Administration Portal Getting Started

Congratulations on choosing CSO for SD-WAN, Hybrid WAN, SD-LAN, and NFV lifecycle management. This guide is designed to help you quickly learn the basics of the Administration Portal.

Administration Portal Capabilities

The Administration Portal helps you:

See a compact, graphical view of important information in the Dashboard
Monitor system performance
Manage resources used by tenants and their customers
Configure service level agreement (SLA) parameters and application profiles
Manage tenants
Manage Administration Portal users and roles

Deployment Options

Using the previously-mentioned capabilities you can create, provision, manage, and monitor all of the elements required for Contrail SD-WAN, Hybrid WAN, SD-LAN, and Next Generation Firewall (NGFW) deployments:

Hybrid WAN Deployment–CSO creates a secure site-to-site connection with a remote customer premises equipment (CPE) device, in part, to allow deployment of VNFs at the tenant site.
In a Hybrid WAN deployment, the primary goal is to provide the individual site with CSO-managed network services. When you deploy multiple Hybrid WAN sites, each one stands on its own.
Contrail SD-WAN Deployment–CSO creates secure site-to-site connections with remote CPE devices through the use of overlay networks. Multiple sites in an SD-WAN deployment can communicate with each other. Thus network functions can be deployed at any of the sites as needed.
In addition to site-local VNF access, individual SD-WAN sites can be extended to include SD-LAN and Mist WiFi access point capabilities.
SD-LAN Deployment-You can use CSO to manage EX Series LAN access switches that are deployed behind an Internet gateway device at customer sites.
The Internet gateway device can be an existing WAN router, a Contrail SD-WAN CPE, or an NGFW CPE. An SD-LAN deployment can be extended to include Mist WiFi access points.
NGFW Deployment–CSO creates a secure connection to an SRX-based NGFW device to provide managed security to the remote site. You can use CSO to manage the customer-site SRX Series devices and their built-in services thus providing managed security services to remote sites. An NGFW deployment can be extended to include SD-LAN and Mist WiFi access points.

To perform any of the deployments mentioned above, there are some things you need to know how to do within the CSO GUI. An administrator, working within the Administration Portal, must be familiar with a number of tasks. Some are for setup and configuration of CSO and some are needed to configure the components used in the previously-mentioned deployments. The following sections describe those tasks at a high level without linking them to any particular deployment.

Administration

The following procedures describe how to perform some of the administration tasks in the Administration Portal.

Set CSO Authentication Methods and Servers

Procedure

CSO allows global administrators (cspadmin user and equivalent) in the on-premises version of CSO to define and edit authentication methods, and to add and manage single sign-on servers. The cspadmin user has full access to change the authentication and authorization methods used by the CSO instance. Since the cspadmin user is not available to users in a cloud-hosted version of CSO, this function is reserved for Juniper Networks to perform.

An OpCo administrator (in either on-premises or cloud-hosted CSO versions) has no access to view or change the authentication Methods. The OpCo administrator has full access to add, edit, and delete Single Sign-On (SSO) servers and the authentication and authorization functions they perform for CSO. Figure 1 shows the default Authentication page with overlays showing the authentication types and the initial SSO configuration page.

Figure 1: Authentication Page

To view or change the authentication method used for CSO:

Login to CSO as the cspadmin user or equivalent.
Navigate to the Administration > Authentication page.
Select either the Tenant User or SP User checkbox.
Click the edit button in the upper right corner of the Authentication Methods area.
Set the appropriate authentication method.
Click Save.

Procedure

To manage SSO servers, navigate to the Administration > Authentication page.

Click the Add icon (+) to add a new SSO server.
Follow the Add SSO Server workflow guide to add and configure an SSO server for use with CSO.
Click the checkbox next to an existing SSO server to Test Login, Edit, or Delete an existing SSO server.
You cannot delete an SSO server if the Authentication Method is set to use that server. You must set the authentication method to use either local authentication or another SSO server.

