Administration Portal Getting Started

Congratulations on choosing CSO for SD-WAN, SD-LAN, Next Generation Firewall, Hybrid WAN, and NFV lifecycle management. This guide is designed to help you quickly learn the basics of the Administration Portal.

Administration Portal Capabilities

The Administration Portal helps you:

Deployment Options

Using the previously mentioned capabilities, you can create, provision, manage, and monitor all of the elements required for Contrail SD-WAN, SD-LAN, Next Generation Firewall (NGFW), and Hybrid WAN deployments:

To perform any of the deployments mentioned above, there are some things you need to know how to do within the CSO GUI. An administrator, working within the Administration Portal, must be familiar with a number of tasks. Some are for setup and configuration of CSO and some are needed to configure the components used in the previously mentioned deployments. The following sections describe those tasks at a high level without linking them to any particular deployment.

Administration

The following procedures describe how to perform some of the administration tasks in the Administration Portal.

Set CSO Authentication Methods and Servers

Procedure

CSO allows global administrators (cspadmin user and equivalent) in the on-premises version of CSO to define and edit authentication methods, and to add and manage single sign-on servers. The cspadmin user has full access to change the authentication and authorization methods used by the CSO instance. Since the cspadmin user is not available to users in a cloud-hosted version of CSO, this function is reserved for Juniper Networks to perform.

An OpCo administrator (in either on-premises or cloud-hosted CSO versions) has no access to view or change the authentication methods. The OpCo administrator does have full access to add, edit, and delete Single Sign-On (SSO) servers and the authentication and authorization functions they perform for CSO. Figure 1 shows the default Authentication page with overlays showing the authentication types and the initial SSO configuration page.

Figure 1: Authentication Page

To view or change the authentication method used for CSO:

  1. Log in to CSO as the cspadmin user or equivalent.
  2. Navigate to the Administration > Authentication page.
  3. Select either the Tenant User or SP User checkbox.
  4. Click the edit button in the upper right corner of the Authentication Methods area.
  5. Set the appropriate authentication method.
  6. Click Save.

Procedure

To manage SSO servers, navigate to the Administration > Authentication page.

Manage Users

Procedure

The Administration Portal allows the global administrator (cspadmin or equivalent) of an on-premises CSO installation to add OpCo and tenant-level administrator and user accounts. In a cloud-hosted version of CSO, the Administration Portal allows the OpCo administrator to add other administrators and users to their specific OpCo, and to add tenant-level administrators and users for the tenants of their OpCo.

The following task describes how to add an OpCo administrator.

  1. Click Administration > Users.

    The Users page appears.

  2. Click the Add icon (+).

    The Add OpCo User page appears, as shown in Figure 2.

    Figure 2: OpCo User Page

  3. Fill out the information in the form as shown in the image above.

    If you leave the status set to enabled, CSO sends an e-mail to the specified mail address upon completion of the procedure.

    If you set the status to disabled, no mail is sent to the user.

  4. Click OK when finished.

Manage Roles

Procedure

CSO uses role-based access control (RBAC) to isolate control of certain features to specific roles (groups of users). The following task describes how to add a custom role to your tenant.

  1. Click Administration > Roles.

    The Roles page appears.

  2. Click the Add icon (+).

    The Add Role page appears, as shown in Figure 3.

    Figure 3: Add Role Page

  3. Specify the details for the role.

    Pay particular attention to the Access Privileges. Many combinations are possible. Selecting some privileges automatically selects others.

  4. Click OK.

    A status message appears about the new role.

Manage Audit Logs

Procedure

CSO automatically logs changes to an audit log. Administrators can view, export, purge and archive audit logs based on date range.

To view or manage audit logs:

Set Dynamic VPN Thresholds

Procedure

CSO automatically creates and deletes VPN tunnels between two sites based on user-specified session thresholds. The following procedure describes how to set the dynamic VPN thresholds for all tenants.

