Sky Enterprise Technical Support Guide

 

Juniper Networks Sky Enterprise delivers cloud-based network management for Juniper Networks SRX Series and EX Series devices. It provides a secure Web-based user interface that is quick to set up and connect devices to. With Sky Enterprise, network engineers with no prior Juniper Networks experience can easily commission devices and manage device updates and the network in general.

Juniper Networks Devices Supported by Sky Enterprise

Table 1 lists all the Juniper Networks product series and devices supported by Sky Enterprise.

In this list, certain devices are marked as “Recommended” as they are comparatively newer and have longer life cycles than others; feature gap is not a factor in their selection.

Table 1: Juniper Networks Devices Supported by Sky Enterprise

Product Series                          Supported Devices   Description

EX Series                               EX2200
                                        EX2300-C-12T        Recommended
                                        EX2300-C-12P        Recommended
                                        EX2300-24T          Recommended
                                        EX2300-24P          Recommended
                                        EX2300-24MP         Recommended
                                        EX2300-48T          Recommended
                                        EX2300-48P          Recommended
                                        EX2300-48MP         Recommended
                                        EX3300
                                        EX3400-24T          Recommended
                                        EX3400-24P          Recommended
                                        EX3400-48T          Recommended
                                        EX3400-48P          Recommended
                                        EX4200
                                        EX4300-24T          Recommended
                                        EX4300-24P          Recommended
                                        EX4300-48T          Recommended
                                        EX4300-48P          Recommended
                                        EX4300-48MP         Recommended
                                        EX4550
                                        EX4600              Recommended
                                        EX4650              Recommended
                                        EX9200              Recommended
                                        EX9251              Recommended
                                        EX9253              Recommended

QFX Series                              QFX5100             Recommended
                                        QFX5110             Recommended
                                        QFX5120             Recommended
                                        QFX5200             Recommended
                                        QFX5210             Recommended

SRX Series                              SRX100
                                        SRX110
                                        SRX210
                                        SRX220
                                        SRX240
                                        SRX300              Recommended
                                        SRX320              Recommended
                                        SRX340              Recommended
                                        SRX345              Recommended
                                        SRX380              Recommended
                                        SRX550              Recommended
                                        SRX550M
                                        SRX650
                                        SRX1500             Recommended
                                        SRX4100             Recommended
                                        SRX4200             Recommended
                                        SRX5400             Recommended
                                        SRX5600             Recommended
                                        SRX5800             Recommended
                                        vSRX                Recommended

NFX Series (only supported with vSRX)   NFX150-C-S1         Recommended
                                        NFX150-C-S1-AA      Recommended
                                        NFX150-C-S1-AE      Recommended
                                        NFX150-C-S1E-AA     Recommended
                                        NFX150-C-S1E-AE     Recommended
                                        NFX150-S1           Recommended
                                        NFX150-S1E          Recommended
                                        NFX250-LS1
                                        NFX250-S1           Recommended
                                        NFX250-S1E          Recommended
                                        NFX250-S2           Recommended
                                        NFX250-S2-TAA       Recommended

Junos OS Software Releases Supported by Sky Enterprise

Juniper Networks EX Series Switches

EX Series switches—Junos OS Release 12.1 and later are supported on Sky Enterprise.

Note

We recommend not using the Junos OS 12.3R12-S13, 12.3R12-S14, and 12.3R12-S15 releases. These releases contain an SSH bug that prevents devices from establishing a connection to Sky Enterprise.

Juniper Networks QFX Series Switches

QFX Series switches—Junos OS Release 14.1X53-D30 and later are supported on Sky Enterprise.

Juniper Networks SRX Series Services Gateways

SRX Series and vSRX devices—The following Junos OS software releases are supported on Sky Enterprise:

  • Junos OS Releases 12.1X44, 12.1X45, 12.1X46, and 12.1X47.

  • Junos OS Releases 12.3X48 and 15.1X49.

  • Junos OS Release 17.3R1.

  • Junos OS Release 18.1 and later.

Juniper Networks NFX Series Devices

We recommend the Junos OS Release 15.1X53-D47 for Juniper Networks NFX Series devices.

Junos OS Release 15.1X53-D45.3 is supported, but it contains a bug. Use the following JTAC recommended procedure to rectify the issue:

Start shell as root user and enter the following command:

If this does not resolve the issue, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.

