Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All
     
     

    Deploy with SRX

    WebApp Secure must be logically in-line with all web site traffic, generally between the load balancer and application servers. Traditionally this has required the involvement of the load balancer team, and can often be a high-risk proposition that must move through an organization. Therefore WebApp Secure now provides an easier, alternative method for deployment with a Juniper Networks SRX Series Services Gateway using common routing protocols.

    When you configure the Deploy with SRX feature, a minimal amount of information is needed and logical defaults are used in several fields. As part of the configuration, you select whether to use the OSPF or BGP protocol. Once a protocol is chosen, WebApp Secure will communicate with the SRX series and insert itself at the appropriate place in the network topology. Then, leveraging either OSPF or BGP routing protocols, traffic will route in a fault-tolerant manner through WebApp Secure or directly to the backend application servers as appropriate.

    Figure 1: WebApp Secure Logically In-line with Web Site Traffic

    WebApp Secure Logically In-line with Web Site Traffic

    To configure Deploy with SRX, do the following:

    1. In the Web UI, under the Configuration menu, select Deploy With SRX.
    2. In the Easy Deployment with SRX window, select a Routing Mode in the Configure Routing tab. You can choose either OSPF (Open Shortest Path First) or BGP (Border Gatway Protocol). Routing Mode is disabled by default.
    3. Once you select a routing protocol, corresponding fields for configuring that protocol appear. For OSPF, you may configure the Area, Interface on the SRX, and Hello and Dead intervals. For BGP, you may configure the Hold time, Autonomous System number, and Interface IP. Regardless of the protocol you select, you may also configure a Routing Authentication key and the Interface on the WebApp Secure system that will be used. You cannot have both protocols active at the same time.

      Figure 2: Select and Configure OSPF

      Select and Configure OSPF

      Figure 3: Select and Configure BGP

      Select and Configure BGP
    4. After you have completed the protocol configuration on the WebApp Secure side, you must make some minor configuration changes on your SRX series. Under SRX configuration at the bottom of the window, if you select to Make Changes Automatically, when you click Save, WebApp Secure uses the NETCONF protocol to make the changes on the SRX series for you. Otherwise, you can select to Make Changes Manually. When you click the Save button, a code snippet is provided. You must manually run this code on your SRX series before continuing on to the next step.

      Figure 4: Make Changes Manually - Selected

      Make Changes Manually - Selected

      Figure 5: Make Changes Manually - Example Code Snippet

      Make Changes Manually - Example Code Snippet
    5. Once WebApp Secure and your SRX series are configured, you can deploy individual applications to use your chosen routing protocol. To do this, select the Deploy Applications tab. For each application you wish to deploy, select a listen IP address and protocol. Then click Save.

      Figure 6: Deploy Applications - Select Listen IP and Protocol

      Deploy Applications - Select Listen IP and Protocol

      Figure 7: Example - Test Output

      Example - Test Output

      Note: There must be a one-to-one match between a backend server IP and a listen IP, and if any applications share an IP, you will need to make the same choices for both IPs (configured or not configured) for each application that shares either IP. For example, if www.example.com and blogs.example.com share a listen IP and/or backend server, both of them must be configured to use or not use OSPF/BGP.

      Note: It is not possible to deploy an application without first setting a backend server at the application level; that is, the global backend server does not inherit in this case. You must claim the backend for the application by navigating to the application's configuration dashboard and clicking the "Override" button. If you do not have an application configured in WebApp Secure, you must configure one before you can use this feature.

    If you wish to stop using OSPF or BGP, you must first un-check all of the checkboxes in the Deploy Applications tab, click Save, and then navigate back to the Configure Routing tab to disable the protocol and make the necessary configuration changes to your SRX series.

    Figure 8: Manual Undeploy

    Manual Undeploy

    Figure 9: Manual Undeploy Commands

    Manual Undeploy Commands

    Limitations:

    • All traffic to the destination IP (running through WebApp Secure) will go through the WebApp Secure appliance - not only HTTP/HTTPS traffic.
    • All domains that point to a single IP will have to pass through WebApp Secure, even if the appliance will not modify the traffic on a particular domain.
    • Netconf over SSH must be enabled in order to use the Auto-Deploy method of deployment.
    • OSPF and BGP cannot both be configured at the same time.
     
     

    Published: 2015-02-04