Manage Users

Procedure

The Administration Portal allows the global administrator (cspadmin or equivalent) of an on-premises CSO installation to add OpCo and tenant-level administrator and user accounts. In a cloud-hosted version of CSO, the Administration Portal allows the OpCo administrator to add other administrators and users to their specific OpCo, and to add tenant-level administrators and users for the tenants of their OpCo.

The following task describes how to add an OpCo administrator.

Click Administration > Users.
The Users page appears.
Click the Add icon (+).
The Add OpCo User page appears, as shown in Figure 2.
Figure 2: OpCo User Page
Fill out the information in the form as shown in the image above.
If you leave the status set to enabled, CSO sends an e-mail to the specified mail address upon completion of the procedure.
If you set the status to disabled, no mail is sent to the user.
Click OK when finished.

Manage Roles

Procedure

CSO uses Role-Based Access Control (RBAC) to isolate control of certain features to specific roles (groups of users). The following task describes how to add a custom role to your tenant.

Click Administration > Roles.
The Roles page appears.
Click the Add icon (+).
The Add Role page appears, as shown in Figure 3.
Figure 3: Add Role Page
Specify the details for the role.
Pay particular attention to the Access Privileges. Many combinations are possible. Selecting some privileges automatically selects others.
Click OK.
A status message appears about the new role.

Manage Audit Logs

Procedure

CSO automatically logs changes to an audit log. Administrators can view, export, purge and archive audit logs based on date range.

To view or manage audit logs:

Navigate to Administration > Audit Logs.
The Audit Logs page appears.
To see details of recorded logs, select the checkbox next to the desired log.
From the More menu, select Details.
Audit log details are displayed on the right part of the page.
To export or purge a range of logs, click the appropriate button.
The export or purge audit logs window appears.
To archive logs prior to purge, click the Purge button, then click the Archive Logs Before Purging button.
Archived logs are stored as .zip compressed comma-separated value (CSV) files. These archives can be stored locally or on a remote server.

Set Dynamic VPN Thresholds

Procedure

CSO automatically creates and deletes VPN tunnels between two sites based on user-specified session thresholds. The following procedure describes how to set the dynamic VPN thresholds for all tenants.

Navigate to Administration > Dynamic VPN to set session thresholds.
Default values of 5 sessions every two minutes for tunnel creation and 2 sessions every 15 minutes for tunnel deletion are automatically populated.
Enter the desired thresholds in the fields.
Click Save.
Your dynamic VPN thresholds will be applied to all of your tenants.

Upload Device Licenses

Procedure

To upload a license:

Click Administration > Licenses > Device Licences.
The License Files page appears.
Click the Add icon (+).
The Add License page appears as shown in Figure 4.
Figure 4: Add License Page
Specify the details for the license.
Click OK.
The Upload License page displays the progress of the license upload.
Click OK to save the changes.
The status of the save operation is displayed.

Assign CSO Licenses to Tenants

Procedure

For an on-premises version of CSO, the global administrator (cspadmin user or equivalent) adds CSO licenses to the application. The cspadmin user can also assign licenses to OpCos and tenants. As an OpCo administrator, you can assign the added licenses to your tenants.

The following procedure describes the assignment process.

Click Administration > Licenses > CSO Licenses.
The CSO Licenses Page is displayed. All assigned licenses and the license counts appear in the list.
Click the checkbox next to the license you want to assign.
Click the Update Assignment button.
The Assign CSO License window appears and shows the quantity for this license and the number available for assignment to tenants.
From the Tenants section, click the Add icon (+) to enter a new assignment.
A new row on the list will appear.
From the Tenant pull-down, select the tenant.
Enter the number of licenses to assign to this tenant in the Quantity field. Alternatively, you can click the up and down arrows on the right of the field until the appropriate number appears in the field.
Click OK.
The window will close and the CSO Licenses page will update immediately.