Adding New Devices to Sky Enterprise

This section provides instructions on how to add your Juniper Networks device to Sky Enterprise, obtain a configuration snippet and add the configuration snippet to your device.

Log in to the Sky Enterprise Web Interface

To add your Juniper Networks device to Sky Enterprise, follow these steps:

  1. Log in to the Sky Enterprise Web Interface.
  2. Select Devices > Add Device (see Figure 1).

    The system prompts you to provide information, such as the device name and device type.

    Figure 1: Adding Your Devices to Sky Enterprise
  3. Provide the required information as prompted.

    Your device is added to the Sky Enterprise Web interface.

Obtain the Configuration Snippet

After you’ve added your device, you can follow one of these methods to obtain the configuration snippet:

  • Copy the configuration snippet from the popup.

  • Copy the configuration snippet from an e-mail. You receive the configuration snippet in an e-mail sent to your nominated e-mail address.

Add the Configuration Snippet to Your Device

To add the configuration snippet to your device, follow these steps:

  1. Telnet or SSH to the device. Find your terminal session software (such as PuTTY for Windows, or Terminal/iTerm for the Mac) and initiate a Telnet or SSH session to your device’s IP address or hostname. Log in to the device with your usual administrator details.
  2. Use ping to verify that your Juniper Networks device can communicate with Sky Enterprise.

    If you receive no results from ping, check your routing, next-hop and DNS settings.

  3. Enter configuration mode.
  4. Copy and paste the configuration snippet. Here is a sample configuration snippet:

Removing Devices from Sky Enterprise

Devices can be deleted from Sky Enterprise using the Delete Device option under the Action menu. When you delete a device, the Sky Enterprise system also attempts to delete the configuration snippet from the device if the device is still connected to it.

If your device is not connected to Sky Enterprise, the system cannot delete the configuration snippet; you must delete it yourself.

Here is an example to show how you can remove the configuration snippet yourself:

  1. Log in to your device, enter the configuration mode, and check the outbound-ssh setup.

    This output shows a client called skyenterprise-ncd01.

  2. Delete the configuration snippet.
  3. Commit the configuration.

Adding a Static Host Mapping to Your Device (no DNS)

Your Juniper Networks device needs to learn how to contact Sky Enterprise using domain name system (DNS) servers. In some situations your device might not have name servers configured or available for use. Use the Junos static host mapping feature to configure the name servers.

Here is an example of how to configure the mappings for the Sky Enterprise Netconf Connect Daemon (NCD) servers.

Creating and Managing User Accounts

As a Juniper Sky Enterprise administrator, you can create and manage user accounts.

Creating New User Accounts

To create a new user account:

  1. Navigate to the Users tab.
  2. Select Add User.
  3. Enter the user’s e-mail address.
  4. Select an appropriate role for the user. See Understanding User Roles.
  5. Click Create User.

Activating User Accounts

After you create an account, you will receive an e-mail from the Sky Enterprise team that contains a link. You can use this link to activate your account.

Note

The activation link is valid for 48 hours.

To activate your user account:

  1. Click the link you received in your e-mail.

    The creating password dialog box appears.

  2. Enter your password and then enter it again to confirm it. To be valid, your password:
    • Must contain 12 or more characters and at least three of the following:

      • Uppercase characters

      • Lowercase characters

      • Numbers

      • Non-alphanumeric characters

    • Must not contain leading spaces, dictionary words, names, or personal information.

  3. Click Confirm my account.

    Your account is activated.

Managing User Accounts

As a Sky Enterprise administrator, you can re-send activation requests, delete users, and edit user accounts. To perform these activities, navigate to the user account you want to manage, and follow these steps:

  • Re-send Activation Requests—From the action drop-down menu, select Resend Activation to re-send an activation request.

  • Delete Users—From the action drop-down menu, select Delete User to delete a user account.

  • Edit Users—From the action drop-down menu, select Edit User to edit a user account.

    On the Edit User Details page, you can reset passwords and roles for users. You can also choose that users don’t receive product update notifications.

Resetting Passwords

If you forget your password when logging in as a user, you can reset it.

