Communication Between a Secure Access Device and NSM Overview

The Secure Access device and the NSM application communicate through the Device Management Interface (DMI). DMI is a collection of schema-driven protocols that run on a common transport (that is, TCP). DMI is designed to work with Juniper Networks platforms to make device management consistent across all administrative realms. Supported DMI protocols include:

DMI supports third-party network management systems that incorporate the DMI standard; however, only one DMI-based agent per device is supported.

The Secure Access device configuration is represented as a hierarchical tree of configuration items. This structure is expressed in XML and can be manipulated with NetConf. NetConf is a network management protocol that uses XML. DMI uses NetConf’s generic configuration management capability to allow remote configuration of the device.

To allow NSM to manage the Secure Access device using the DMI protocol, NSM must import the schema and metadata files from the Juniper Networks Schema Repository, a publicly accessible resource that is updated with each device release. In addition to downloading the Secure Access device current schema, NSM may also download upgraded software.

The Schema Repository enables access to XSD and XML files defined for each device, model, and software version.

Before attempting to communicate with NSM, you must first complete the initial configuration of the Secure Access device. Initial configuration includes network interface settings, DNS settings, licensing, and password administration.

If you have several Secure Access devices that will be configured in a clustering environment, the cluster abstraction must first be created in the NSM Cluster Manager. Then you can add individual nodes.

After you have completed the initial network configuration, you can configure the Secure Access device to communicate with NSM using the appropriate network information. Once the Secure Access device has been configured to communicate with NSM, the Secure Access device contacts NSM and establishes a DMI session through an initial TCP handshake.

All communications between the Secure Access device and NSM occur over SSH to ensure data integrity.

After the Secure Access device initially contacts NSM and a TCP session is established, interaction between the Secure Access device and NSM is driven from NSM, which issues commands to get hardware, software, and license details of the Secure Access device. NSM connects to the Schema Repository to download the configuration schema that is specific to the Secure Access device.

NSM then issues a command to retrieve configuration information from the Secure Access device. If NSM is contacted by more than one Secure Access device as a member of a cluster, information from only one of the cluster devices is gathered. NSM attempts to validate the configuration received from the Secure Access device against the schema from Juniper Networks.

Once the Secure Access device and NSM are communicating, the Secure Access device delivers syslog and event information to NSM.

After NSM and the Secure Access device are connected, you can make any configuration changes directly on the Secure Access device, bypassing NSM. NSM automatically detects these changes and imports the new configuration data. Changes to Secure Access cluster members will similarly be detected by NSM.

When you make changes to the Secure Access device configuration through NSM you must push the changes to the device by performing an Update Device operation.

When you double-click the Secure Access device icon in the Device Manager and select the Configuration tab, the configuration tree appears in the main display area in the same orientation as items appear on the Secure Access device admin console.

Related Documentation