Manage the Signature Database

In an on-premises version of CSO, the global administrator (cspadmin user or equivalent) can update the intrusion prevention system (IPS) signature database by navigating to Administration > Signature Database while in the Global domain.

Procedure

The following procedure describes how to download and apply signature database updates to CSO.

Click the Signature Download Settings button on the upper right part of the Active Database section.
Enter the signature database version in the Signature Version field.
Choose whether to run the update procedure now or schedule it for a later time.
Click OK.
The update begins at the scheduled time. You can find information regarding the update procedure at the Monitor > Jobs page by searching for the signature update job.

OpCo administrators in either on-premises or cloud-hosted versions of CSO can view information about the active signature database installed in CSO and summary information about other database versions.

Set SMTP Server

Procedure

CSO uses e-mail to send messages, such as first-time access messages for new users and account locked messages. Because of this, you must configure an SMTP server for CSO to use.

Click Administration > SMTP.
The SMTP page appears.
Fill out the information shown in Figure 5, according to the needs of your SMTP server.
Figure 5: SMTP Page
Click Save when complete.
It is recommended that you send a test e-mail to confirm that your settings are correct. When using the Send Test Mail button, you will get either a success or failure message.
Click Save once again after you receive a success message.

Manage Terms of Use Documents

CSO allows OpCo administrators to create and distribute custom terms of use documents for their tenants.

Procedure

To create a Terms of Use document:

Navigate to Administration > Terms of Use.
The Terms of Use page appears.
Enter a valid URL from which the document can be downloaded.
Enter a date at which you want the terms of use document to be effective.
Click Save.

Email Templates

The following task describes the e–mail templates used by CSO.

Procedure

There are several circumstances under which CSO sends e-mail to users. You can view and edit these e-mail templates to suit your needs using the following procedure:

Click Administration > Email Templates.
The Email Templates page appears that shows a list of CSO e-mail templates as shown in Figure 6.
Figure 6: Email Templates Page
The template names indicate under which circumstances the template is used.
Click the checkbox next to one of the template names.
Click the Edit icon (pencil).
The Edit Template page appears.
Edit the YAML template as needed.
(Optional) Click Restore Default Content if there are problems with your template after editing.
Click Save.
A successful save message appears.

Tenant Management

The following tasks describe how to add tenants in the administration portal:

Add a Single Tenant

Procedure

This task describes how to add a single tenant. Alternatively, you could import a file that contains data for multiple tenants and their sites by clicking Tenants > Import Tenants > Import.

You can add SD-WAN, Hybrid WAN, Next Generation Firewall (NGFW), and LAN services in any combination for your tenant.

Note You cannot add or remove services once the tenant is added. Make your service selections with this in mind.

To add a single tenant:

Click Tenants.
Click the Add icon (+).
The Add Tenant window appears.
Complete the configuration for the tenant as shown in Figure 7.
Figure 7: Add Tenant Window
Click OK to save the changes.

Add Multiple Tenants

Procedure

This task describes how to add multiple tenants using a JSON formatted text file.

To add multiple tenants:

Click Tenants > Import Tenants > Import.
The Import Tenants page appears.
To obtain a sample JSON file for use in the import procedure, click the Download Sample JSON link below the file upload field.
Edit the JSON file to suit your tenant needs and save.
Click the Browse button and select the JSON file you just saved or another previously configured JSON file.
Click the Import button.
The status of the import and add jobs will appear as messages on the Tenants page.

Delete Tenants

An OpCo administrator in either cloud-hosted or on-premises versions of CSO can delete existing tenants using the following procedure:

Procedure

Navigate to Tenants.
The Tenants page appears.
Select the desired tenant by clicking the checkbox next to the tenant name.
Click the Delete icon (trash can).
A confirmation window pops up.
Click Yes to complete the delete process or No to keep the tenant.

Configuration Management

The following tasks describe the Configuration tasks that can be performed within the Administration Portal.

