Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configure Secure Edge Connectors for Session Smart Routers

Juniper® Secure Edge provides full-stack Security Service Edge (SSE) capabilities to protect access to web, SaaS, and on-premises applications and provide users with security workforce wherever they are with consistent threat protection and an optimized network experience, and security policies that follow users wherever they go. Secure Edge acts as an advanced cloud-based security scanner. It enables organizations to protect data and provide users with consistent, secure network access whether users are in the office, on campus, or on the move.

Figure 1: Juniper Secure Edge Juniper Secure Edge

Secure Edge capabilities are all managed by Juniper Security Director Cloud, Juniper’s simple and seamless management experience delivered in a single user interface (UI).

Figure 2: Traffic Inspection by Juniper Secure Edge Traffic Inspection by Juniper Secure Edge

For more information, see Juniper Secure Edge.

Secure Edge Connector Overview

The Juniper Mist™ cloud works with Juniper® Secure Edge to perform traffic inspection from edge devices by using the Secure Edge connector feature. This feature allows the Juniper® Session Smart™ Routers, deployed as WAN edge device, to send a portion of traffic to Juniper Secure Edge for an inspection.

In this task, you send the Internet-bound traffic from the LAN side of a spoke or hub device to Secure Edge for an inspection before the traffic reaches Internet.

To perform traffic inspection by Secure Edge:

  • In Security Director Cloud, create and configure the service locations, IPsec profiles, sites, and policies for Secure Edge. These are the cloud-based resources that provide security services and connectivity for the WAN edge devices.

  • In Mist Cloud, create and configure the WAN edge devices, such as a Session Smart Router, that connect to the LAN networks. These are the physical devices that provide routing, switching, and SD-WAN capabilities for the branches or campuses.

  • In Mist WAN-Edge, create and configure the Secure Edge tunnels that connect the WAN edge devices to the service locations. These are the IPsec tunnels that provide secure and reliable transport for the traffic that needs to be inspected by Secure Edge.

  • In Mist Cloud, assign the Secure Edge tunnels to the sites or device profiles that correspond to the WAN edge devices. This enables the traffic steering from the LAN networks to the Secure Edge cloud based on the defined data policies and other match criteria. Table 1

Topics in in the following table present the overview information you need to use the cloud-based security of Secure Edge with the Juniper Mist™ cloud.

Table 1: Secure Edge Connector Configuration Workflow
Step Task Description
1 Access Juniper Security Director Cloud and Check Active Subscriptions Access Juniper Security Director Cloud, go to your organization account, and check Secure Edge subscriptions. The subscription entitles you to configure Secure Edge services for your deployments.
2 Configure a Service Location in Juniper Security Director Cloud

Create service locations. This is where the vSRX-based VPN gateways creates secure connections between different networks.
3 Generate Device Certificates in Juniper Security Director Cloud Generate digital certificates for Juniper Secure Edge to establish secure communications between Secure Edge and user endpoints.
4 Create an IPsec Profile in Juniper Security Director Cloud Create IPsec profiles to establish IPsec tunnels for communication between the WAN edge devices on your Juniper Mist cloud network with Secure Edge instance.
5 Create a Site in Juniper Security Director Cloud Create a site that hosts a WAN edge device (Session Smart Router). The traffic from the device is forwarded to the Secure Edge instance through a secure tunnel for an inspection.
6 Deploy a Secure Edge Policy in Juniper Security Director Cloud Configure policies that define the security rules and actions for the traffic originating from or destined to the site
7 Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud Note down the details such as service location IP or hostname, the IPsec profile name, and the pre-shared key. You need these details to set up IPsec tunnels from Juniper Mist side.
8 Create Secure Edge Connectors in the Juniper Mist Cloud Portal Create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between WAN edge device managed by Mist and the Secure Edge instance.
9 Modify an Application Policy Create a new or change an existing application policy to direct the traffic from WAN edge device to the Internet through Juniper Security Director Cloud instead of going through a hub for centralized access.
10 Verify the Configuration Confirm if your configuration is working by checking the established IPsec tunnels in:
  • WAN Insights in Mist portal
  • Security Director Cloud dashboard
  • Tunnel traffic flow on the WAN edge device CLI.