Upload Device Licenses

Procedure

To upload a license:

  1. Click Administration > Licenses > Device Licenses.

    The License Files page appears.

  2. Click the Add icon (+).

    The Add License page appears as shown in Figure 4.

    Figure 4: Add License Page

  3. Specify the details for the license.
  4. Click OK.

    The Upload License page displays the progress of the license upload.

  5. Click OK to save the changes.

    The status of the save operation is displayed.

Assign CSO Licenses to Tenants

Procedure

For an on-premises version of CSO, the global administrator (cspadmin user or equivalent) adds CSO licenses to the application. The cspadmin user can also assign licenses to OpCos and tenants. As an OpCo administrator, you can assign the added licenses to your tenants.

The following procedure describes the assignment process.

  1. Click Administration > Licenses > CSO Licenses.

    The CSO Licenses Page is displayed. All assigned licenses and the license counts appear in the list.

  2. Click the checkbox next to the license you want to assign.
  3. Click the Update Assignment button.

    The Assign CSO License window appears and shows the quantity for this license and the number available for assignment to tenants.

  4. From the Tenants section, click the Add icon (+) to enter a new assignment.

    A new row on the list will appear.

  5. From the Tenant pull-down, select the tenant.
  6. Enter the number of licenses to assign to this tenant in the Quantity field. Alternatively, you can click the up and down arrows on the right of the field until the appropriate number appears in the field.
  7. Click OK.

    The window will close and the CSO Licenses page will update immediately.

Manage the Signature Database

In an on-premises version of CSO, the global administrator (cspadmin user or equivalent) can update the intrusion prevention system (IPS) signature database by navigating to Administration > Signature Database while in the Global domain.

Procedure

The following procedure describes how to download and apply signature database updates to CSO.

  1. Click the Signature Download Settings button on the upper right part of the Active Database section.
  2. Enter the signature database version in the Signature Version field.
  3. Choose whether to run the update procedure now or schedule it for a later time.
  4. Click OK.

    The update begins at the scheduled time. You can find information regarding the update procedure at the Monitor > Jobs page by searching for the signature update job.

OpCo administrators in either on-premises or cloud-hosted versions of CSO can view information about the active signature database installed in CSO and summary information about other database versions.

Set SMTP Server

Procedure

CSO uses e-mail to send messages, such as first-time access messages for new users and account locked messages. Because of this, you must configure an SMTP server for CSO to use.

  1. Click Administration > SMTP.

    The SMTP page appears.

  2. Fill out the information shown in Figure 5, according to the needs of your SMTP server.

    Figure 5: SMTP Page

  3. Click Save when complete.

    It is recommended that you send a test e-mail to confirm that your settings are correct. When using the Send Test Mail button, you will get either a success or failure message.

  4. Click Save once again after you receive a success message.

Manage Terms of Use Documents

CSO allows OpCo administrators to create and distribute custom terms of use documents for their tenants.

Procedure

To create a Terms of Use document:

  1. Navigate to Administration > Terms of Use.

    The Terms of Use page appears.

  2. Enter a valid URL from which the document can be downloaded.
  3. Enter a date at which you want the terms of use document to be effective.
  4. Click Save.

Email Templates

The following task describes the e-mail templates used by CSO.

Procedure

There are several circumstances under which CSO sends e-mail to users. You can view and edit these e-mail templates to suit your needs using the following procedure:

  1. Click Administration > Email Templates.

    The Email Templates page appears, showing a list of CSO e-mail templates, as shown in Figure 6.

    Figure 6: Email Templates Page

    The template names indicate under which circumstances the template is used.

  2. Click the checkbox next to one of the template names.
  3. Click the Edit icon (pencil).

    The Edit Template page appears.

  4. Edit the YAML template as needed.
  5. (Optional) Click Restore Default Content if there are problems with your template after editing.
  6. Click Save.

    A successful save message appears.