Add SLA-Based Steering Profiles

Procedure

SLA-based steering profiles allow administrators to determine when specific traffic types get switched to a different WAN link based on link performance metrics like jitter, round-trip-time, and packet loss.

This task describes how to add SLA-Based Steering Profiles for use by your tenants in SD-WAN Policy intents.

Click Configuration > SLA Based Steering Profiles.
The SLA-Based Steering Profiles page shows a list of Juniper-supplied steering profiles with names that start with “CSO-”. These profiles can be used as-is in SD-WAN Policies.
Click the Add icon (+).
The Create SLA Profile page appears as shown in Figure 8.
Figure 8: Create SLA Profile Page
Fill out the information on the page.
Since SLA-Based Steering profiles are intended to assist CSO in making path switching decisions, it is recommended to leave the Path Preference set to Any. This allows CSO to switch traffic to different WAN paths in situations where SLAs are not being met by the active path.

Add Path-Based Steering Profiles

Procedure

Path-based steering profiles allow administrators to specify which WAN link is used to transport specific types of traffic.

This task describes how to add a Path-Based Steering Profile for use by your tenants in SD-WAN Policy intents.

Click Configuration > Path Based Steering Profiles.
The Path-Based Steering Profiles appears.
Click the Add icon (+).
The Create Path Profile page appears.
Fill out the information on the page.
Since Path-Based steering profiles are intended to allow an administrator to choose a specific path for certain traffic types to use, it makes sense to choose a specific path in the Path Preference section. This ensures that your path preference is used rather than a system-determined path.

View Application Traffic Type Profiles

Application traffic type profiles define custom traffic types for use within your SLA profiles. These profiles are added to CSO by the global administrator (cspadmin user or equivalent) in an on-premises version of CSO. For cloud-hosted versions, Juniper manages the creation and enabling of application traffic types.

An OpCo administrator can view the list of application traffic type profiles by navigating to Configuration > Application Traffic Type Profiles. An application traffic type must be enabled so that it can be used in an SLA profile. Only 4 application traffic type profiles can be enabled at one time. Contact the global administrator, or your account team for cloud-hosted CSO, if you need new profiles to be created or enabled.

Manage Breakout Profiles

Breakout profiles are used to enable sites to break out traffic directly from the site (local breakout), through the hub or gateway (backhaul or central breakout), or through a cloud-based security platform (cloud breakout). On the Breakout Profiles page, you can view, add, edit, or delete local, backhaul, and cloud breakout profiles.

Procedure

To add a breakout profile for your site:

Navigate to Configuration > SD-WAN Breakout Profiles.
The Breakout Profiles page appears with a list of existing profiles, if any.
Click the Add icon (+) to add a breakout profile.
The Add Breakout Profile window appears.
Select a profile type from the Type pull-down menu.
Available options are:
- Local Breakout (Underlay)
- Backhaul
- Local Breakout (Cloud)
Give the profile a name.
(Optional) Enter a description for the breakout profile.
Select a traffic type profile from the pull-down menu.
The available options depend on which application profile types are enabled on your instance of CSO.
Select a preferred path for this type of traffic.
Note Cloud breakout profiles default to Any path and cannot be changed.
(Optional) Enable the Advanced Configuration button to specify rate-limiting rules for this breakout profile.
If you enable rate limiting, all the fields in the Advanced Configuration section are required.
Click OK to save the profile.
The new profile appears in the list.

Work with Application Signatures

CSO ships with a pre-defined set of application signatures for use in firewall and SD-WAN policies. This set of signatures is usually enough to get started. Global and OpCo administrators can create custom signatures.

Procedure

To create a custom signature:

Navigate to Configuration > Shared Objects > Application Signatures.
Select Signature from the Create pull-down menu.
The Create Application Signature window appears.
Give the new signature a name.
A global administrator in an on-premises version of CSO can configure additional signature details in the Signature Classification section of the window.
(Optional) Fill in description information if needed.
(Optional) Set the signature order from 1 to 50000.
This option is used to prioritize signature application when traffic matches multiple signatures. Lower numbers have higher priority.
(Optional) Select High or Low priority for the signature.
Select one or more Application Identification match criteria by clicking the appropriate checkbox(es) and filling in the required information.