Before You Begin

Access Juniper Security Director Cloud and Check Active Subscriptions

A tenant in Juniper Secure Edge is an organization account that you create to access the Juniper Security Director Cloud portal and manage your Secure Edge services. A tenant is associated with a unique e-mail address and a subscription plan. A tenant can have multiple service locations, which are vSRX based VPN gateways hosted in a public cloud for your organization.

A tenant can have one or more service locations, which are the connection points for end users. To create a tenant, you need to have an account on Juniper Security Director Cloud. See Create Your Secure Edge Tenant for details.

After you create your Secure Edge tenant in the Juniper Security Director Cloud portal, access the portal and check your subscriptions.

To access Juniper Security Director Cloud and check active subscriptions:

  1. Open the URL to the Juniper Security Director Cloud. Enter your e-mail address and password to log in and start using the Juniper Security Director Cloud portal.
    Figure 3: Access Juniper Security Director Cloud Access Juniper Security Director Cloud
  2. Select the required tenant in the upper right corner of the portal to continue.
  3. Select Administration > Subscriptions to access the Juniper Security Director Cloud subscriptions page.
    Figure 4: Secure Edge Subscriptions Secure Edge Subscriptions
  4. Scroll to the Secure Edge Subscriptions section to check whether you have an active subscription.
    Note: You do not need to click the SRX Management Subscription tab, even if you are using a Juniper Networks® SRX Series Firewall. In this task, you are not using Juniper Security Director Cloud for managing WAN edge devices.

    For details, see About the Subscriptions Page.

    Assuming that you have active subscriptions, continue with next steps.

Configure Service Locations

After ensuring that you have an active license to Juniper Security Director Cloud, you configure a service location. This is your first main task in setting up a Secure Edge connector for Session Smart Routers.

A service location in Juniper Security Director Cloud is also known as POP (point of presence) and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.

Service locations are places where vSRX creates secure connections between different networks using a public cloud service. The public IP address (unique per tenant and service location) is used to:

  • Set up an IPsec tunnel between the branch device and the Juniper Security Director Cloud.

  • Centrally distribute the traffic when the destination is on the Internet.

To configure a service location in Juniper Security Director Cloud:

  1. In Juniper Security Director Cloud menu, select Secure Edge>Service Management>Service Locations.

    The Service Locations page appears.

  2. Click the Add (+) icon to create a new service location.
    Enter the details for the following fields:

    • Region—Choose the geographic region where you want to create a Secure Edge instance.

    • PoP—Select the location for the Secure Edge in the region.

    • Number of Users—Enter the total possible number of users this service location may need to serve.

    Table 2 shows examples of service locations.

    Table 2: Service Location Fields
    Field Service Location Service Location
    Region North America North America
    PoP Ohio Oregon
    Number of Users 50 (we split the exiting equally) 50
  3. Click OK.

    Security Director Cloud creates a new service location and lists it on the Service Locations page.

    The status of the service location shows In Progress until the Secure Edge instance is fully deployed, as shown in Figure 5.

    Figure 5: Service Locations Status Service Locations Status

    When you create a new service location, the system starts the deployment of two vSRX instances as VPN gateways for your tenant system. In this deployment, vSRX instances are not shared with other tenants.

Generate Device Certificates in Juniper Security Director Cloud

Now that you have configured service locations in Juniper Security Director Cloud, you generate device certificates to secure network traffic.

You use a Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificate to establish secure communications between Secure Edge and WAN edge devices. All the client browsers on your network must trust the certificates signed by the Juniper Networks and SRX Series Firewalls to use an SSL proxy.

In Juniper Security Director Cloud, you have the following choices for generating certificates:

  • Create a new certificate signing request (CSR), and your own certificate authority (CA) can use the CSR to generate a new certificate.

  • Select the option to have Juniper Networks create a new certificate.