To reset your password:

  1. Click Forgot your password? on the main login page.
  2. When prompted, enter your e-mail address.
  3. Click Reset my password.
  4. Enter your new password and then enter it again to confirm it. To be valid, your password:
    • Must contain 12 or more characters and at least three of the following:

      • Uppercase characters

      • Lowercase characters

      • Numbers

      • Non-alphanumeric characters

    • Must not contain leading spaces, dictionary words, names, or personal information.

Enabling Two Factor Authentication

Sky Enterprise supports two factor authentication through selected vendors (such as Google Authenticator, Duo, and Okta).

To enable two factor authentication:

  1. Log in to your Sky Enterprise account.
  2. From the upper right corner of your GUI, select Two Factor Auth.

    A QR code is displayed.

  3. Scan the QR code with your desired two factor application.
  4. Enter the resulting authentication code.

    Your two-factor authentication is enabled and ready to use.

Disabling Two Factor Authentication

To disable your two factor authentication:

  1. Log in to your Sky Enterprise account.
  2. From the upper right corner of your GUI, select Two Factor Auth.
  3. Provide the authentication code from your two factor application.
  4. (Optional) Choose to get your code via e-mail.
  5. Click Submit.

Resetting Your Two Factor Authentication

In case your two factor authentication is enabled but you are unable to generate two factor codes or receive codes via e-mail, ask your company’s administrator to remove your account and recreate it. If you continue to experience issues, contact Juniper Technical Assistance Center (JTAC) at support@juniper.net.

Creating Multi-Tenant Users

Sky Enterprise supports multi-tenancy. As a Sky Enterprise administrator, you can enable multi-tenancy using the Settings tab. Once multi-tenancy is enabled, you can create tenants under your company name. You can also create, delete, and edit users within a tenant. Users within a tenant can only view devices in their company and not the parent devices.

  1. From your main page, select the tenant in which you want to create, delete, or edit a user.
  2. After you select a tenant, you will see the tenant change in the upper right corner of the GUI. Navigate to the Users tab and perform the desired action.

Understanding User Roles

The Sky Enterprise system provides predefined roles that you can assign to users to define administrative responsibilities and specify the management tasks that a user can perform in the system.

User Role

Tasks

Read-only

  • Read-only access to view interfaces and security related configuration details.

  • View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).

  • View graphs.

  • View and create ANR reports.

User

  • Read-and-write access to interfaces and security related configuration.

  • View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).

  • View graphs.

  • View and create ANR reports.

  • Set and update device rescue configuration and auto recovery.

Administrator

  • Read-and-write access to interfaces and security related configuration.

  • View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).

  • View graphs.

  • View and create ANR reports.

  • Set and update device rescue configuration and auto recovery.

  • Create and edit user accounts.

  • Create and edit devices.

  • Create and edit managed service provider tenant companies (for MSP use case only)

  • Manage devices for tenant companies (for MSP use case only)

Read-only User Administrator

Similar to the read-only role, except that it also allows you to create and delete read-only users:

  • Create and delete read-only users.

  • View interfaces and security related configuration details.

  • View troubleshooting information for interfaces (for example, ARP, LLDP, and the ethernet-switching table).

  • View graphs.

  • View and create ANR reports.

Adding a Junos Software Image or VNF File to the Software Library

You can add Junos software images or VNF files to the Sky Enterprise software library. This allows you to upgrade images or distribute VNF files to one or many Juniper Networks devices easily using the Sky Enterprise software distribution feature.

To use the Sky Enterprise software distribution feature, software images are placed on a file server in your network or another location reachable from your devices.

To add an image to the Sky Enterprise software library:

  1. Select Configuration > Software Library.
  2. Click New Software Image.
  3. Add the image details, including the URL, size, and checksum (see Figure 2).
    Figure 2: Adding Your Software Image
  4. Click Submit.

You can now use the image or files under the Software Distribution tab.

Limiting Sky Enterprise Access to Your Devices

It is possible to restrict the access of Sky Enterprise to your devices and limit the changes that can be made using the Sky Enterprise user interface. The Sky Enterprise Web interface uses a secure connection to gather information from your devices using the equivalent of operation commands and a few snippets of configuration. This ‘just-in-time’ collection enables Sky Enterprise to provide certain functions in the Web application. After a short timeout, the details from the cache are cleared. None of your device configuration information is stored on the Sky Enterprise system.