Allocate Network Services

You must assign network services to tenants to enable them to access the network services. The network services are published to the network services catalog by the global administrator (cspadmin or equivalent), or Juniper Networks in the case of cloud-hosted CSO. You can assign services in the following ways:

Assign one or more services to a single tenant:
Procedure
1. Click Tenants.
  The Tenants page appears.
2. Select a tenant and click Allocate Network Services. Alternatively, click the Allocate Network Services link under the Assigned Services column.
  The Allocate Network Services to Tenant-Name page appears.
3. Select the services that you want to assign to the tenant and click OK.
  You are returned to the Tenants page and the status of the assign operation is displayed.
Assign a service to one or more tenants:
Procedure
1. Click Configuration > Network Services.
  The Network Services page appears.
2. Select the service that you want to assign to the tenants and click Allocate Services.
  The Select Tenant(s) to allocate the Service page appears.
3. Select the tenants to which you want to assign the service and click OK.
  You return to the Network Services page. The count in the Tenants column increases by the number of tenants that you assigned to the service.

Resource Management

CSO allows administrators to manage the resources used for creating Contrail SD-WAN, Hybrid WAN, SD-LAN, and NGFW solutions. These include Points of Presence (POPs), sites, tenant devices, provider hub devices, device templates, and device software images.

The following tasks describe the management of these resources.

Manage POPs

Procedure

Only the global administrator (cspadmin or equivalent) can add a POP to CSO. An OpCo administrator can only view POPs created by the global administrator.

To add a POP to an on-premises version of CSO:

Log in to CSO as cspadmin or equivalent.
Navigate to Resources > POPs.
The POPs page appears.
Click the Add icon (+) to add a POP.
The Add POP window appears. Fill in the required (marked by *) information and click Next until you reach the summary page.
Click OK when finished.
The new POP appears in the list.

Site Management

CSO allows OpCo administrators to add provider hub devices used in Contrail SD-WAN deployments by accessing Resources > Site Management page.

Procedure

When an OpCo administrator adds a provider hub from the site management page, they are providing the their tenants with access to an existing provider hub that is already assigned to a POP.

Note The creation of the hub device and its assignment to a POP is handled at the Resources > Provider Hub Devices page.

In cloud-hosted CSO, OpCo administrators can assign one or more provider hub devices to their OpCo, and thus their tenants, or they can leave this task for individual tenant administrators. At least one OAM capable provider hub must be available, through a regional POP, for every tenant so that CSO can manage the CPE devices.

Follow the steps below to allow your tenants access to a specific provider hub.

Navigate to Resources > Site Management.
The Add Provider Hub for <OpCo-Name> window appears.
Select a service pop from the pull-down menu.
Select a hub device from the pull-down menu.
The list of available hubs is built from the hubs assigned to the selected POP.
Click OK.
Job start and job complete messages appear and the list can be refreshed to show the new hub device.

View Status of Tenant Devices

CSO provides administrators a way to see all tenant devices within their domain. For the global administrator, this includes all configured devices. For an OpCo administrator, this includes only those devices configured within their OpCo.

The view allows you to see the management status, operational status, device model, OS version, and so on.

Manage Provider Hub Devices

CSO provides administrators with the ability to add provider hub devices to the system. These devices are multi-tenant hub devices that are associated with a specific regional POP. There are 3 types of provider hub devices: OAM_ONLY, DATA_ONLY, or OAM_AND_Data. The global administrator of an on-premises version of CSO can create any type of provider hub.

In cloud-hosted versions of CSO, Juniper creates and manages all OAM hubs. Thus, an OpCo administrator can only add DATA_ONLY hubs.