Note:

This topic describes how to generate a TLS/SSL certificate. How you import and use the certificate depends on your company's client-management requirements and is beyond the scope of this topic.

To generate device certificates in Juniper Security Director Cloud:

  1. Select Secure Edge>Service Administration>Certificate Management.

    The Certificate Management page appears.

    From the Generate list, you can generate either a new Certificate signing request (CSR) or a Juniper issued certificate.

    Figure 6: Certificate Management Certificate Management
  2. Select the relevant option:
    1. If your company has its own CA and you want to generate a CSR, click Certificate signing request.

      After Juniper Secure Edge generates CSR, download the CSR and submit it to your CA to generate a new certificate. Once generated, click Upload to upload the certificate on the Certificate Management page.

    2. If your company does not have its own CA, click Juniper issued certificate, and then click Generate to generate the certificate. Juniper Networks will generate and keep the certificate on the system.
      In this task, select Juniper issued certificate and continue with next step.
  3. Enter the certificate details. In the Common name field, use the certificate's fully qualified domain name (FQDN).
    Figure 7: Generate a Juniper-Issued Certificate Generate a Juniper-Issued Certificate

    The Certificate Management page opens with a message indicating that the certificate is created successfully.

  4. Download the generated certificate.
    Figure 8: Download the Certificate Download the Certificate

    The following sample shows the downloaded certificate:

    After you download the certificate to your system, add the certificate to client browsers.

Create an IPsec Profile in Juniper Security Director Cloud

After you generate the certificates to establish secure communications between Secure Edge and WAN edge devices, you're ready to create IPsec profiles.

IPsec profiles define the parameters with which an IPsec tunnel is established when the WAN edge devices on your Juniper Mist™ cloud network start communicating with your Secure Edge instance.

To create an IPsec profile in Juniper Security Director Cloud:

  1. In Juniper Security Director Cloud portal, select Secure Edge > Service Management > IPsec Profiles .
  2. Click the Add (+) icon to create an IPsec profile.
    The Create IPsec Profile page appears.
  3. For the profile name, use default-ipsec. Retain all default values for Internet Key Exchange (IKE) and IPsec; currently, they are not configurable on the Juniper Mist cloud portal.
    Figure 9: Create an IPsec Profile Create an IPsec Profile

    You use this IPsec profile to create a site in the next task. On the Create Site page, if you select IPsec as the tunnel type on the Traffic Forwarding tab, you will attach the IPsec profile.

Create a Site in Juniper Secure Edge cloud

You have now created IPsec profiles. These profiles define the parameters for the IPsec tunnel between WAN edge devices on your Juniper Mist™ cloud network and your Secure Edge instance.

At this point, you need to create a site in Juniper Security Director Cloud. A site represents a location that hosts a WAN edge device, such as an Session Smart Router. The traffic from the WAN edge device is forwarded to the Secure Edge instance through a secure tunnel, and then inspected and enforced by the Secure Edge cloud services.

You can configure to forward some or all of the Internet-bound traffic from customer sites to the Juniper Secure Edge cloud through generic routing encapsulation (GRE) or IPsec tunnels from the WAN edge devices at the site.

Note:

Overlapping branch addresses are not supported to the same POP within Secure Edge when using a stateful firewall at branch locations. Reverse path traffic to these overlapping IPs will be routed using equal-cost multipath (ECMP) across all connections. Traffic is routed using ECMP rather than per-session routing to the interface from which traffic originated. Consider reverse path traffic through ECMP when you configure the protected networks for a site.

To create a site in Juniper Security Director Cloud:

  1. In Juniper Security Director Cloud portal, select Secure Edge >Service Management > Sites.

    The Sites page appears.

  2. Click the Add (+) icon to create a site.
  3. Complete the Site Details page as follows:

    1. Enter a unique site name and a description.

    2. Select the corresponding country from the list where the site is located.

    3. (Optional) Enter the zip code where the customer branch is located.

    4. (Optional) Enter the location (street address) of the site.