For example, if you want to edit a security policy, the system collects the information about zones, policies, and related address books. If you make a change, the Sky Enterprise system constructs what is needed to be changed in your configuration, makes sure no one else is currently making a change, checks commit, and pushes the change.

This procedure is completed over secure connections: an SSL Web session from your browser to the Sky Enterprise Web application, then an SSH-encrypted NETCONF session to your Juniper Networks device. A similar process is used to display and edit interface information.

It is possible to be more restrictive in what the Sky Enterprise connection can access. Here is an example that you can apply to anything that you want to restrict.

To restrict access to Sky Enterprise, follow these steps:

  1. Create a custom user class that you can assign to the Sky Enterprise user.
  2. Assign the role to the Sky Enterprise user.
  3. Commit the change.

    The [system] hierarchy is no longer accessible.

  4. To make sure that the [system] hierarchy is inaccessible, log in as the Sky Enterprise user and check.

This is just one example of an area you could protect using this method. You can expand this to restrict access to commands, or conversely allow only specific commands or configuration.

For more information, see https://kb.juniper.net/KB23038 and https://www.juniper.net/documentation/en_US/junos11.3/topics/example/access-privileges-configuration-mode-commands-regexps-configuring.html.

Creating an MD5 Checksum for Your Software Image

The Sky Enterprise software distribution system requires you to provide an MD5 checksum of the Junos or VNF image file. This enables the system to perform a check on the file once it has been copied to the device, ensuring the integrity of the file.

An MD5 checksum is a value computed from a file’s contents that acts as a digital fingerprint for the file. It lets you confirm that the file has not changed due to file transfer faults, disk errors, or non-malicious meddling. Sky Enterprise uses the MD5 checksum to ensure file integrity for the Software Distribution feature.

Vendor Supplied Checksum

Depending on where your software image comes from, you might have an option to obtain an MD5 checksum from a provider. For example, you can obtain an MD5 checksum for a Juniper Networks vSRX image.

Here is an example of the Juniper Networks software download site with links to MD5 checksums for each image. Download the MD5 file, open it using a text editor, and copy the string (see Figure 3).

Figure 3: Vendor Supplied Checksum

Create Your Own MD5 Checksum

If you don’t have a supplied MD5 checksum file, you can create one by using a checksum tool.

Depending on your operating system, there are different ways to obtain a checksum from a file.

  1. For Windows systems

    There is a utility called FCIV (File Checksum Integrity Verifier) that is available from Microsoft. For instructions on how to download and use the utility, see https://support.microsoft.com/en-us/help/841290.

  2. For Unix-based systems

    Unix-based systems, like macOS or Linux (or even Junos), usually include tools to get checksums. The command is either md5 or md5sum, depending on the distribution.

    For example:

NFX250 Device Connectivity Issues

This section lists the known issues in connecting NFX250 devices to Sky Enterprise:

  • When NFX250 devices are connected to Sky Enterprise using Junos OS Release 17.2R1, part of the outbound-ssh configuration is missing.

    We recommend using Junos OS Release 15.1X53-D47 for NFX250.

  • Junos OS Release 15.1X53-D45.3 (or Junos OS Release 15.1X53-D45) allows NFX250 devices to connect to Sky Enterprise. However, in some circumstances, the authentication fails. To rectify this issue, follow this JTAC recommendation:

    Start shell as root user, and enter this command:

    If this does not resolve the issue, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.

Troubleshooting Device Connectivity Issues

If you’ve added your Juniper Networks device to Sky Enterprise and it’s not showing online, follow these steps to ensure that the path from your device to Sky Enterprise is working:

  • Make sure your device connects to the “outside world”. Try to ping an external IP address.

  • Make sure your device has DNS to resolve the Sky Enterprise hosts, or static host mappings. See Adding a Static Host Mapping to Your Device (no DNS).

  • Make sure your device can connect to the Sky Enterprise connector servers using TCP port 4087.

    Occasionally, a firewall filter might block the port 4087 traffic. Then you must configure your device to get through the firewall.

    To check the connection, use Telnet on the Juniper Networks device with some specific options to activate the connection on port 4087.

    Here is an example showing a Juniper Networks device that isn’t able to connect to the Sky Enterprise port 4087 and requires further investigation for the blocked traffic.

    Here is an example of a successful test:

If you cannot determine the cause of a problem or need additional assistance, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.