Tenant Management

The following tasks describe how to add tenants in the Administration Portal:

Add a Single Tenant

Procedure

This task describes how to add a single tenant. Alternatively, you could import a file that contains data for multiple tenants and their sites by clicking Tenants > Import Tenants > Import.

You can add SD-WAN, SD-LAN, Next Generation Firewall (NGFW), or Hybrid WAN in any combination for your tenant.

Note: You cannot add or remove services once the tenant is added. Make your service selections with this in mind.

To add a single tenant:

  1. Click Tenants.
  2. Click the Add icon (+).

    The Add Tenant window appears.

  3. Complete the configuration for the tenant as shown in Figure 7.

    Figure 7: Add Tenant Window

  4. Click OK to save the changes.

Add Multiple Tenants

Procedure

This task describes how to add multiple tenants using a JSON formatted text file.

To add multiple tenants:

  1. Click Tenants > Import Tenants > Import.

    The Import Tenants page appears.

  2. To obtain a sample JSON file for use in the import procedure, click the Download Sample JSON link below the file upload field.
  3. Edit the JSON file to suit your tenant needs and save.
  4. Click the Browse button and select the JSON file you just saved or another previously configured JSON file.
  5. Click the Import button.

    The status of the import and add jobs will appear as messages on the Tenants page.

Delete Tenants

An OpCo administrator in either cloud-hosted or on-premises versions of CSO can delete existing tenants using the following procedure:

Procedure

  1. Navigate to Tenants.

    The Tenants page appears.

  2. Select the desired tenant by clicking the checkbox next to the tenant name.
  3. Click the Delete icon (trash can).

    A confirmation window pops up.

  4. Click Yes to complete the delete process or No to keep the tenant.

Configuration Management

The following tasks describe the Configuration tasks that can be performed within the Administration Portal.

Add SLA-Based Steering Profiles

Procedure

SLA-based steering profiles allow administrators to determine when specific traffic types get switched to a different WAN link based on link performance metrics like jitter, round-trip-time, and packet loss.

This task describes how to add SLA-Based Steering Profiles for use by your tenants in SD-WAN Policy intents.

  1. Click Configuration > SLA Based Steering Profiles.

    The SLA-Based Steering Profiles page shows a list of Juniper-supplied steering profiles with names that start with “CSO-”. These profiles can be used as-is in SD-WAN Policies.

  2. Click the Add icon (+).

    The Create SLA Profile page appears as shown in Figure 8.

    Figure 8: Create SLA Profile Page

  3. Fill out the information on the page.

    Since SLA-Based Steering profiles are intended to assist CSO in making path switching decisions, it is recommended to leave the Path Preference set to Any. This allows CSO to switch traffic to different WAN paths in situations where SLAs are not being met by the active path.

Add Path-Based Steering Profiles

Procedure

Path-based steering profiles allow administrators to specify which WAN link is used to transport specific types of traffic.

This task describes how to add a Path-Based Steering Profile for use by your tenants in SD-WAN Policy intents.

  1. Click Configuration > Path Based Steering Profiles.

    The Path-Based Steering Profiles appear.

  2. Click the Add icon (+).

    The Create Path Profile page appears.

  3. Fill out the information on the page.

    Since path-based steering profiles are intended to allow an administrator to choose a specific path for certain traffic types to use, it makes sense to choose a specific path in the Path Preference section. This ensures that CSO selects your path preference rather than a system-determined path.

View Application Traffic Type Profiles

Application traffic type profiles define custom traffic types for use within your SLA profiles. These profiles are added to CSO by the global administrator (cspadmin user or equivalent) in an on-premises version of CSO. For cloud-hosted versions, Juniper manages the creation and enabling of application traffic types.

An OpCo administrator can view the list of application traffic type profiles by navigating to Configuration > Application Traffic Type Profiles. An application traffic type must be enabled so that it can be used in an SLA profile. Only 4 application traffic type profiles can be enabled at one time. Contact the global administrator, or your account team for cloud-hosted CSO, if you need new profiles to be created or enabled.