    5. Select the number of users who can use the network at the site.

    6. In the Protected networks field, click the Add (+) icon to add the private IP address range of the interface to be used for traffic flow through the tunnel.

    Figure 10 and Table 3 show an example of a site.
    Figure 10: Create Site in Juniper Secure Edge Cloud Create Site in Juniper Secure Edge Cloud
    Table 3: Site-Creation Details
    Fields Values
    Primary service location jsec-oregon
    Secondary service location jsec-ohio
    Number of Users 10
    Name spoke1-site
    Country Germany
    Protected networks 10.99.99.0/24 (LAN network)
  4. Click Next.
  5. On the Traffic Forwarding page, enter the details according to the information provided in Figure 11
    Figure 11: Create Site: Traffic-Forwarding Details Create Site: Traffic-Forwarding Details
    Table 4: Details for Traffic Forwarding Policy
    Field Value
    Tunnel type IPsec
    IP address type Dynamic
    IPsec profile default-ipsec
    Pre-shared key

    Define a unique PSK for each site. Example: Juniper!1
    IKE ID site1@example.com (resembles an email address and must be a unique value for each site)
  6. Click Next.
  7. On the Site Configuration page, for the Device Type select Non-Juniper Device.
    Figure 12: Create Site-Site Configuration Create Site-Site Configuration

    You must select this option because the devices that the Juniper Mist cloud portal manages do not have their configuration pushed through Juniper Security Director Cloud.

  8. Click Next.
  9. On the Summary page, review the configuration.
    Figure 13: Create Site-Summary Create Site-Summary
  10. Click Back to edit any fields or Finish to create the new site.
  11. Add two more sites using the same procedure. The following paragraphs describe the details to include in each site.
    1. Create a second site with the details provided in Table 5 and Table 6.
      .
      Table 5: Site Creation for Second Site
      Fields Value
      Primary service location jsec-oregon
      Secondary service location jsec-oregon
      Number of Users 10
      Name spoke2-site
      Country Germany
      Protected networks 10.88.88.0/24 (LAN network)
      Table 6: Traffic Forwarding for Second Site
      Field Value
      Tunnel type IPsec
      IP address type Dynamic
      IPsec profile default-ipsec
      Pre-shared key

      Define a unique PSK for each site. Example: Juniper!1
      IKE ID site2@example.com (resembles an email address and must be a unique value for each site)
    2. Select Devices Type=Non-Juniper Device .
    3. Create a third site with details as provided in Table 7 and Table 8.
      Table 7: Create a Third Site: Site Details
      Fields Value
      Primary service location jsec-oregon
      Secondary service location jsec-ohio
      Number of Users 10
      Name spoke3-site
      Country Germany
      Protected networks 10.77.77.0/24 (LAN network)
      Table 8: Create a Third Site: Traffic-Forwarding Details
      Field Value
      Tunnel type IPsec
      IP address type Dynamic
      IPsec profile default-ipsec
      Pre-shared key

      Define a unique PSK for each site. Example: Juniper!1
      IKE ID site3@example.com (Resembles an email address and must be a unique value for each site)
    4. Select Devices Type=Non-Juniper Device .
  12. Review the Summary page. Modify any incorrect entries.
    #task_zvg_qcv_wxb__fig_ajm_y45_rxb displays the list of sites you created.

Deploy a Secure Edge Policy in Juniper Security Director Cloud

Now that you have created sites in Juniper Security Director Cloud, it's time to deploy one or more Juniper® Secure Edge policies.

Secure Edge policies specify how the network routes traffic. By default, when you create a new tenant, the Security Director Cloud creates a Secure Edge policy rule set with predefined rules.

Note:

Even if you do not change the default rule set, you must use the Deploy option to load the rules in your service locations.

To deploy a Secure Edge policy in Juniper Security Director Cloud:

  1. In Juniper Security Director Cloud portal, click Secure Edge > Security Policies.

    A Secure Edge Policy page with default rules appears. You modify the default security policy set for better debugging. The default rule set does not allow ICMP pings to the outside (Internet), preventing you from pinging anything through the cloud.

