Juniper Mist Secure Edge Connector

Juniper Mist provides pre-built connectors specifically designed for the Juniper Networks® SRX Series Firewalls and Juniper® Session Smart™ Routers deployed as WAN edge devices. These connectors facilitate seamless integration with your Secure Service Edge (SSE) deployments. With minimal configuration, you can integrate the SSE into the Juniper Mist portal. As a result, your WAN Edge device establishes connections to the SSE using either IPsec or GRE protocols.

Figure 1: Traffic Inspection by Juniper Secure Edge

In this solution, an IPsec tunnel is configured between the WAN Edge device and SSE using the Secure Edge Connector within the WAN Edge template. Additionally, a BGP over IPsec connection is configured to dynamically learn routing destinations from the SSE device.

The following types of connectors are pre-built for you in the Juniper Mist portal:

  • Juniper Secure Edge (manual provisioning and auto provisioning)
  • Zscaler (manual provisioning and auto provisioning)
  • Custom

The high-level workflow for setting up Secure Edge Connectors with a Juniper Secure Edge, custom, or Zscaler deployment to offload traffic from your WAN edge device (SSR Series Routers or SRX Series Firewalls) is as follows:

  1. Create and deploy a basic branch template for device connectivity.

  2. Optionally configure a remote network in SSE. This step defines a remote source for inbound connectivity through the tunnel.

  3. Configure a Secure Edge Connector and provider in the device template. This step creates a custom IPsec tunnel to the remote location and defines the encryption parameters.

  4. Optionally configure a BGP peer to learn routes dynamically.

  5. Configure an Application to allow traffic to be steered toward the IPsec tunnel. This Application is used in an Application Policy to allow client networks to access the BGP-learned routes.

  6. Configure a Traffic Steering Policy to steer the Internet-bound traffic from the LAN side of a spoke or hub device to Secure Edge.

Application Policies for Secure Edge Connector

An Application Policy in the Juniper WAN Assurance design is a combination of Networks and Users as the source with Applications as the destination. These security rules define which networks and users can access these applications, and Traffic Steering defines which path the traffic should use.

To set up these policies, you need to create Networks, Applications, and Traffic Steering profiles. For outbound traffic, the Traffic Steering profile includes the Secure Edge Connector. For inbound use cases, where traffic initiates from the Secure Edge Connector, you include the remote network in the Secure Edge Connector and then use that network in an Application Policy to allow inbound access from the Secure Edge Connector. With this feature, you can securely connect to cloud-hosted services that need to initiate inbound traffic to a site.

Traffic Steering Profiles for Secure Edge Connector

Traffic Steering is required for a Secure Edge Connector (SEC) on both SRX Series Firewalls and Session Smart Routers before Juniper Mist creates the tunnels.

This requirement applies unless one of the following is true:

  • A remote network is assigned to a Secure Edge Connector
  • A BGP peer is assigned to a Secure Edge Connector

Dynamic Routing for Secure Edge Connectors

You can configure BGP peering over a Secure Edge Connector. This configuration leverages BGP for dynamic routing and uses BGP path selection to install routes in the route table. The high-level steps include:

  • Verify that your Secure Edge Connector is established and is configured using the custom Secure Edge provider.

  • Configure BGP import and export policies.

  • Configure BGP neighbor options.

  • Select the Secure Edge Connector for this BGP neighbor.

  • Assign import and export policies.

  • Verify that the BGP peers are exchanging routes over the tunnel interface.