Manage Breakout Profiles

Breakout profiles are used to enable sites to break out traffic directly from the site (local breakout), through the hub or gateway (backhaul or central breakout), or through a cloud-based security platform (cloud breakout). On the Breakout Profiles page, you can view, add, edit, or delete local, backhaul, and cloud breakout profiles.

Procedure

To add a breakout profile for your site:

  1. Navigate to Configuration > SD-WAN Breakout Profiles.

    The Breakout Profiles page appears with a list of existing profiles, if any.

  2. Click the Add icon (+) to add a breakout profile.

    The Add Breakout Profile window appears.

  3. Select a profile type from the Type pull-down menu.

    Available options are:

    • Local Breakout (Underlay)

    • Backhaul

    • Local Breakout (Cloud)

  4. Give the profile a name.
  5. (Optional) Enter a description for the breakout profile.
  6. Select a traffic type profile from the pull-down menu.

    The available options depend on which application profile types are enabled on your instance of CSO.

  7. Select a preferred path for this type of traffic.

    Note: Cloud breakout profiles default to Any path and cannot be changed.

  8. (Optional) Enable the Advanced Configuration button to specify rate-limiting rules for this breakout profile.

    If you enable rate limiting, all the fields in the Advanced Configuration section are required.

  9. Click OK to save the profile.

    The new profile appears in the list.

Work with Application Signatures

CSO ships with a pre-defined set of application signatures for use in firewall and SD-WAN policies. This set of signatures is usually enough to get started. Global and OpCo administrators can create custom signatures.

Procedure

To create a custom signature:

  1. Navigate to Configuration > Shared Objects > Application Signatures.
  2. Select Signature from the Create pull-down menu.

    The Create Application Signature window appears.

  3. Give the new signature a name.

    A global administrator in an on-premises version of CSO can configure additional signature details in the Signature Classification section of the window.

  4. (Optional) Fill in description information if needed.
  5. (Optional) Set the signature order from 1 to 50000.

    This option is used to prioritize signature application when traffic matches multiple signatures. Lower numbers have higher priority.

  6. (Optional) Select High or Low priority for the signature.
  7. Select one or more Application Identification match criteria by clicking the appropriate checkbox(es) and filling in the required information.

Allocate Network Services

You must assign network services to tenants to enable them to access the network services. The network services are published to the network services catalog by the global administrator (cspadmin or equivalent), or Juniper Networks in the case of cloud-hosted CSO. You can assign services in the following ways:

Resource Management

CSO allows administrators to manage the resources used for creating Contrail SD-WAN, SD-LAN, NGFW, and Hybrid WAN solutions. These include Points of Presence (POPs), sites, tenant devices, provider hub devices, device templates, and device software images.

The following tasks describe the management of these resources.

Manage POPs

Procedure

Only the global administrator (cspadmin or equivalent) can add a POP to CSO. An OpCo administrator can only view POPs created by the global administrator.

To add a POP to an on-premises version of CSO:

  1. Log in to CSO as cspadmin or equivalent.
  2. Navigate to Resources > POPs.

    The POPs page appears.

  3. Click the Add icon (+) to add a POP.

    The Add POP window appears. Fill in the required (marked by *) information and click Next until you reach the summary page.

  4. Click OK when finished.

    The new POP appears in the list.

Site Management

CSO allows OpCo administrators to add provider hub devices used in Contrail SD-WAN deployments by accessing the Resources > Site Management page.

Procedure

When an OpCo administrator adds a provider hub from the site management page, they are providing their tenants with access to an existing provider hub that is already assigned to a POP.

Note: The creation of the hub device and its assignment to a POP is handled at the Resources > Provider Hub Devices page.

In cloud-hosted CSO, OpCo administrators can assign one or more provider hub devices to their OpCo, and thus their tenants, or they can leave this task for individual tenant administrators. At least one OAM-capable provider hub must be available, through a regional POP, for every tenant so that CSO can manage the CPE devices.

