Deploy with SRX

WebApp Secure must be logically in-line with all web site traffic, generally between the load balancer and application servers. Traditionally this has required the involvement of the load balancer team, and can often be a high-risk proposition that must move through an organization. Therefore WebApp Secure now provides an easier, alternative method for deployment with a Juniper Networks SRX Series Services Gateway using common routing protocols.

When you configure the Deploy with SRX feature, a minimal amount of information is needed and logical defaults are used in several fields. As part of the configuration, you select whether to use the OSPF or BGP protocol. Once a protocol is chosen, WebApp Secure will communicate with the SRX series and insert itself at the appropriate place in the network topology. Then, leveraging either OSPF or BGP routing protocols, traffic will route in a fault-tolerant manner through WebApp Secure or directly to the backend application servers as appropriate.

Figure 42: WebApp Secure Logically In-line with Web Site Traffic

WebApp Secure Logically In-line with Web Site Traffic

To configure Deploy with SRX, do the following:

  1. In the Web UI, under the Configuration menu, select Deploy With SRX.
  2. In the Easy Deployment with SRX window, select a Routing Mode in the Configure Routing tab. You can choose either OSPF (Open Shortest Path First) or BGP (Border Gatway Protocol). Routing Mode is disabled by default.
  3. Once you select a routing protocol, corresponding fields for configuring that protocol appear. For OSPF, you may configure the Area, Interface on the SRX, and Hello and Dead intervals. For BGP, you may configure the Hold time, Autonomous System number, and Interface IP. Regardless of the protocol you select, you may also configure a Routing Authentication key and the Interface on the WebApp Secure system that will be used. You cannot have both protocols active at the same time.

    Figure 43: Select and Configure OSPF

    Select and Configure OSPF

    Figure 44: Select and Configure BGP

    Select and Configure BGP
  4. After you have completed the protocol configuration on the WebApp Secure side, you must make some minor configuration changes on your SRX series. Under SRX configuration at the bottom of the window, if you select to Make Changes Automatically, when you click Save, WebApp Secure uses the NETCONF protocol to make the changes on the SRX series for you. Otherwise, you can select to Make Changes Manually. When you click the Save button, a code snippet is provided. You must manually run this code on your SRX series before continuing on to the next step.

    Figure 45: Make Changes Manually - Selected

    Make Changes Manually - Selected

    Figure 46: Make Changes Manually - Example Code Snippet

    Make Changes Manually - Example Code Snippet
  5. Once WebApp Secure and your SRX series are configured, you can deploy individual applications to use your chosen routing protocol. To do this, select the Deploy Applications tab. For each application you wish to deploy, select a listen IP address and protocol. Then click Save.

    Figure 47: Deploy Applications - Select Listen IP and Protocol

    Deploy Applications - Select Listen IP and Protocol

    Figure 48: Example - Test Output

    Example - Test Output

    Note: There must be a one-to-one match between a backend server IP and a listen IP, and if any applications share an IP, you will need to make the same choices for both IPs (configured or not configured) for each application that shares either IP. For example, if www.example.com and blogs.example.com share a listen IP and/or backend server, both of them must be configured to use or not use OSPF/BGP.

    Note: It is not possible to deploy an application without first setting a backend server at the application level; that is, the global backend server does not inherit in this case. You must claim the backend for the application by navigating to the application's configuration dashboard and clicking the "Override" button. If you do not have an application configured in WebApp Secure, you must configure one before you can use this feature.

If you wish to stop using OSPF or BGP, you must first un-check all of the checkboxes in the Deploy Applications tab, click Save, and then navigate back to the Configure Routing tab to disable the protocol and make the necessary configuration changes to your SRX series.

Figure 49: Manual Undeploy

Manual Undeploy

Figure 50: Manual Undeploy Commands

Manual Undeploy Commands

Limitations:

Related Documentation