Understanding NETCONF and Shell Sessions over Outbound HTTPS
Benefits of NETCONF and Shell Sessions over Outbound HTTPS
Enable NETCONF or shell client applications to manage devices that are not accessible through other protocols.
Enable remote management of devices using certificate-based authentication for the outbound HTTPS client.
NETCONF and Shell Sessions over Outbound HTTPS Overview
You can establish NETCONF and shell sessions over outbound HTTPS between supported devices running Junos OS and a network management system. A NETCONF or shell session over outbound HTTPS enables you to remotely manage devices that might not be accessible through other protocols such as SSH. This might happen, for example, if the device is behind a firewall, and the firewall or another security tool blocks those protocols. HTTPS, on the other hand, uses a standard port, which is typically allowed outbound in most environments.
The Junos OS with upgraded FreeBSD software image includes a Juniper Extension Toolkit (JET) application that supports establishing a NETCONF or shell session using outbound HTTPS. The JET application uses the gRPC framework to connect to the outbound HTTPS client, which consists of a gRPC server running on the network management system. gRPC is a language-agnostic, open-source remote procedure call (RPC) framework. Figure 1 illustrates the outbound HTTPS setup in its simplest form.
In this scenario, the gRPC server acts as the NETCONF or shell client, and the JET application is the gRPC client and NETCONF or shell server. The gRPC server listens for connection requests on the specified port, which defaults to port 443. You configure the JET application as an extension service. The relevant connection and authentication information is passed to the script. While the script runs, it automatically attempts to connect to the gRPC server on the configured port.
The JET application and gRPC server establish a persistent HTTPS connection over a TLS-encrypted gRPC session. The JET application authenticates the gRPC server using an X.509 digital certificate, and if the authentication is successful, the requested NETCONF or shell session is established over this connection. The NETCONF operations and shell commands execute under the account privileges of the user configured for the extension service application.
The outbound HTTPS connection uses an X.509 digital certificate to authenticate the gRPC server. A digital certificate is an electronic means for verifying your identity through a trusted third party, known as a certificate authority or certification authority (CA). A certificate authority issues digital certificates, which can be used to establish a secure connection between two endpoints through certificate validation. The X.509 standard defines the format for the certificate. To establish a NETCONF or shell session over outbound HTTPS on supported devices running Junos OS, the gRPC server must have a valid X.509 certificate.
Table 1 outlines the features supported for sessions over outbound HTTPS for a given Junos OS release. Devices running Junos OS Release 20.3 and later support multiple outbound HTTPS client connections; configuring one or more backup gRPC servers for a client; and establishing multiple, concurrent NETCONF and shell sessions between the outbound HTTPS client and device running Junos OS.
Table 1: Supported Features for Sessions over Outbound HTTPS

Outbound HTTPS client connections
  Junos OS Release 20.2: Support for connecting to a single outbound HTTPS client and configuring one gRPC server for that client. Connection details are configured as script arguments at the [edit system extensions extension-service application file nc_grpc_app.py] hierarchy level.
  Junos OS Release 20.3R1 or Later: Support for connecting to multiple outbound HTTPS clients and configuring one or more backup gRPC servers for each client. Connection details are configured at the [edit system services outbound-https] hierarchy level.

Sessions
  Junos OS Release 20.2: Supports a single NETCONF session.
  Junos OS Release 20.3R1 or Later: Supports multiple, concurrent NETCONF and csh sessions for an outbound HTTPS client.

gRPC server certificate
  Junos OS Release 20.2: Supports self-signed X.509 certificates only.
  Junos OS Release 20.3R1 or Later: Supports self-signed or CA-signed X.509 certificates.

Authentication for the device running Junos OS
  Junos OS Release 20.3R1 or Later: Supports configuring an identifier and shared secret to authenticate the device running Junos OS to the outbound HTTPS client.
Connection Workflow for Sessions over Outbound HTTPS
In a NETCONF or shell session over outbound HTTPS, the gRPC server running on the network management system acts as the NETCONF or shell client, and the JET application on the device running Junos OS is the gRPC client and NETCONF or shell server. Starting in Junos OS Release 20.3, you can configure multiple outbound HTTPS clients, and you can configure one or more backup gRPC servers for each client. The JET application connects to only one gRPC server in the client’s server list at any one time. You can establish multiple, concurrent NETCONF and shell sessions with that gRPC server in releases that support multiple sessions.
The gRPC client and server perform the following actions to establish a NETCONF or shell session over outbound HTTPS:
The gRPC server listens for incoming connections on the specified port, or if no port is specified, on the default port 443.
The gRPC client initiates a TCP/IP connection with the configured gRPC server and port. If you configure an outbound HTTPS client with one or more backup gRPC servers, the gRPC client tries to connect to each server in the list until it establishes a connection.
The gRPC client sends a TLS ClientHello message to initiate the TLS handshake.
The gRPC server sends a ServerHello message and its certificate.
The gRPC client verifies the identity of the gRPC server.
On devices running Junos OS Release 20.3R1 or later, the gRPC client sends the device ID and shared secret configured for that outbound HTTPS client to the gRPC server.
The NETCONF or shell session is established as follows:
For connections to devices running Junos OS Release 20.2, a single NETCONF session is automatically established.
For connections to devices running Junos OS Release 20.3R1 or later, the outbound HTTPS client requests a NETCONF or shell session, and the gRPC server uses the device ID and shared secret to authenticate the device running Junos OS. If authentication is successful, the session is established.
If a NETCONF session is requested, the server and client exchange NETCONF
The NETCONF or shell client application performs operations as needed.
If the device is running Junos OS Release 20.3R1 or later, the gRPC client initiates another TCP/IP connection with the same gRPC server, and the gRPC client and server repeat the process, which enables the outbound HTTPS client to establish multiple NETCONF and shell sessions with the device running Junos OS.
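The workflow above has three security-relevant pieces: the device must verify the gRPC server's X.509 certificate (self-signed or CA-signed), it walks the client's server list until one answers, and on 20.3R1 or later the gRPC server checks the device ID and shared secret before granting a session. The following Python, using only the standard library, is an added illustration of those three pieces written from the defender's side; it is not Juniper's nc_grpc_app.py, it does not speak the gRPC protocol the JET application uses, and the function names, the DeviceRegistry class, the hostnames and the device ID and secret values are all constructed for this example. The trust-anchor handling shows the difference the table draws between certificate types: for a self-signed server certificate the trust anchor is that certificate itself (pinned), for a CA-signed one it is the CA certificate.

```python
import hashlib
import hmac
import os
import socket
import ssl

DEFAULT_PORT = 443  # the gRPC server's default listening port


def make_server_auth_context(trust_anchor_pem=None):
    """TLS context the device side uses to authenticate the gRPC server.

    trust_anchor_pem is PEM text: the server certificate itself when the
    server uses a self-signed certificate (pinning it as the only trusted
    cert), or the CA certificate when the server certificate is CA-signed.
    None falls back to the platform trust store. Nothing else is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # never proceed with an unverified server
    ctx.check_hostname = True             # cert must match the configured server name
    if trust_anchor_pem is not None:
        ctx.load_verify_locations(cadata=trust_anchor_pem)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def tls_dial(ctx, timeout=5.0):
    """Return a dialer that opens TCP to (host, port) and completes the TLS
    handshake, which is where the server certificate is actually verified."""
    def dial(host, port):
        raw = socket.create_connection((host, port), timeout=timeout)
        try:
            return ctx.wrap_socket(raw, server_hostname=host)
        except Exception:
            raw.close()
            raise
    return dial


def connect_with_fallback(servers, dial):
    """Try each entry of an outbound HTTPS client's server list in order, as
    the JET application does with backup servers, and return
    ((host, port), connection) for the first server that answers.
    Entries are "host" (port 443 assumed) or (host, port) tuples.
    Raises ConnectionError listing every failure when none answers."""
    failures = []
    for server in servers:
        host, port = server if isinstance(server, tuple) else (server, DEFAULT_PORT)
        try:
            return (host, port), dial(host, port)
        except OSError as exc:  # ssl.SSLError is an OSError, so cert failures land here too
            failures.append(f"{host}:{port}: {exc}")
    raise ConnectionError("no gRPC server reachable: " + "; ".join(failures))


class DeviceRegistry:
    """gRPC server side: maps device ID -> salted PBKDF2 hash of the shared
    secret. The secret itself is never stored, comparison is constant-time,
    and an unknown device ID still costs a full derivation so response time
    does not reveal which IDs are registered."""

    _ITERATIONS = 100_000

    def __init__(self):
        self._devices = {}
        self._dummy_salt = os.urandom(16)

    @classmethod
    def _derive(cls, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, cls._ITERATIONS)

    def register(self, device_id, secret):
        salt = os.urandom(16)
        self._devices[device_id] = (salt, self._derive(secret, salt))

    def authenticate(self, device_id, secret):
        """True only if device_id is registered and secret matches its hash."""
        salt, expected = self._devices.get(device_id, (self._dummy_salt, None))
        presented = self._derive(secret, salt)
        if expected is None:
            return False
        return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed values for a stand-alone run; nothing here is reachable offline.
    registry = DeviceRegistry()
    registry.register("router-01", "example-shared-secret")
    print("device auth ok:", registry.authenticate("router-01", "example-shared-secret"))
    ctx = make_server_auth_context()  # platform trust store, CA-signed server cert assumed
    try:
        connect_with_fallback(["nms-primary.example", ("nms-backup.example", 8443)], tls_dial(ctx))
    except ConnectionError as err:
        print(err)
```

The dialer is injected into connect_with_fallback so the failover order can be exercised without a live server; in production the real tls_dial is passed in, and a certificate that fails verification is reported alongside an unreachable host rather than silently skipped to an unverified connection.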