Follow the steps below to allow your tenants access to a specific provider hub.

  1. Navigate to Resources > Site Management.

    The Add Provider Hub for <OpCo-Name> window appears.

  2. Select a service POP from the pull-down menu.
  3. Select a hub device from the pull-down menu.

    The list of available hubs is built from the hubs assigned to the selected POP.

  4. Click OK.

    Job start and job complete messages appear, and the list can be refreshed to show the new hub device.

View Status of Tenant Devices

CSO provides administrators a way to see all tenant devices within their domain. For the global administrator, this includes all configured devices. For an OpCo administrator, this includes only those devices configured within their OpCo.

The view allows you to see the management status, operational status, device model, OS version, and so on.

Manage Provider Hub Devices

CSO provides administrators with the ability to add provider hub devices to the system. These devices are multi-tenant hub devices that are associated with a specific regional POP. There are 3 types of provider hub devices: OAM_ONLY, DATA_ONLY, or OAM_AND_Data. The global administrator of an on-premises version of CSO can create any type of provider hub.

In cloud-hosted versions of CSO, Juniper creates and manages all OAM hubs. Thus, an OpCo administrator can only add DATA_ONLY hubs.

Procedure

To add a DATA_ONLY hub:

  1. Navigate to Resources > Provider Hub Devices.

    The Provider Hub Devices Page appears with a list of available provider hubs.

  2. Click the Add icon (+) to add a provider hub device.

    The Add Provider Hub Device window pops up.

  3. On the General tab, fill in the Site Information.

    All the fields within the site information section are required.

    The management region and site capability pull-down menus have only one choice.

    Select the appropriate POP in which to place the new hub device.

  4. Click Next.

    The window advances to the WAN tab.

  5. Select a Device Template.

    Only SRX templates are available for provider hub devices.

    The list of templates is built from the SRX templates available at Resources > Templates > Device Templates.

  6. Fill in the required information in the Device Information section.

    Required information is marked with an asterisk (*).

    You can leave Auto Activate enabled or you can disable it. If disabled, device activation becomes a separate step that is carried out later, perhaps after the hub is put in place at the POP.

    The IP prefix and gateway IP address values are dependent on your network infrastructure. These are the addresses that this hub device uses for communication with remote CPE devices.

  7. Click Next.

    The window advances to the Summary tab.

    Review the summary information and correct as needed.

  8. Click OK when finished.

    The device will be modeled, activated, and finally provisioned if the Auto Activation button was left active. If not, activation and provisioning will have to be done separately.

Manage Images

CSO allows administrators to upload various types of images for use on physical and virtual devices. The table below lists the various image types and their uses:

Image Type                 Used For
-------------------------  ------------------------------------------------------------------
Device Image               Software image for physical devices such as CPE and hub devices
VNF Image                  Software image for a virtual device
VNF Script                 Provision script for VNF image
EMS Plugin Package         Element Management System plugin to support new device families
Device Extension Package   Extension software package that can be installed on a device
Boot Config Image          Bootable ISO software image for VNF or virtual devices
Telemetry Agent Package    Installs a telemetry agent on a device
Telemetry Agent Plugin     Installable plugin to enable telemetry from a specific set of VNFs
VNFM Plugin Package        Installable VNF Manager plugin for a specific set of VNFs

Once uploaded, the various packages can be staged and deployed to tenant devices on a site-by-site or all-sites basis. Staging an image prior to deploying helps to ensure image deployment works on slow network links.

Monitor Activity and Status

CSO provides administrators with the ability to monitor the CSO system and its tenants.

Procedure

To view highlights of the CSO monitoring feature:

Dashboard

CSO provides a dashboard, which is the default landing page upon successful login. The dashboard can display various graphical information about tenants and sites.

You can customize the dashboard by dragging widgets from the top carousel down to the main dashboard. Different users can have their own dashboards. A user can also have multiple dashboards defined.