    Figure 14: Secure Edge Policy Details Secure Edge Policy Details
  2. Click the Add (+) icon to create a new rule, or select the existing rule and click the pencil icon to edit the rule.
  3. Give the new rule the Rule Name=Allow-ICMP.
  4. Click Add (+) to add sources.
    Under Sources, use the following default values:

    • Addresses=Any

    • User Groups=Any

  5. Click Add (+) to add destinations.
    Under Destinations, for Addresses, use the default value =Any.
  6. Under Applications/Services, configure the following values:

    • Applications=Any

    • Services=Specific (via search)

    • Specific Service=icmp-all

    Using the Right Arrow (>), move specific service=icmp-all to the right pane to activate it before you click OK.

  7. Configure Action=Permit, and retain the default values for the remaining fields.

    The system places the new rule at the bottom of the rules list and treats this rule as the last rule in the rule set. If the rule is placed after a global rule (that denies all traffic), it will never get applied, because the global rule stops all further traffic. Therefore, for this example you change the position of the rule by selecting the rule. Then, use the Move > Move > Move Top options to move the selected rule to the top of the rule set. Moving the rule to the top of the rule set ensures that the system applies this rule first.

    Note:

    Whenever you modify a rule set, ensure that you use the Deploy button to complete the task. Otherwise, service locations continue to use the outdated rule sets.

  8. Click Deploy.
  9. On the Deploy page, check the Run now option and click OK.

    Service locations get the updated rule set after few minutes.

  10. Select Administration > Jobs to view the status and progress of the deployed job.

Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud

In the preceding tasks, you completed several actions to set up an IPsec tunnels in Juniper Secure Edge and have deployed the Secure Edge policy in Juniper Security Director Cloud. The final step in Security Director Cloud is to collect configuration data for each site. You'll need these details to complete the secure edge connector configuration (Create Secure Edge Connectors in the Juniper Mist Cloud Portal) in the Juniper Mist™ cloud to set up an IPsec tunnel. In this step, you'll note down the details of the sites you created.

Note:

An automated configuration push to synchronize between Juniper Security Director Cloud and Juniper Mist cloud option not available.

To get IPsec tunnel configuration parameters to apply in Juniper Security Director Cloud:

  1. In Juniper Security Director Cloud portal, select Secure Edge >Service Management > Sites.
    The Site page opens, displaying deployed site details.
    Figure 15: Tunnel Configuration Details Tunnel Configuration Details
  2. For each spoke site, click the Tunnel Configuration option under Deployed Status, and then check the MIST Managed Device tab for information.

    Note down the following details, which you will use in Create Secure Edge Connectors in the Juniper Mist Cloud Portal:

    • Pre-Shared Key

    • Local ID

    • IP address and remote ID of each service location tunnel

    he following samples show extracted information for all three sites you created in Create a Site in Juniper Secure Edge cloud:

    The following sample is of the extracted information for site2:

    The following sample is of the extracted information for site3:

    You need these site details when you configure tunnels in the Mist cloud portal.

Create Secure Edge Connectors in the Juniper Mist Cloud Portal

You are about halfway to your ultimate goal of setting up a Secure Edge connector for the Session Smart Routers in Juniper Mist™.

You create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between WAN edge devices managed by Mist and Security Director Cloud. Before you create the connectors, ensure that your site has a deployed Session Smart Router.

To create Secure Edge connectors:

  1. In the Juniper Mist cloud portal, click WAN Edges.

    The WAN Edges page displays site details.

