Add a Tenant

Basic Information

Name

Enter a unique name for the tenant. The name can contain alphanumeric characters, underscores, and hyphens, and must be less than 32 characters long.

For example, Ent_Tenant.

Password Policy

Password Expiration Days

Specify the duration (in days) after which the password will expire and must be changed.

Range: 1 through 365.

Default: 180.

Admin User

You must add an administrator user that can perform the administration tasks for that tenant.

First Name

Enter the first name of the administrator user.

Last Name

Enter the last name of the administrator user.

Username (Email)

Enter the e-mail address of the administrator user. The e-mail address will be the username that the administrator user will use to log in to the CSO portal.

After the tenant is added successfully, CSO sends an e-mail containing the link to the CSO portal and a link to set the password.

Roles

Select one or more roles (predefined or custom) that you want to assign to the tenant user, and click the right arrow (>) to move the selected role or roles from the Available column to the Selected column.

Services

Services for Tenant

Select the services that you want to be available for the tenant:

• SD-WAN—If you select SD-WAN, the tenant can add on-premise spoke sites (with SD-WAN capability), enterprise hub sites, and cloud spoke sites.

• Security Services—If you select NGFW (next-generation firewall), the tenant can add on-premise spoke sites with NGFW capability.

Service Level

Choose an SD-WAN service type for the tenant. The following options are available:

• Essential—Provides the basic SD-WAN services. This service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, or pool-based source NAT rules.

• Advanced—Provides complete SD-WAN services. All sites of the tenant are connected in full mesh or hub-and-spoke topology. This service includes Secure SD-WAN Essential service.

SSL Settings

This setting is applicable only to tenants with SD-WAN service.

Default SSL Proxy Profile

Click the toggle button to enable a default SSL proxy profile for the tenant. This option is disabled by default.

If you enable this option, you must add a root certificate.

If you enable this option and add the root certificate, the following items are created when a tenant is added:

• A default root certificate with the certificate content specified (in the Root Certificate field)

• A default SSL proxy profile

• A default SSL proxy profile intent that references the default profile

Root Certificate

You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content:

• To import the certificate content directly from a file:

  1. Click Browse.

     The File Upload dialog box appears.

  2. Select a file and click Open.

     The content of the certificate file is displayed in the Root Certificate field.

• Copy the certificate content from a file and paste it in the text box.

After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are added.

VPN Authentication

This setting is applicable only to tenants with SD-WAN service.

Authentication Type

Select the VPN authentication method to establish a secure IPsec tunnel:

• Preshared Key—Select this option if you want CSO to establish IPsec tunnels using keys. This is the default VPN authentication method.

  Note:

  When preshared key is used as the VPN authentication method, CSO generates a random preshared key for each IPsec tunnel and pushes the key to the two devices between which the IPsec tunnel is established.

• PKI Certificate—Select this option if you want CSO to establish IPsec tunnels using public key infrastructure (PKI) certificates. If you select this option, the following fields appear:

  • CA Server URL—Specify the Certificate Authority (CA) Server URL. For example, http://CA-Server-IP-Address/certsrv/mscep/mscep.dll/pkiclient.exe.

    The CA server manages the life cycle of a certificate. The CA server also publishes revoked certificates to the certification revocation list (CRL) server. To obtain trusted CA certificates, CSO communicates with the CA server using the Simple Certificate Enrollment Protocol (SCEP).

  • Password—Specify the password for the CA server. This field is optional.

  • CRL Server URL—Specify the certificate revocation list (CRL) server URL. For example, http://Revocation-List-Server-IP-Address/certservices/abc.crl. CSO retrieves the list of revoked certificates from the CRL server.

  • Auto Renew CA Certificates—Click the toggle button to enable automatic renewal of certificates. By default, the Auto Renew toggle button is disabled, which means that certificates must be manually renewed.

    If you enable the Auto Renew toggle button, certificates are automatically renewed for all sites in the tenant.

    Note:

    If the certificate is expired before the renewal, CSO might not be able to reach the device.

  • Renew before expiry—This field appears only if you enabled the automatic renewal of certificates.

    Select the period (3 days, 1 week, 2 weeks, or 1 month) before the expiration date when the certificates get automatically renewed.

    Note:

    The default value is 2 weeks. You can also change the duration in the VPN Authentication page in Customer Portal (Administration > Certificate Management > VPN Authentication) page.

Overlay Tunnel Encryption

This setting is applicable only to tenants with SD-WAN service (Advanced or Essential).

Encryption Type

For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the type of encryption to use:

• 3DES-CBC—Triple Data Encryption Standard with Cipher-Block Chaining (CBC) algorithm.

• AES-128-CBC—128-bit Advanced Encryption Standard with CBC algorithm.

• AES-128-GCM—128-bit Advanced Encryption Standard with Galois/Counter Mode (GCM) algorithm.

• AES-256-CBC—256-bit Advanced Encryption Standard with CBC algorithm. This is the default.

• AES-256-GCM—256-bit Advanced Encryption Standard with GCM algorithm.

