Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Virtual Mist Edge Overview

You can run Juniper Mist Edge as a hypervisor on VMware to implement a virtual Mist Edge architecture using a Juniper Mist Edge appliance as the virtual machine (VM).

Hardware Specifications for a Mist Edge Virtual Machine

The following are the minimum hardware requirements to implement a Mist Edge VM.

Table 1: Hardware Specifications for a Mist Edge VM
Hardware Component Quantity or Capacity

4 vCPUs


32 GB

Hard disk

100 GB (thick provisioned)


Three virtual NICs

  • Supported VMware hypervisor—VMware ESXi, tested versions - 6.7.0, 7.0

  • CPU support—Juniper Mist Edge requires 1G HugePages support from the CPU. Hence, the minimum supported CPU is Intel Haswell family and above. Juniper Mist Edge does not work on older Intel CPUs or on AMD CPUs.

  • NIC Support—Juniper Mist Edge requires Data Plane Development Kit (DPDK) support. Please refer to to see if your NIC is supported.

  • Preferred NICs—Intel x520 Dual Port 10GbE SFP+, Intel i350 Dual Port 1GbE, rNDC Qlogic Quad Port 10GbE SFP+, and rNDC Intel i350


Contact Juniper Mist Sales team to obtain a link to Mist Edge ISO file for installation.

Virtual Network Interfaces

Juniper Mist Edge requires the following three virtual NIC interfaces:

  • Out-of-Band Management (OOBM) Port Group—To connect Juniper Mist Edge to the Juniper Mist™ cloud and Radius Proxy service.

  • Downstream (Tunnel IP) Port Group—To allow Mist Tunnel (L2TPv3 or IPSEC) establishment from a Mist access point (AP).

  • Upstream Port Group—To uplink to the wired network with all the VLANs that need to be extended for clients.

The following image illustrates virtual NIC interfaces:

Virtual Network Interfaces

Firewall Port Requirements

Configure the firewall to allow the following connections:

  • The OOBM interface must have outbound access to or (for the EU AWS environment) on TCP port 443.

  • The tunnel IP interface must allow incoming traffic on UDP Port 1701 (either the non IPsec campus or the branch use case).

  • For remote teleworker use cases with IPsec encryption, the tunnel IP interface must allow incoming traffic on UDP port 500 and UDP port 4500. Also, the firewall needs to execute port translation from outside to the tunnel IP address.

  • For a remote user in a Dot1x RadSec Proxy implementation, the OOBM interface should be able to access the RADIUS server. Also, the firewall must execute port translation on TCP port 2083 toward the tunnel IP address.