    Figure 16: Configure WAN Edge Configure WAN Edge
  2. Select a site with a deployed branch device.
  3. In the Secure Edge Connectors pane, click Add Provider.
    Figure 17: Secure Edge Connector Configuration Secure Edge Connector Configuration
  4. Enter Secure Edge connector details according to the details provided in Figure 18
    Note:

    Remember that these are same the details you gathered in Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud.
    Figure 18: Secure Edge Connector Details Secure Edge Connector Details
    Table 9: Secure Edge Connector Details
    Field Value
    Name site1-to-sdcloud
    Provider Juniper Secure Edge
    Local ID site1@example.com
    Pre-Shared Key Juniper!1 (example)
    Primary
    IP or Hostname <IP address> (from Juniper Security Director Cloud tunnel configuration)
    Probe IPs -
    Remote ID <UUID>.jsec-gen.juniper.net (rom Juniper Security Director Cloud tunnel configuration)
    WAN Interface

    • WAN0=INET

    • WAN1=MPLS
    Secondary
    IP or Hostname <IP address> from (From Juniper Security Director Cloud tunnel configuration)
    Probe IPs -
    Remote ID <UUID>.jsec-gen.juniper.net (from Juniper Security Director Cloud tunnel configuration)
    WAN Interface

    • WAN0=INET

    • WAN1=MPLS
    Mode Active-standby
    Note:

    You don't need to enter the probe IP values. IPsec tunnels do not need additional monitoring like GRE needs.
    Note:

    Do not enable ICMP Probe IPs for Session Smart Router-based Secure Edge configuration. The ICMP probes will be sourced from a non-routable IP address toward the Secure Edge and dropped due to policy. In addition, if the source addresses are overlapping at all branches, routing to more than one branch with a probe IP address is not supported.
    Note:

    The system generates text, application, and email descriptions automatically.
  5. Verify that the Mist cloud portal has added the Secure Edge connector you just configured.
  6. Add the traffic-steering paths

    Add a new traffic-steering path on the WAN edge template or WAN edge device, according to the values provided in Figure 19

    Figure 19: Add Traffic-Steering Options for Secure Edge Add Traffic-Steering Options for Secure Edge
    Table 10: Traffic-Steering Path Configuration
    Fields Value
    Name Cloud
    Strategy Ordered
    Paths Select Type and Destination
    Type Secure Edge Connector
    Provider Juniper Secure Edge
    Name site1-to-sdcloud

    Table 10 displays completed traffic-steering paths.

    Figure 20: Traffic-Steering Paths Traffic-Steering Paths

Modify an Application Policy

After you create Secure Edge connectors in the Juniper Mist™ cloud portal, next step is to modify application policies on the branch device. For example, you can allow traffic from a spoke device to a hub device. You can also allow traffic from a spoke device to another spoke device in the VPN tunnel. After that, you can send traffic from spokes to the Internet through Juniper Security Director Cloud instead of sending traffic from spokes to a hub for central breakout.

Use the following steps to confirm if the configuration is working:

  1. In the Juniper Mist cloud portal, go to Organization > WAN > Application Policy
    Figure 21: Change Application Policies Change Application Policies
  2. Select the policy that you want to modify, and apply the following changes

    • Check the Override Template Settings option.

    • Change the Traffic Steering to Cloud in the last rule (Internet-via-Cloud-CBO).

  3. Save the changes.
    Juniper Mist cloud builds new tunnels to Juniper Security Director Cloud.

Verify the Configuration

After you modify the application policy, now it is time to confirm that your configuration is working as expected. With the desired configuration saved, you can verify if Juniper Mist cloud routes the Internet-bound traffic from spokes to Juniper Security Director Cloud instead of routing it to a hub for central breakout.

To verify the configuration:

  1. (Optional) Depending on your environment, you can see the communication of the IPsec tunnel towards Juniper Security Director Cloud in CLI.

    Verify the established tunnels details WAN Insights of the device in Juniper Mist cloud portal.

    Figure 22: Secure Edge Connector with Tunnel Details Secure Edge Connector with Tunnel Details
    You can also check the established tunnels in the Juniper Security Director Cloud dashboard and in the service location.
  2. Check the new traffic flow using a VM desktop connected to the branch device. You can verify the traffic flow by using pings to the Internet.
    Note:

    You may experience latency depending on the physical distance between your WAN edge device and Juniper Secure Edge service location.
  3. Open a browser on a VM desktop and navigate to https://whatismyipaddress.com/ to view details about the source IP address used to route the Juniper Mist network traffic from a service location towards the Internet.

