outbound-https

Syntax

Hierarchy Level

Description

Configure a device running Junos OS that’s behind a firewall to initiate outbound HTTPS connections to communicate with client management applications on the other side of the firewall. The outbound-https configuration is consumed by the outbound HTTPS extension service. You must configure this service at the [edit system extensions extension-service application file nc_grpc_app.pyc] hierarchy level in order to initiate the outbound HTTPS connections.

When you configure and start the outbound HTTPS extension service on supported devices running Junos OS, the extension service uses the outbound-https configuration to connect to and authenticate each configured client, which corresponds to a gRPC server running on a network management system. The device and gRPC server establish a persistent HTTPS connection over a TLS-encrypted gRPC session. The device authenticates the gRPC server using an X.509 digital certificate, and the gRPC server uses the device-id and shared-secret values to authenticate the device running Junos OS. An outbound HTTPS client can establish multiple NETCONF or shell sessions with the device.

You can configure multiple outbound HTTPS clients, and you can configure one or more backup gRPC servers for each client. The device connects to only one gRPC server in the client’s server list at any one time.

Options

client client-id

Define a device-initiated outbound HTTPS connection.

This value serves to uniquely identify the outbound-https configuration stanza. Each stanza represents a connection to a single outbound HTTPS client. Thus, the administrator is free to assign the client-id any meaningful unique value. This attribute is not sent to the client management application.

address

Hostname or IPv4 address of the gRPC server running on the network management system.

The hostname or IP address must match the value of the Common Name (CN) field or the SubjectAltName IP Address field, respectively, in that gRPC server's X.509 certificate. You can configure multiple backup gRPC servers, but the device only connects to one server in the list at any given time.

You must configure the following connection parameters for each server:

  • port port—Port on which the gRPC server is listening for outbound HTTPS connection requests.

  • trusted-cert trusted-cert—Certificate information used to authenticate the gRPC server’s X.509 certificate.

    If the server’s certificate is self-signed, configure the contents of the gRPC server’s certificate, omitting any newlines.

    If the server’s certificate is authenticated using a certificate chain, concatenate any intermediate CA and root CA certificates in that order, remove all newlines, and configure the resulting single string.
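The following Python sketch is an added example, not Juniper code. It builds the single-line trusted-cert string described above from PEM input, keeping the order given and refusing any block that is not a certificate (for example, a private key pasted by mistake). It assumes the certificates are PEM-encoded and that the BEGIN/END marker lines are kept, which is what removing only the newlines produces. The function names and the sample certificate bodies are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN <label>, base64 body, END <same label>.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def flatten_trusted_cert(*pem_texts):
    """Return the newline-free string to configure as trusted-cert.

    Pass PEM text in the order the statement requires: for a chain, the
    intermediate CA certificate(s) first and the root CA last; for a
    self-signed server, that server's certificate only.
    """
    parts = []
    for text in pem_texts:
        blocks = PEM_BLOCK.findall(text)
        if not blocks:
            raise ValueError("no PEM block found in input")
        for label, body in blocks:
            if label != "CERTIFICATE":
                # Key material must never end up in device configuration.
                raise ValueError("refusing non-certificate block: " + label)
            b64 = "".join(body.split())              # drops \n, \r and spaces
            der = base64.b64decode(b64, validate=True)
            if not der.startswith(b"\x30"):          # DER SEQUENCE tag
                raise ValueError("block body is not DER-encoded")
            parts.append("-----BEGIN CERTIFICATE-----" + b64 +
                         "-----END CERTIFICATE-----")
    return "".join(parts)

def constructed_pem(tag):
    """Build a PEM-shaped placeholder (constructed bytes, not a real cert)."""
    der = b"\x30\x82\x01\x0a" + tag * 20
    return ("-----BEGIN CERTIFICATE-----\n" +
            base64.encodebytes(der).decode() +
            "-----END CERTIFICATE-----\n")

# Constructed sample input standing in for the CA files of a real chain.
INTERMEDIATE_PEM = constructed_pem(b"INTERMEDIATE")
ROOT_PEM = constructed_pem(b"ROOT")

if __name__ == "__main__":
    print(flatten_trusted_cert(INTERMEDIATE_PEM, ROOT_PEM))
```
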

device-id device-id

Identifies the device running Junos OS to the management application. Each time the device establishes an outbound HTTPS connection, it sends its device identifier and shared secret to the management application, and the management application uses the values to authenticate the device.

reconnect-strategy (in-order | sticky)

(Optional) Method used to reestablish a disconnected outbound HTTPS connection.

  • Values:

    • in-order—Attempt to reconnect to the first server in the list. If the server is unavailable, attempt to connect to the next server in the list, and so on, until the device establishes a connection.

    • sticky—Attempt to reconnect to the server to which the device was last connected. If the server is unavailable, attempt to connect to the next server in the list, and so on, until the device establishes a connection.

  • Default: in-order

secret password

Shared secret between the device running Junos OS and the management application. Each time the device establishes an outbound HTTPS connection, it sends its device identifier and shared secret to the management application, and the management application uses the values to authenticate the device.

waittime seconds

Number of seconds that the device waits before attempting to connect or reconnect to the servers in the list if none of the servers are available. That is, if the device reaches the end of the configured server list and cannot establish a connection, it waits the specified number of seconds before again attempting to connect to each server in the list, starting from the top.

  • Default: 30 seconds

  • Range: 0 through 4,294,967,295 seconds

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.3R1.