Procedure

To add a DATA_ONLY hub:

Navigate to Resources > Provider Hub Devices.
The Provider Hub Devices Page appears with a list of available provider hubs.
Click the Add icon (+) to add a provider hub device
The Add Provider Hub Device window pops up.
On the General tab, fill in the Site Information.
All the fields within the site information section are required.
The management region and site capability pull-down menus have only one choice.
Select the appropriate POP in which to place the new hub device.
Click Next.
The window advances to the WAN tab.
Select a Device Template.
Only SRX templates are available for provider hub devices.
The list of templates is built from the SRX templates available at Resources > Templates > Device Templates.
Fill in the required information in the Device Information section.
Required information is marked with an asterisk (*).
You can leave Auto Activate enabled or you can disable it. If disabled, device activation becomes a separate step that is carried out later, perhaps after the hub is put in place at the POP.
The IP prefix and gateway IP address values are dependant on your network infrastructure. These are the addresses that this hub device uses for communication with remote CPE devices.
Click Next.
The window advances to the Summary tab.
Review the summary information and correct as needed.
Click OK when finished.
The device will be modeled, activated, and finally provisioned if the Auto Activation button was left active. If not, activation and provisioning will have to be done separately.

Manage Images

CSO allows administrators to upload various types of images for use on physical and virtual devices. The table below lists the various image types and their uses:

Image Type	Used For
Device Image	Software image for physical devices such as CPE and hub devices.
VNF Image	Software image for a virtual device
VNF Script	Provision Script for VNF image
EMS Plugin Package	Element Management System plugin to support new device families
Device Extension Package	Extension software package that can be installed on a device
Boot Config Image	Bootable ISO software image for VNF or virtual devices
Telemetry Agent Package	Installs a telemetry agent on a device
Telemetry Agent Plugin	Installable plugin to enable telemetry from a specific set of VNFs
VNFM Plugin Package	Installable VNF Manager plugin for a specific set of VNFs

Once uploaded, the various packages can be staged and deployed to tenant devices on a site-by-site or all-sites basis. Staging an image prior to deploying helps to ensure image deployment works on slow network links.

Monitor Activity and Status

CSO provides administrators with the ability to monitor the CSO system and its tenants.

Procedure

To view highlights of the CSO monitoring feature:

Navigate to the Monitor tab on the left-navigation panel.
Select Overview to see a map of the CSO POPs and their status.
The map can be zoomed and filtered by alarm severity by selecting the appropriate checkbox from the POPs pull-down menu at the upper left corner of the map.
Select Alerts & Alarms > Alerts to see alerts generated by CPE or hub devices.
You can see the severity, time, tenant, site, and a description of the alerts, if any.
Select Alerts & Alarms > Alert Definitions to see what alert definitions have been added. There are SD-WAN alerts and security alerts available.
The cspadmin user (or equivalent) can create new alert definitions by clicking the Add icon (+) and filling out the fields in the create alert definition window.
Select Alerts & Alarms > Alarms to see alarm notifications generated by CPE and hub devices.
The graph at the top of the page shows a count of alarms over a specified time period. You can adjust the time range for the graph to filter the alarms and create additional filters by tenant, site, source, and severity.
Select Tenants SLA Performance to see performance metrics filtered by tenant.
You can choose between card display and grid display and filter the metrics by time.
Select Jobs to see a list of all jobs performed by CSO and the outcome of those jobs.
You can see a job history or see upcoming jobs that have been scheduled for a future time.
Clicking on an individual Job Name shows the details about that job. Further details may be available by clicking additional links within the job details pop-up window.

Dashboard

CSO provides a dashboard, which is the default landing page upon successful login. The dashboard can display various graphical information about tenants and sites.

You can customize the dashboard by dragging widgets from the top carousel down to the main dashboard. Different users can have their own dashboards. A user can also have multiple dashboards defined.

Help us to improve. Rate this article.

Feedback Received. Thank You!