    Figure 23 and Figure 24 show traffic from the primary and secondary service locations.

    Figure 23: Traffic from Primary Service Location Traffic from Primary Service Location
    Figure 24: Traffic from Secondary Service Location Traffic from Secondary Service Location

    One of the two IP addresses of the service location is a public IP address and serves two purposes:

    • Terminates the IPsec tunnel

    • Routes traffic from branch devices to the Internet through Juniper Security Director Cloud

    You can view this same public IP address in the packet captures showing established tunnel to the service location using Juniper Security Director Cloud. See Verify the Configuration.

    Remember that a service location in Juniper Security Director Cloud is also known as POP and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.

Secure Edge Connector Auto Provisioning

Mist now offers automated Juniper Secure Edge connector tunnel provisioning. This feature allows you to effortlessly establish connections using predefined settings.

Prerequisites

Watch the following video to learn how to configure Juniper Secure Edge tunnel auto-provisioning:

Add Juniper Secure Edge Connector Credentials in Juniper Mist Portal

  1. Provide Juniper Secure Edge credential details in Juniper Mist portal.
    • On Juniper Mist portal, select Organization > Settings.
    • Scroll-down to Secure WAN Edge Integration pane and click Add Credentials.
    • In Add Provider window, enter the details.
      Figure 25: Add Credentials for Juniper Secure Edge Add Credentials for Juniper Secure Edge
      • Provider—Select JSE.
      • Email Address—Enter user name (email address) (Credentials of the user created on the Juniper Secure Edge portal)
      • Password—Enter password for the user name.
    • Click Add to continue.

Configure Juniper Secure Edge Tunnel Auto-Provisioning

  1. On Juniper Mist portal, go to Organization > WAN Edge Templates and click an existing template.
  2. Scroll-down to Secure Edge Connector.
  3. Click Add Providers
    Figure 26: Add Provider Add Provider
  4. In Add Provider window, select Juniper Secure Edge (Auto) for automatic provisioning.
    Figure 27: Select Juniper Secure Edge as Provider Select Juniper Secure Edge as Provider
    Enter the following details:
    • Name—Enter a name for the JSE tunnel.
    • Provider—Select Juniper Secure Edge (Auto).
    • Probe IP—Enter probe IPs (primary and secondary). Enter probe IP 8.8.8.8 or any other well-known probe IP address.
    • WAN Interface—Assign WAN interfaces under primary and secondary tunnel details for provisioning of primary and secondary tunnels.
  5. Click Add.
  6. In the Secure Edge Connector Auto Provision Settingsenter the details. This option is available only if you have configured Juniper Secure Edge as provider in the previous step.
    Figure 28: Secure Edge Connector Auto Provision Settings Secure Edge Connector Auto Provision Settings

    • Number of Users—Enter the maximum number of users supported by the JSE tunnel

    • Organization Name—Enter the organization name. The drop-down box displays all organizations associated with the user name in Juniper Secure Edge account. This is the same user name that you have entered in Juniper Secure Edge credential in Organization > Settings. See step 1 for details.

  7. Click Add to continue.

When you assign a template enabled with the Juniper Secure Edge (Auto) option to a site, an associated JSE site (location object) is automatically created and a tunnel from the device to the closest network point of presence (POP) is brought up.

For the Secure Edge Connector configuration to take effect, you must create an application policy with Mist Secure Edge Connector-to-Juniper Secure Edge traffic steering.

Verify Juniper Secure Edge Tunnels

On Juniper Mist portal, you can verify the established tunnels details in WAN Insights of the device once WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.

Figure 29: WAN Edge Events WAN Edge Events

Get the established tunnels status details in WAN Edges > WAN Edge Insights page Juniper Mist cloud portal.

Figure 30: Established Secure Edge Tunnels Established Secure Edge Tunnels

You can check the established tunnels in the Juniper Security Director Cloud dashboard and in the service location.

See Also