Network Segmentation

This setting is applicable only to tenants with SD-WAN service.

Network Segmentation

In CSO, network segmentation, which is enabled by default, allows you to isolate the traffic of one department from another because CSO creates a unique Layer 3 VPN for each department. Enabling network segmentation also allows you to use overlapping IP addresses across departments.

Dynamic Mesh

This setting is applicable only to tenants with SD-WAN Advanced service.

Threshold for Creating a Tunnel

Set a threshold value, above which a tunnel is created between two sites.

Number of sessions

For creating dynamic tunnels, specify the threshold, which is the maximum number of sessions closed between two spoke sites in a two-minute duration. If the number of sessions closed between two spoke sites (in two minutes) exceeds the specified threshold, then a dynamic mesh tunnel is created between the spoke sites

The default threshold for tunnel creation value is 5.

Threshold for Deleting a Tunnel

Set a threshold value, below which a tunnel is deleted between two sites.

Number of sessions

For deleting tunnels, specify the threshold, which is the minimum number of sessions closed between two spoke sites in a 15-minute duration.

If the number of sessions closed between two spoke sites (in 15 minutes) is lesser than or equal to the specified threshold, then the dynamic mesh tunnel between two spoke sites is deleted

The default threshold value for tunnel deletion ) is 2.

Max Dynamic Mesh Tunnels

Max tunnels per CSO

Displays the maximum number of dynamic mesh tunnels that can be created in CSO. The total number of dynamic mesh tunnels that can be created by all tenants in a CSO instance is to 125,000.

A major alarm is raised if the number of dynamic mesh tunnels created by all tenants reaches 70 percent of the maximum value.

A critical alarm is raised if the number of dynamic mesh tunnels created by all tenants reaches 90 percent of the maximum value.

You can view the alarms on the Alarms page (Monitor > Alerts & Alarms > Alarms) in Administration Portal.

Max tunnels per tenant

Specify the maximum number of dynamic mesh tunnels that the tenant can add.

Range: 1 through 50,000.

A major alarm is raised if the number of dynamic mesh tunnels created by all sites in a tenant reaches 70 percent of the maximum value.

A critical alarm is raised if the number of dynamic mesh tunnels created by all sites in a tenant reaches 90 percent of the maximum value.

You can view alarms for the tenant on the Alarms page (Monitor > Alerts & Alarms > Alarms) in Customer Portal.

Dynamic Mesh

Click the toggle button to disable dynamic meshing between sites in the tenant. Dynamic meshing is enabled by default.

Cloud Breakout Settings

This setting is applicable only to tenants with SD-WAN Advanced service.

Customer Domain Name

Enter the domain name of the tenant. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels.

For example, juniper.example.com.

Quality of service settings

This setting is applicable only to tenants with SD-WAN service.

Class of Service

This setting is enabled by default, which means that CSO configures the class of service (CoS) parameters on an SD-WAN site (on-premise spoke, cloud spoke, or enterprise hub site) when you deploy the SD-WAN policy for the site. The CoS parameters are derived from the application traffic type profile associated with the path-based steering profile, SLA-based steering profile, or breakout profile, which is referenced in an SD-WAN policy intent.

You can click the toggle button to disable this setting, which means that CSO does not configure CoS parameters for SD-WAN sites, so no CoS parameters are applied to SD-WAN traffic. If you then want to apply CoS parameters on SD-WAN traffic, you must use configuration templates to configure and deploy CoS parameters on the SD-WAN sites.

Therefore, unless you want to apply customized CoS parameters by using configuration templates, we recommend that you do not disable this setting.

Advanced Settings (Optional)

Tenant-Owned Public IP Pool

You can add one or more public IPv4 subnets that are part of the tenant’s pool of public IPv4 addresses. The tenant IP pool addresses are assumed to be public IP addresses and represent public LAN subnets in SD-WAN on-premise spoke sites.

To add an IPv4 subnet:

1. Click the add (+) icon.

   An editable row appears inline in the table.

2. In the Addresses field, enter a valid, public IPv4 prefix.

   Note:

   Ensure that the IP addresses configured for a tenant are unique.

3. Click √ (check mark) to save your changes.

   The prefix that you entered is displayed in the table.

You can enter more IPv4 subnets by following the preceding procedure. You can also modify subnets that you entered by selecting a row and clicking the edit (pencil) icon. To delete a subnet, select the subnet and click the delete icon.

If you update the IP address pool of a tenant, CSO runs a job to automatically update and reprovision the tenant sites.

Tenant-Specific Attributes (Optional)

If you have set up a third-party provider edge (PE) device by using software other than CSO, then configure settings on that router by specifying custom properties (parameters) and its corresponding values.

Custom Properties

To add a custom property::

1. Click the add (+) icon.

   An editable row appears inline in the table.

2. In the Role Name field, enter the description of the parameter (property) that you want to pass to the third-party router.

3. In the Value field, enter the value of the parameter that you want to pass to the third-party router.

4. Click √ (check mark) to save your changes.

   The information that you entered is displayed in the table.