Sky Enterprise Technical Support Guide
Juniper Networks Sky Enterprise delivers cloud-based network management for Juniper Networks SRX Series and EX Series devices. It provides a secure Web-based user interface that is quick to set up and connect devices to. With Sky Enterprise, network engineers with no prior Juniper Networks experience can easily commission devices and manage device updates and the network in general.
Juniper Networks Devices Supported by Sky Enterprise
Table 1 lists all the Juniper Networks product series and devices supported by Sky Enterprise.
In this list, certain devices are marked as “Recommended” as they are comparatively newer and have longer life cycles than others; feature gap is not a factor in their selection.
Table 1: Juniper Networks Devices Supported by Sky Enterprise
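Product Series | Supported Devices | Description |
---|---|---|
EX Series | EX2200 | |
EX Series | EX2300-C-12T | Recommended |
EX Series | EX2300-C-12P | Recommended |
EX Series | EX2300-24T | Recommended |
EX Series | EX2300-24P | Recommended |
EX Series | EX2300-24MP | Recommended |
EX Series | EX2300-48T | Recommended |
EX Series | EX2300-48P | Recommended |
EX Series | EX2300-48MP | Recommended |
EX Series | EX3300 | |
EX Series | EX3400-24T | Recommended |
EX Series | EX3400-24P | Recommended |
EX Series | EX3400-48T | Recommended |
EX Series | EX3400-48P | Recommended |
EX Series | EX4200 | |
EX Series | EX4300-24T | Recommended |
EX Series | EX4300-24P | Recommended |
EX Series | EX4300-48T | Recommended |
EX Series | EX4300-48P | Recommended |
EX Series | EX4300-48MP | Recommended |
EX Series | EX4550 | |
EX Series | EX4600 | Recommended |
EX Series | EX4650 | Recommended |
EX Series | EX9200 | Recommended |
EX Series | EX9251 | Recommended |
EX Series | EX9253 | Recommended |
QFX Series | QFX5100 | Recommended |
QFX Series | QFX5110 | Recommended |
QFX Series | QFX5120 | Recommended |
QFX Series | QFX5200 | Recommended |
QFX Series | QFX5210 | Recommended |
SRX Series | SRX100 | |
SRX Series | SRX110 | |
SRX Series | SRX210 | |
SRX Series | SRX220 | |
SRX Series | SRX240 | |
SRX Series | SRX300 | Recommended |
SRX Series | SRX320 | Recommended |
SRX Series | SRX340 | Recommended |
SRX Series | SRX345 | Recommended |
SRX Series | SRX380 | Recommended |
SRX Series | SRX550 | Recommended |
SRX Series | SRX550M | |
SRX Series | SRX650 | |
SRX Series | SRX1500 | Recommended |
SRX Series | SRX4100 | Recommended |
SRX Series | SRX4200 | Recommended |
SRX Series | SRX5400 | Recommended |
SRX Series | SRX5600 | Recommended |
SRX Series | SRX5800 | Recommended |
SRX Series | vSRX | Recommended |
NFX Series (only supported with vSRX) | NFX150-C-S1 | Recommended |
NFX Series (only supported with vSRX) | NFX150-C-S1-AA | Recommended |
NFX Series (only supported with vSRX) | NFX150-C-S1-AE | Recommended |
NFX Series (only supported with vSRX) | NFX150-C-S1E-AA | Recommended |
NFX Series (only supported with vSRX) | NFX150-C-S1E-AE | Recommended |
NFX Series (only supported with vSRX) | NFX150-S1 | Recommended |
NFX Series (only supported with vSRX) | NFX150-S1E | Recommended |
NFX Series (only supported with vSRX) | NFX250-LS1 | |
NFX Series (only supported with vSRX) | NFX250-S1 | Recommended |
NFX Series (only supported with vSRX) | NFX250-S1E | Recommended |
NFX Series (only supported with vSRX) | NFX250-S2 | Recommended |
NFX Series (only supported with vSRX) | NFX250-S2-TAA | Recommended |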
Junos OS Software Releases Supported by Sky Enterprise
Juniper Networks EX Series Switches
EX Series switches—Junos OS Release 12.1 and later are supported on Sky Enterprise.
We recommend not using the Junos OS 12.3R12-S13, 12.3R12-S14, and 12.3R12-S15 releases. These releases contain an SSH bug that prevents devices from establishing a connection to Sky Enterprise.
Juniper Networks QFX Series Switches
QFX Series switches—Junos OS Release 14.1X53-D30 and later are supported on Sky Enterprise.
Juniper Networks SRX Series Services Gateways
SRX Series and vSRX devices—The following Junos OS software releases are supported on Sky Enterprise:
Junos OS Releases 12.1X44, 12.1X45, 12.1X46, and 12.1X47.
Junos OS Releases 12.3X48 and 15.1X49.
Junos OS Release 17.3R1.
Junos OS Release 18.1 and later.
Juniper Networks NFX Series Devices
We recommend the Junos OS Release 15.1X53-D47 for Juniper Networks NFX Series devices.
Junos OS Release 15.1X53-D45.3 is supported, but it contains a bug. Use the following JTAC recommended procedure to rectify the issue:
Start shell as root user and enter the command listed under NFX250 Device Connectivity Issues.
If this does not resolve the issue, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.
Adding New Devices to Sky Enterprise
This section provides instructions on how to add your Juniper Networks device to Sky Enterprise, obtain a configuration snippet and add the configuration snippet to your device.
Log in to the Sky Enterprise Web Interface
To add your Juniper Networks device to Sky Enterprise, follow these steps:
- Log in to the Sky Enterprise Web Interface.
- Select Devices > Add Device (see Figure 1).
The system prompts you to provide information, such as the device name and device type.
- Provide the required information as prompted.
Your device is added to the Sky Enterprise Web interface.
Obtain the Configuration Snippet
After you’ve added your device, you can follow one of these methods to obtain the configuration snippet:
Copy the configuration snippet from the popup.
Copy the configuration snippet from an e-mail. You receive the configuration snippet in an e-mail sent to your nominated e-mail address.
Add the Configuration Snippet to Your Device
To add the configuration snippet to your device, follow these steps:
- Telnet or SSH to the device. Find your terminal session software (such as PuTTY for Windows, or Terminal/iTerm for the Mac) and initiate a Telnet or SSH session to your device’s IP address or hostname. Log in to the device with your usual administrator details.
- Use ping to verify that your Juniper Networks device can communicate with Sky Enterprise.
    user@host> ping skyenterprise.juniper.net
    PING skyenterprise.juniper.net (192.237.250.140): 56 data bytes
    64 bytes from 192.237.250.140: icmp_seq=0 ttl=64 time=1.301 ms
    64 bytes from 192.237.250.140: icmp_seq=1 ttl=64 time=2.158 ms
    ^C
    --- skyenterprise.juniper.net ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.301/1.729/2.158/0.429 ms
If you receive no results from ping, check your routing, next-hop and DNS settings.
- Enter configuration mode.
    user@host> configure
    Entering configuration mode
    [edit]
    user@SRX#
- Copy and paste the configuration snippet. Here is a sample configuration snippet:
    [edit]
    set system services ssh protocol-version v2
    set system login user skyenterprise class super-user
    set system login user skyenterprise authentication encrypted-password
    set system services outbound-ssh client skyenterprise-ncd01 device-id new-device-devco
    set system services outbound-ssh client skyenterprise-ncd01 secret
    set system services outbound-ssh client skyenterprise-ncd01 services netconf keep-alive retry 3 timeout 5
    set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087 timeout 60 retry 1000
Removing Devices from Sky Enterprise
Devices can be deleted from Sky Enterprise using the Delete Device option under the Action menu. When you delete a device, the Sky Enterprise system also attempts to delete the configuration snippet from the device if the device is still connected to it.
If your device is not connected to Sky Enterprise, the system cannot delete the configuration snippet, and you must delete it yourself.
Here is an example to show how you can remove the configuration snippet yourself:
- Log in to your device, enter the configuration mode, and check the outbound-ssh setup.
    user@host> configure
    Entering configuration mode
    [edit]
    user@host# show system services outbound-ssh
    client skyenterprise-ncd01 {
        device-id srx1-exampleco;
        secret "$9$ "; ## SECRET-DATA
        keep-alive {
            retry 3;
            timeout 5;
        }
        services netconf;
        skyenterprise.juniper.net {
            port 4087;
            retry 1000;
            timeout 60;
        }
    }
This output shows a client called skyenterprise-ncd01.
- Delete the configuration snippet.
    [edit]
    user@host# delete system services outbound-ssh client skyenterprise-ncd01
    user@host# delete system services outbound-ssh client skyenterprise-ncd02
- Commit the configuration.
    [edit]
    user@host# commit and-quit
    commit complete
    Exiting configuration mode
Adding a Static Host Mapping to Your Device (no DNS)
Your Juniper Networks device normally uses domain name system (DNS) servers to learn how to contact Sky Enterprise. In some situations your device might not have name servers configured or available for use. In that case, use the Junos static host mapping feature to map the Sky Enterprise hostnames to their IP addresses on the device.
Here is an example of how to configure the mappings for the Sky Enterprise Netconf Connect Daemon (NCD) servers.
Creating and Managing User Accounts
As a Juniper Sky Enterprise administrator, you can create and manage user accounts.
Creating New User Accounts
To create a new user account:
- Navigate to the Users tab.
- Select Add User.
- Enter the user’s e-mail address.
- Select an appropriate role for the user. See Understanding User Roles.
- Click Create User.
Activating User Accounts
After you create an account, you will receive an e-mail from the Sky Enterprise team that contains a link. You can use this link to activate your account.
The activation link is valid for 48 hours.
To activate your user account:
- Click the link you received in your e-mail.
The password creation dialog box appears.
- Enter your password and then enter it again to confirm it. To be valid, your password:
  - Must contain 12 or more characters and at least three of the following:
    - Uppercase characters
    - Lowercase characters
    - Numbers
    - Non-alphanumeric characters
  - Must not contain leading spaces, dictionary words, names, or personal information.
- Click Confirm my account.
Your account is activated.
Managing User Accounts
As a Sky Enterprise administrator, you can re-send activation requests, delete users, and edit user accounts. To perform these activities, navigate to the user account you want to manage, and follow these steps:
Re-send Activation Requests—From the action drop-down menu, select Resend Activation to re-send an activation request.
Delete Users—From the action drop-down menu, select Delete User to delete a user account.
Edit Users—From the action drop-down menu, select Edit User to edit a user account.
On the Edit User Details page, you can reset passwords and roles for users. You can also choose that users don’t receive product update notifications.
Resetting Passwords
If you forget your password when logging in as a user, you can reset it.
To reset your password:
- Click Forgot your password? on the main login page.
- When prompted, enter your e-mail address.
- Click Reset my password.
- Enter your new password and then enter it again to confirm it. To be valid, your password:
  - Must contain 12 or more characters and at least three of the following:
    - Uppercase characters
    - Lowercase characters
    - Numbers
    - Non-alphanumeric characters
  - Must not contain leading spaces, dictionary words, names, or personal information.
Enabling Two Factor Authentication
Sky Enterprise supports two-factor authentication with applications from selected vendors (such as Google Authenticator, Duo, and Okta).
To enable two factor authentication:
- Log in to your Sky Enterprise account.
- From the upper right corner of your GUI, select Two Factor Auth.
A QR code is displayed.
- Scan the QR code with your desired two factor application.
- Enter the resulting authentication code.
Your two-factor authentication is enabled and ready to use.
Disabling Two Factor Authentication
To disable your two factor authentication:
- Log in to your Sky Enterprise account.
- From the upper right corner of your GUI, select Two Factor Auth.
- Provide the authentication code from your two factor application.
- (Optional) Choose to get your code via e-mail.
- Click Submit.
Resetting Your Two Factor Authentication
In case your two factor authentication is enabled but you are unable to generate two factor codes or receive codes via e-mail, ask your company’s administrator to remove your account and recreate it. If you continue to experience issues, contact Juniper Technical Assistance Center (JTAC) at support@juniper.net.
Creating Multi-Tenant Users
Sky Enterprise supports multi-tenancy. As a Sky Enterprise administrator, you can enable multi-tenancy using the Settings tab. Once multi-tenancy is enabled, you can create tenants under your company name. You can also create, delete, and edit users within a tenant. Users within a tenant can only view devices in their company and not the parent devices.
- From your main page, select the tenant in which you want to create, delete, or edit users.
- After you select a tenant, you will see the tenant change in the upper right corner of the GUI. Navigate to the Users tab and perform the desired action.
Understanding User Roles
The Sky Enterprise system provides predefined roles that you can assign to users to define administrative responsibilities and specify the management tasks that a user can perform in the system.
User Role | Tasks |
---|---|
Read-only | |
User | |
Administrator | |
Read-only User Administrator | Is similar to the read-only role, except that it also allows you to create and delete read-only users: |
Adding a Junos Software Image or VNF File to the Software Library
You can add Junos software images or VNF files to the Sky Enterprise software library. This allows you to upgrade images or distribute VNF files to one or many Juniper Networks devices easily using the Sky Enterprise software distribution feature.
To use the Sky Enterprise software distribution feature, software images are placed on a file server in your network or another location reachable from your devices.
To add an image to the Sky Enterprise software library:
- Select Configuration > Software Library.
- Click New Software Image.
- Add the image details, including the URL, size, and checksum (see Figure 2).
- Click Submit.
You can now use the image or files under the Software Distribution tab.
Limiting Sky Enterprise Access to Your Devices
It is possible to restrict the access of Sky Enterprise to your devices and limit the changes that can be made using the Sky Enterprise user interface. The Sky Enterprise Web interface uses a secure connection to gather information from your devices using the equivalent of operational commands and a few snippets of configuration. This ‘just-in-time’ collection enables Sky Enterprise to provide certain functions in the Web application. After a short timeout, the details from the cache are cleared. None of your device configuration information is stored on the Sky Enterprise system.
For example, if you want to edit a security policy, the system collects the information about zones, policies, and related address books. If you make a change, the Sky Enterprise system constructs what needs to be changed in your configuration, makes sure no one else is currently making a change, runs a commit check, and pushes the change.
This procedure is completed over secure connections: an SSL Web session from your browser to the Sky Enterprise Web application, then an SSH-encrypted NETCONF session to your Juniper Networks device. A similar process is used to display and edit interface information.
It is possible to be more restrictive in what the Sky Enterprise connection can access. Here is an example that you can apply to anything that you want to restrict.
To restrict the access that Sky Enterprise has to your device, follow these steps:
- Create a custom user class that you can assign to the Sky Enterprise user.
    [edit system login class restrict-skyenterprise]
    user@host# set permissions all
    user@host# set deny-configuration-regexps "system"
- Assign the role to the Sky Enterprise user.
    [edit system login user skyenterprise]
    user@host# set class restrict-skyenterprise
    user@host# set deny-configuration-regexps "system"
- Commit the change.
    [edit system login user skyenterprise]
    user@host# top
    [edit]
    user@host# commit check
    configuration check succeeds
    user@host# commit and-quit
    commit complete
The [system] hierarchy is no longer accessible.
- To make sure that the [system] hierarchy is inaccessible, log in as the Sky Enterprise user and check.
    [edit]
    user@host# edit system
                    ^
    syntax error, expecting or .
    [edit]
    user@host# exit
    Exiting configuration mode
    user@host> show configuration sy
                                  ^
    syntax error
This is just one example of an area you could protect using this method. You can expand this to restrict access to commands, or conversely allow only specific commands or configuration.
For more information, see https://kb.juniper.net/KB23038 and https://www.juniper.net/documentation/en_US/junos11.3/topics/example/access-privileges-configuration-mode-commands-regexps-configuring.html.
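A check that can be run after these steps, as an added example that is not part of the original guide: it reads `show configuration | display set` output and reports which class the Sky Enterprise login has, which configuration hierarchies that class denies, and where the outbound-ssh clients connect. The function name, the sample lines, and the one-value-per-line layout of `deny-configuration-regexps` are assumptions.

```python
import shlex

# Constructed `show configuration | display set` lines: BEFORE is the state
# the sample snippet leaves, AFTER adds the restricted class from the steps
# above. Secret values are left out.
BEFORE = """\
set system login user skyenterprise class super-user
set system services outbound-ssh client skyenterprise-ncd01 services netconf
set system services outbound-ssh client skyenterprise-ncd01 skyent-ncd01.juniper.net port 4087
"""
AFTER = BEFORE.replace("class super-user", "class restrict-skyenterprise") + """\
set system login class restrict-skyenterprise permissions all
set system login class restrict-skyenterprise deny-configuration-regexps "system"
"""


def audit_sky_access(display_set, user="skyenterprise"):
    """Report the login class, denied hierarchies and outbound-ssh targets
    for the Sky Enterprise user, plus findings that need attention."""
    classes, user_class, clients = {}, None, {}
    for line in display_set.splitlines():
        tok = shlex.split(line)          # strips the quotes around regexps
        if tok[:4] == ["set", "system", "login", "class"] and len(tok) > 6:
            # set system login class <name> <statement> <value> ...
            classes.setdefault(tok[4], {}).setdefault(tok[5], []).extend(tok[6:])
        elif tok[:6] == ["set", "system", "login", "user", user, "class"] and len(tok) > 6:
            user_class = tok[6]
        elif tok[:5] == ["set", "system", "services", "outbound-ssh", "client"] and len(tok) > 5:
            targets = clients.setdefault(tok[5], [])
            if "port" in tok[7:-1]:
                targets.append((tok[6], int(tok[tok.index("port", 7) + 1])))

    denied = classes.get(user_class, {}).get("deny-configuration-regexps", [])
    findings = []
    if user_class is None:
        findings.append("no login user %r in this configuration" % user)
    elif user_class == "super-user":
        findings.append("%s has class super-user: every hierarchy is writable" % user)
    elif user_class not in classes:
        findings.append("class %r is not defined in this configuration" % user_class)
    elif not denied:
        findings.append("class %r sets no deny-configuration-regexps" % user_class)
    return {"class": user_class, "denied": denied,
            "clients": clients, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sky_access(cfg))
```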
Creating an MD5 Checksum for Your Software Image
The Sky Enterprise software distribution system requires you to provide an MD5 checksum of the Junos or VNF image file. This enables the system to perform a check on the file once it has been copied to the device, ensuring the integrity of the file.
An MD5 checksum acts as a digital fingerprint for a file. It shows whether the file has changed due to file transfer faults, disk errors, or non-malicious meddling; because MD5 collisions can be constructed deliberately, it is not evidence against intentional tampering. Sky Enterprise uses the MD5 checksum to ensure file integrity for the Software Distribution feature.
Vendor Supplied Checksum
Depending on where your software image is coming from you might have an option to obtain an MD5 checksum from a provider. For example, you can obtain an MD5 checksum for a Juniper Networks vSRX image.
The Juniper Networks software download site, for example, provides links to MD5 checksums for each image. Download the MD5 file, open it using a text editor, and copy the string (see Figure 3).
Create Your Own MD5 Checksum
If you don’t have a supplied MD5 checksum file, you can create one by using a checksum tool.
Depending on your operating system, there are different ways to obtain a checksum from a file.
For Windows systems
There is a utility called FCIV (File Checksum Integrity Verifier) that is available from Microsoft. For instructions on how to download and use the utility, see https://support.microsoft.com/en-us/help/841290.
For Unix-based systems
Unix-based systems, like macOS or Linux (or even Junos), usually include tools to get checksums. The command is either md5 or md5sum, depending on the distribution.
For example:
    user@host$ md5 junos-srxsme-15.1X49-D70.3-domestic.tgz
    MD5 (junos-srxsme-15.1X49-D70.3-domestic.tgz) = 07453173a9db4b2f034f2ab9f0ad2711
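The size and checksum that the Software Library entry asks for can be produced the same way on Windows, macOS, and Linux. The following added example, which is not part of the original guide, hashes an image in chunks and compares the result with a supplied checksum line in bare, `md5`, or `md5sum` layout. The function names and the small stand-in file are assumptions made for illustration.

```python
import hashlib
import os
import re

HEX32 = r"([0-9a-fA-F]{32})"


def image_details(path, chunk_size=1024 * 1024):
    """Return (size_in_bytes, md5_hex), reading the file in chunks so a
    multi-gigabyte image never has to fit in memory."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def parse_checksum_text(text):
    """Return (md5_hex, filename_or_None) from one checksum line.

    Handles a bare digest, BSD `md5` output ("MD5 (name) = digest") and
    GNU `md5sum` output ("digest  name" or "digest *name")."""
    line = text.strip()
    m = re.fullmatch(r"MD5 \((.+)\) = " + HEX32, line)
    if m:
        return m.group(2).lower(), m.group(1)
    m = re.fullmatch(HEX32 + r"\s+\*?(.+)", line)
    if m:
        return m.group(1).lower(), m.group(2)
    m = re.fullmatch(HEX32, line)
    if m:
        return m.group(1).lower(), None
    raise ValueError("no MD5 digest recognised in %r" % line)


def verify_image(path, checksum_text):
    """Compare a local image with a supplied checksum line. name_ok is
    False when the line names a different file, which catches a digest
    copied from the wrong download."""
    expected, name = parse_checksum_text(checksum_text)
    size, actual = image_details(path)
    name_ok = name is None or os.path.basename(name) == os.path.basename(path)
    return {"size": size, "md5": actual,
            "digest_ok": actual == expected, "name_ok": name_ok}


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for an image file; a real run points at the .tgz.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed-image.tgz")
        with open(image, "wb") as fh:
            fh.write(b"abc")
        print(verify_image(image, "900150983cd24fb0d6963f7d28e17f72  constructed-image.tgz"))
```

The `size` and `md5` values in the result are the ones to enter in the New Software Image form.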
NFX250 Device Connectivity Issues
This section lists the known issues in connecting NFX250 devices to Sky Enterprise:
When NFX250 devices are connected to Sky Enterprise using Junos OS Release 17.2R1, part of the outbound-ssh configuration is missing.
We recommend using Junos OS Release 15.1X53-D47 for NFX250.
Junos OS Release 15.1X53-D45.3 (or Junos OS Release 15.1X53-D45) allows NFX250 devices to connect to Sky Enterprise. However, in some circumstances, the authentication fails. To rectify this issue, follow this JTAC recommendation:
Start shell as root user, and enter this command:
    cp /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub.orig
    sed -i -e "s/ jdm/ root@jdm/" /etc/ssh/ssh_host_rsa_key.pub
If this does not resolve the issue, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.
Troubleshooting Device Connectivity Issues
If you’ve added your Juniper Networks device to Sky Enterprise and it’s not showing online, follow these steps to ensure that the path from your device to Sky Enterprise is working:
Make sure your device connects to the “outside world”. Try to ping to an external IP address.
Make sure your device has DNS to resolve the Sky Enterprise hosts, or static host mappings. See Adding a Static Host Mapping to Your Device (no DNS).
Make sure your device can connect to the Sky Enterprise connector servers using TCP port 4087.
Occasionally, a firewall filter might block the port 4087 traffic. Then you must configure your device to get through the firewall.
To check the connection, use Telnet on the Juniper Networks device with some specific options to activate the connection on port 4087.
Here is an example showing a Juniper Networks device that isn’t able to connect to the Sky Enterprise port 4087 and requires further investigation for the blocked traffic.
    user@host> telnet skyent-ncd01.juniper.net port 4087
    Trying 162.243.139.198...
    telnet: connect to address 162.243.139.198: Connection refused
    telnet: Unable to connect to remote host
Here is an example of a successful test:
    user@host> telnet skyent-ncd01.juniper.net port 4087
    Trying 162.243.139.198...
    Connected to skyent-ncd01.juniper.net.
    Escape character is '^]'.
If you cannot determine the cause of a problem or need additional assistance, visit Juniper Networks Technical Assistance Center (JTAC) at https://www.juniper.net/support/requesting-support.html.