
Setup Secure Edge Connector with Juniper Secure Edge (Manual Provisioning)

The Juniper Mist™ cloud works with Juniper® Secure Edge to perform traffic inspection for edge devices by using the Secure Edge connector feature. This feature allows Juniper® Session Smart™ Routers, deployed as WAN edge devices, to send a portion of their traffic to Juniper Secure Edge for inspection.

Secure Edge capabilities are all managed by Juniper Security Director Cloud, Juniper’s simple and seamless management experience delivered in a single user interface (UI).

For more information, see Juniper Secure Edge.

Configuration Overview

In this task, you send the Internet-bound traffic from the LAN side of a spoke or hub device to Secure Edge for inspection before the traffic reaches the Internet.

To perform traffic inspection by Secure Edge:

  • In Juniper Security Director Cloud, create and configure the service locations, IPsec profiles, sites, and policies for Secure Edge. These are the cloud-based resources that provide security services and connectivity for the WAN edge devices.

  • In Mist Cloud, create and configure the WAN edge devices (Session Smart Routers or SRX Series Firewalls) that connect to the LAN networks. These are the physical devices that provide routing, switching, and SD-WAN capabilities for the branches or campuses.

  • In Mist WAN-Edge, create and configure the Secure Edge tunnels that connect the WAN edge devices to the service locations. These are the IPsec tunnels that provide secure and reliable transport for the traffic that needs to be inspected by Secure Edge.

  • In Mist Cloud, assign the Secure Edge tunnels to the sites or device profiles that correspond to the WAN edge devices. This enables the traffic steering from the LAN networks to the Secure Edge cloud based on the defined data policies and other match criteria.

Topics in the following table present the overview information you need to use the cloud-based security of Secure Edge with the Juniper Mist™ cloud.

Table 1: Secure Edge Connector Configuration Workflow
Step Task Description
1 Access Juniper Security Director Cloud and Check Active Subscriptions Access Juniper Security Director Cloud, go to your organization account, and check the Secure Edge subscriptions. The subscription entitles you to configure Secure Edge services for your deployments.
2 Configure a Service Location in Juniper Security Director Cloud Create service locations. These are where the vSRX-based VPN gateways create secure connections between different networks.
3 Generate Device Certificates in Juniper Security Director Cloud Generate digital certificates for Juniper Secure Edge to establish secure communications between Secure Edge and user endpoints.
4 Create an IPsec Profile in Juniper Security Director Cloud Create IPsec profiles to establish IPsec tunnels for communication between the WAN edge devices on your Juniper Mist cloud network and the Secure Edge instance.
5 Create a Site in Juniper Security Director Cloud Create a site that hosts a WAN edge device (Session Smart Router or SRX Series Firewall). The traffic from the device is forwarded to the Secure Edge instance through a secure tunnel for inspection.
6 Deploy a Secure Edge Policy in Juniper Security Director Cloud Configure policies that define the security rules and actions for the traffic originating from or destined to the site.
7 Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud Note down details such as the service location IP address or hostname, the IPsec profile name, and the pre-shared key. You need these details to set up the IPsec tunnels from the Juniper Mist side.
8 Create Secure Edge Connectors in the Juniper Mist Cloud Portal Create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between a WAN edge device managed by Mist and the Secure Edge instance.
9 Modify an Application Policy Create a new application policy, or change an existing one, to direct traffic from the WAN edge device to the Internet through Juniper Security Director Cloud instead of through a hub for centralized access.
10 Verify the Configuration Confirm that your configuration is working by checking the established IPsec tunnels in:
  • WAN Insights in the Mist portal
  • The Security Director Cloud dashboard
  • The tunnel traffic flow on the WAN edge device CLI

Before You Begin

Access Juniper Security Director Cloud and Check Active Subscriptions

A tenant in Juniper Secure Edge is an organization account that you create to access the Juniper Security Director Cloud portal and manage your Secure Edge services. A tenant is associated with a unique e-mail address and a subscription plan. A tenant can have one or more service locations, which are vSRX-based VPN gateways hosted in a public cloud for your organization and serve as the connection points for end users.

To create a tenant, you need an account on Juniper Security Director Cloud. See Create Your Secure Edge Tenant for details.

After you create your Secure Edge tenant in the Juniper Security Director Cloud portal, access the portal and check your subscriptions.

To access Juniper Security Director Cloud and check active subscriptions:

  1. Open the URL to the Juniper Security Director Cloud. Enter your e-mail address and password to log in and start using the Juniper Security Director Cloud portal.
    Figure 1: Access Juniper Security Director Cloud
  2. Select the required tenant in the upper right corner of the portal to continue.
  3. Select Administration > Subscriptions to access the Juniper Security Director Cloud subscriptions page.
    Figure 2: Secure Edge Subscriptions
  4. Scroll to the Secure Edge Subscriptions section to check whether you have an active subscription.
    Note: You do not need to click the SRX Management Subscription tab, even if you are using a Juniper Networks® SRX Series Firewall. In this task, you are not using Juniper Security Director Cloud for managing WAN edge devices.

    For details, see About the Subscriptions Page.

    Assuming that you have active subscriptions, continue with the next steps.

Configure Service Locations

After ensuring that you have an active license to Juniper Security Director Cloud, you configure a service location. This step is your first main task in setting up a Secure Edge connector for Session Smart Routers.

A service location in Juniper Security Director Cloud is also known as POP (point of presence) and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.

Service locations are places where vSRX creates secure connections between different networks using a public cloud service. The public IP address (unique per tenant and service location) is used to:

  • Set up an IPsec tunnel between the branch device and the Juniper Security Director Cloud.

  • Centrally distribute the traffic when the destination is on the Internet.

To configure a service location in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud menu, select Secure Edge > Service Management > Service Locations.

    The Service Locations page appears.

  2. Click the Add (+) icon to create a new service location.
    Enter the details for the following fields:
    • Region—Choose the geographic region where you want to create a Secure Edge instance.

    • PoP—Select the location for the Secure Edge in the region.

    • Number of Users—Enter the total possible number of users this service location may need to serve.

    Table 2 shows examples of service locations.

    Table 2: Service Location Fields
    Field Service Location Service Location
    Region North America North America
    PoP Ohio Oregon
    Number of Users 50 (the existing users are split equally) 50
  3. Click OK.

    Security Director Cloud creates a service location and lists it on the Service Locations page.

    The status of the service location shows In Progress until the Secure Edge instance is fully deployed, as shown in Figure 3.

    Figure 3: Service Locations Status

    When you create a service location, the system starts the deployment of two vSRX instances as VPN gateways for your tenant system. In this deployment, vSRX instances are not shared with other tenants.

Generate Device Certificates in Juniper Security Director Cloud

Now that you have configured service locations in Juniper Security Director Cloud, you generate device certificates to secure network traffic.

You use a Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificate to establish secure communications between Secure Edge and WAN edge devices. To use an SSL proxy, all client browsers on your network must trust the certificates signed by Juniper Networks and the SRX Series Firewalls.

In Juniper Security Director Cloud, you have the following choices for generating certificates:

  • Create a new certificate signing request (CSR), and your own certificate authority (CA) can use the CSR to generate a new certificate.

  • Select the option to have Juniper Networks create a certificate.

Note:

This topic describes how to generate a TLS/SSL certificate. How you import and use the certificate depends on your company's client-management requirements and is beyond the scope of this topic.

To generate device certificates in Juniper Security Director Cloud:

  1. Select Secure Edge>Service Administration>Certificate Management.

    The Certificate Management page appears.

    From the Generate list, you can generate either a new Certificate signing request (CSR) or a Juniper issued certificate.

    Figure 4: Certificate Management
  2. Select the relevant option:
    1. If your company has its own CA, and you want to generate a CSR, click Certificate signing request.

      After Juniper Secure Edge generates the CSR, download the CSR and submit it to your CA to generate a new certificate. Once the certificate is generated, click Upload to upload it on the Certificate Management page.

    2. If your company does not have its own CA, click Juniper issued certificate, and then click Generate to generate the certificate. Juniper Networks will generate and keep the certificate on the system.
      In this task, select Juniper issued certificate and continue with the next step.
  3. Enter the certificate details. In the Common name field, use the certificate's fully qualified domain name (FQDN).
    Figure 5: Generate a Juniper-Issued Certificate

    The Certificate Management page opens with a message indicating that the certificate is created successfully.

  4. Download the generated certificate.
    Figure 6: Download the Certificate

    The following sample shows the downloaded certificate:

    After you download the certificate to your system, add the certificate to client browsers.

Create an IPsec Profile in Juniper Security Director Cloud

After you generate the certificates to establish secure communications between Secure Edge and WAN edge devices, you're ready to create IPsec profiles.

IPsec profiles define the parameters with which an IPsec tunnel is established when the WAN edge devices on your Juniper Mist™ cloud network start communicating with your Secure Edge instance.

To create an IPsec profile in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, select Secure Edge > Service Management > IPsec Profiles.
  2. Click the Add (+) icon to create an IPsec profile.
    The Create IPsec Profile page appears.
  3. For the profile name, use default-ipsec. Retain all default values for Internet Key Exchange (IKE) and IPsec; currently, they are not configurable on the Juniper Mist cloud portal.
    Figure 7: Create an IPsec Profile

    You use this IPsec profile to create a site in the next task. On the Create Site page, if you select IPsec as the tunnel type on the Traffic Forwarding tab, you will attach the IPsec profile.

Create a Site in Juniper Secure Edge Cloud

You have now created IPsec profiles. These profiles define the parameters for the IPsec tunnel between WAN edge devices on your Juniper Mist™ cloud network and your Secure Edge instance.

At this point, you need to create a site in Juniper Security Director Cloud. A site represents a location that hosts a WAN edge device. The traffic from the WAN edge device is forwarded to the Secure Edge instance through a secure tunnel, and then inspected and enforced by the Secure Edge cloud services.

You can configure the WAN edge devices at a customer site to forward some or all of the site's Internet-bound traffic to the Juniper Secure Edge cloud through generic routing encapsulation (GRE) or IPsec tunnels.

Note:

Overlapping branch addresses are not supported to the same POP within Secure Edge when using a stateful firewall at branch locations. Reverse path traffic to these overlapping IPs will be routed using equal-cost multipath (ECMP) across all connections. Traffic is routed using ECMP rather than per-session routing to the interface from which traffic originated. Consider reverse path traffic through ECMP when you configure the protected networks for a site.

To create a site in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, select Secure Edge > Service Management > Sites.

    The Sites page appears.

  2. Click the Add (+) icon to create a site.
  3. Complete the Site Details page as follows:
    1. Enter a unique site name and a description.

    2. Select the corresponding country from the list where the site is located.

    3. (Optional) Enter the zip code where the customer branch is located.

    4. (Optional) Enter the location (street address) of the site.

    5. Select the number of users who can use the network at the site.

    6. In the Protected networks field, click the Add (+) icon to add the private IP address range of the interface to be used for traffic flow through the tunnel.

    Figure 8 and Table 3 show an example of a site.
    Figure 8: Create Site in Juniper Secure Edge Cloud
    Table 3: Site-Creation Details
    Fields Values
    Primary service location jsec-oregon
    Secondary service location jsec-ohio
    Number of Users 10
    Name spoke1-site
    Country Germany
    Protected networks 10.99.99.0/24 (LAN network)
  4. Click Next.
  5. On the Traffic Forwarding page, enter the details according to the information provided in Figure 9 and Table 4.
    Figure 9: Create Site: Traffic-Forwarding Details
    Table 4: Details for Traffic Forwarding Policy
    Field Value
    Tunnel type IPsec
    IP address type Dynamic (for the Static IP address type, you need to provide the device IP address in the Site IP address field)
    IPsec profile default-ipsec (if you do not have a preconfigured IPsec profile, click Create IPsec Profile to create one)
    Pre-shared key Define a unique PSK for each site. Example: Juniper!1
    IKE ID site1@example.com (resembles an email address and must be a unique value for each site)
  6. Click Next.
  7. On the Site Configuration page, for the Device Type select Non-Juniper Device.
    Figure 10: Create Site-Site Configuration

    You must select this option because the devices that the Juniper Mist cloud portal manages do not have their configuration pushed through Juniper Security Director Cloud.

  8. Click Next.
  9. On the Summary page, review the configuration.
    Figure 11: Create Site-Summary
  10. Click Back to edit any fields or Finish to create the new site.
  11. Add two more sites using the same procedure. The following paragraphs describe the details to include in each site.
    1. Create a second site with the details provided in Table 5 and Table 6.
      Table 5: Site Creation for Second Site
      Fields Value
      Primary service location jsec-oregon
      Secondary service location jsec-oregon
      Number of Users 10
      Name spoke2-site
      Country Germany
      Protected networks 10.88.88.0/24 (LAN network)
      Table 6: Traffic Forwarding for Second Site
      Field Value
      Tunnel type IPsec
      IP address type Dynamic
      IPsec profile default-ipsec
      Pre-shared key Define a unique PSK for each site. Example: Juniper!1
      IKE ID site2@example.com (resembles an email address and must be a unique value for each site)
    2. Select Device Type=Non-Juniper Device.
    3. Create a third site with details as provided in Table 7 and Table 8.
      Table 7: Create a Third Site: Site Details
      Fields Value
      Primary service location jsec-oregon
      Secondary service location jsec-ohio
      Number of Users 10
      Name spoke3-site
      Country Germany
      Protected networks 10.77.77.0/24 (LAN network)
      Table 8: Create a Third Site: Traffic-Forwarding Details
      Field Value
      Tunnel type IPsec
      IP address type Dynamic
      IPsec profile default-ipsec
      Pre-shared key Define a unique PSK for each site. Example: Juniper!1
      IKE ID site3@example.com (resembles an email address and must be a unique value for each site)
    4. Select Device Type=Non-Juniper Device.
  12. Review the Summary page. Modify any incorrect entries.
    Figure 12 displays the list of sites you created.
    Figure 12: Summary of Created Sites
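As an added example that is not part of this Juniper page, the following Python script pre-checks a site inventory like the one built in Tables 3 to 8 for the two conditions the procedure warns about: protected networks that overlap between sites sharing a service location (the note above on ECMP reverse-path routing), and IKE IDs or pre-shared keys reused across sites. The site records are constructed; the first three mirror the page's example sites and deliberately all carry the page's example PSK, and spoke4-site with its placeholder PSK is an extra constructed record.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed site inventory (not from the page's exported configuration). The
# first three records mirror the page's example sites (Tables 3 to 8); all three
# carry the page's example PSK "Juniper!1" so the check can show why the page
# insists on a unique PSK per site. spoke4-site is an extra constructed record
# whose protected network overlaps spoke1-site on both of the POPs they share.
SITES = [
    {"name": "spoke1-site", "primary": "jsec-oregon", "secondary": "jsec-ohio",
     "protected": ["10.99.99.0/24"], "ike_id": "site1@example.com", "psk": "Juniper!1"},
    {"name": "spoke2-site", "primary": "jsec-oregon", "secondary": "jsec-oregon",
     "protected": ["10.88.88.0/24"], "ike_id": "site2@example.com", "psk": "Juniper!1"},
    {"name": "spoke3-site", "primary": "jsec-oregon", "secondary": "jsec-ohio",
     "protected": ["10.77.77.0/24"], "ike_id": "site3@example.com", "psk": "Juniper!1"},
    {"name": "spoke4-site", "primary": "jsec-oregon", "secondary": "jsec-ohio",
     "protected": ["10.99.99.0/25"], "ike_id": "site4@example.com", "psk": "PSK-PLACEHOLDER-4"},
]


def service_locations(site):
    """The set of POPs a site can terminate tunnels on (primary and secondary)."""
    return {site["primary"], site["secondary"]}


def overlapping_networks(sites):
    """Find protected-network overlaps between sites that share a service location.

    Returns a list of (site_a, site_b, pop, net_a, net_b) tuples. Overlap on a
    shared POP is what the page flags: reverse-path traffic for the overlapping
    addresses is spread by ECMP across all tunnels instead of returning to the
    branch it came from.
    """
    findings = []
    for a, b in combinations(sites, 2):
        shared = service_locations(a) & service_locations(b)
        if not shared:
            continue  # no common POP, so the page's overlap restriction does not apply
        for net_a in a["protected"]:
            for net_b in b["protected"]:
                if ip_network(net_a, strict=False).overlaps(ip_network(net_b, strict=False)):
                    for pop in sorted(shared):
                        findings.append((a["name"], b["name"], pop, net_a, net_b))
    return findings


def duplicate_values(sites, field):
    """Map each value of `field` that more than one site uses to those site names."""
    users = {}
    for site in sites:
        users.setdefault(site[field], []).append(site["name"])
    return {value: names for value, names in users.items() if len(names) > 1}


def check_sites(sites):
    """Run all checks and return human-readable findings (an empty list means clean)."""
    report = []
    for a, b, pop, net_a, net_b in overlapping_networks(sites):
        report.append(f"OVERLAP on {pop}: {a} {net_a} overlaps {b} {net_b}")
    for field in ("ike_id", "psk"):
        for value, names in duplicate_values(sites, field).items():
            # IKE IDs must be unique per site; a PSK shared across sites means one
            # compromised branch exposes the tunnel credential of every other.
            report.append(f"DUPLICATE {field}: {value!r} used by {', '.join(names)}")
    return report


if __name__ == "__main__":
    for line in check_sites(SITES):
        print(line)
```

Run it on an exported site list before creating the Mist-side connectors; a clean run returns an empty report.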

Deploy a Secure Edge Policy in Juniper Security Director Cloud

Now that you have created sites in Juniper Security Director Cloud, it's time to deploy one or more Juniper® Secure Edge policies.

Secure Edge policies specify how the network routes traffic. By default, when you create a new tenant, the Security Director Cloud creates a Secure Edge policy rule set with predefined rules.

Note:

Even if you do not change the default rule set, you must use the Deploy option to load the rules in your service locations.

To deploy a Secure Edge policy in Juniper Security Director Cloud:

  1. In Juniper Security Director Cloud portal, click Secure Edge > Security Policies.

    A Secure Edge Policy page with default rules appears. You modify the default security policy set for better debugging. The default rule set does not allow ICMP pings to the outside (Internet), preventing you from pinging anything through the cloud.

    Figure 13: Secure Edge Policy Details
  2. Click the Add (+) icon to create a rule, or select the existing rule and click the pencil icon to edit the rule.
  3. Give the new rule the Rule Name=Allow-ICMP.
  4. Click Add (+) to add sources.
    Under Sources, use the following default values:
    • Addresses=Any

    • User Groups=Any

  5. Click Add (+) to add destinations.
    Under Destinations, for Addresses, use the default value =Any.
  6. Under Applications/Services, configure the following values:
    • Applications=Any

    • Services=Specific (via search)

    • Specific Service=icmp-all

    Using the Right Arrow (>), move specific service=icmp-all to the right pane to activate it before you click OK.

  7. Configure Action=Permit, and retain the default values for the remaining fields.

    The system places the new rule at the bottom of the rules list and treats this rule as the last rule in the rule set. If the rule is placed after a global rule (that denies all traffic), it will never get applied, because the global rule stops all further traffic. Therefore, for this example you change the position of the rule by selecting the rule. Then, use the Move > Move > Move Top options to move the selected rule to the top of the rule set. Moving the rule to the top of the rule set ensures that the system applies this rule first.

    Note:

    Whenever you modify a rule set, ensure that you use the Deploy button to complete the task. Otherwise, service locations continue to use the outdated rule sets.

  8. Click Deploy.
  9. On the Deploy page, check the Run now option and click OK.

    Service locations get the updated rule set after a few minutes.

  10. Select Administration > Jobs to view the status and progress of the deployed job.

Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud

In the preceding tasks, you completed several actions to set up IPsec tunnels in Juniper Secure Edge and deployed the Secure Edge policy in Juniper Security Director Cloud. The final step in Security Director Cloud is to collect configuration data for each site. You'll need these details to complete the Secure Edge connector configuration (Create Secure Edge Connectors in the Juniper Mist Cloud Portal) in the Juniper Mist™ cloud and set up the IPsec tunnel. In this step, you'll note down the details of the sites you created.

Note:

An automated configuration push that synchronizes Juniper Security Director Cloud with the Juniper Mist cloud is not available.

To get IPsec tunnel configuration parameters to apply in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, select Secure Edge > Service Management > Sites.
    The Site page opens, displaying deployed site details.
    Figure 14: Tunnel Configuration Details
  2. For each spoke site, click the Tunnel Configuration option under Deployed Status, and then check the MIST Managed Device tab for information.

    Note down the following details, which you will use in Create Secure Edge Connectors in the Juniper Mist Cloud Portal:

    • Pre-Shared Key

    • Local ID

    • IP address and remote ID of each service location tunnel

    The following samples show the extracted information for all three sites you created in Create a Site in Juniper Secure Edge Cloud:

    The following sample is of the extracted information for site2:

    The following sample is of the extracted information for site3:

    You need these site details when you configure tunnels in the Mist cloud portal.

Create Secure Edge Connectors in the Juniper Mist Cloud Portal

You are about halfway to your ultimate goal of setting up a Secure Edge connector for the Session Smart Routers or SRX Series Firewalls in Juniper Mist™.

You create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between WAN edge devices managed by Mist and Security Director Cloud. Before you create the connectors, ensure that your site has a deployed WAN edge device.

To create Secure Edge connectors:

  1. In the Juniper Mist cloud portal, click WAN Edges.

    The WAN Edges page displays site details.

    Figure 15: Configure WAN Edge
  2. Click the device and scroll down to Secure Edge Connectors.
  3. In the Secure Edge Connectors pane, click Add Provider.
  4. Enter Secure Edge connector details.
    Note:

    Remember that these are the same details you gathered in Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud.

    Figure 16: Secure Edge Connector Configuration
    Figure 17: Secure Edge Connector Configuration (Continued)
    Table 9: Secure Edge Connector Details
    Field Value
    Name site1-to-sdcloud
    Provider Juniper Secure Edge
    Local ID site1@example.com
    Pre-Shared Key Juniper!1 (example)
    Primary
    IP or Hostname <IP address> (from Juniper Security Director Cloud tunnel configuration)
    Probe IPs -
    Remote ID <UUID>.jsec-gen.juniper.net (from Juniper Security Director Cloud tunnel configuration)
    WAN Interface
    • WAN0=INET

    • WAN1=MPLS

    Secondary
    IP or Hostname <IP address> (from Juniper Security Director Cloud tunnel configuration)
    Probe IPs -
    Remote ID <UUID>.jsec-gen.juniper.net (from Juniper Security Director Cloud tunnel configuration)
    WAN Interface
    • WAN0=INET

    • WAN1=MPLS

    Mode Active-standby
    Note:

    You don't need to enter the probe IP values. IPsec tunnels do not need additional monitoring like GRE needs.

    Note:

    Do not enable ICMP Probe IPs for Session Smart Router-based Secure Edge configuration. ICMP probes will be sourced from a nonroutable IP address toward the Secure Edge and dropped due to policy. In addition, if the source addresses are overlapping at all branches, routing to more than one branch with a probe IP address is not supported.

    Note:

    The system generates text, application, and email descriptions automatically.

  5. Verify that the Mist cloud portal has added the Secure Edge connector you just configured.
  6. Add a new traffic-steering path on the WAN edge template or WAN edge device.
    Figure 18: Add Traffic-Steering Options for Secure Edge
    Table 10: Traffic-Steering Path Configuration
    Fields Value
    Name Cloud
    Strategy Ordered
    Paths Select Type and Destination
    Type Secure Edge Connector
    Provider Juniper Secure Edge
    Name site1-to-sdcloud

Modify an Application Policy

After you create Secure Edge connectors in the Juniper Mist™ cloud portal, the next step is to modify the application policies on the branch device. For example, you can allow traffic from a spoke device to a hub device, and you can allow traffic from a spoke device to another spoke device over the VPN tunnel. After that, you can send traffic from spokes to the Internet through Juniper Security Director Cloud instead of sending it from the spokes to a hub for central breakout.

Use the following steps to modify the application policy:

  1. Add or edit an Application Policy on the WAN edge template or WAN edge device page.
  2. Select the policy that you want to modify, and apply the changes.
    Figure 19: Change Application Policies

    If you are creating policies from the WAN edge device page, you may want to select the Override Template Settings option, depending on your requirements.

    • In the application policy, you can include the traffic steering you have created in the previous step. In this example, change the Traffic Steering to Cloud in the last rule (Internet-via-Cloud-CBO).

  3. Save the changes.
    Juniper Mist cloud builds new tunnels to Juniper Security Director Cloud.

Verify the Configuration

After you modify the application policy, confirm that your configuration works as expected. With the desired configuration saved, you can verify that the Juniper Mist cloud routes the Internet-bound traffic from the spokes to Juniper Security Director Cloud instead of routing it to a hub for central breakout.

To verify the configuration:

  1. (Optional) Depending on your environment, you can observe the IPsec tunnel communication toward Juniper Security Director Cloud in the device CLI.

    Verify the details of the established tunnels in WAN Insights for the device in the Juniper Mist cloud portal.

    Figure 20: Secure Edge Connector with Tunnel Details
    You can also check the established tunnels in the Juniper Security Director Cloud dashboard and in the service location.
  2. Check the new traffic flow using a VM desktop connected to the branch device. You can verify the traffic flow by using pings to the Internet.
    Note:

    You may experience latency depending on the physical distance between your WAN edge device and Juniper Secure Edge service location.

  3. Open a browser on a VM desktop and navigate to https://whatismyipaddress.com/ to view details about the source IP address used to route the Juniper Mist network traffic from a service location towards the Internet.

    Figure 21 and Figure 22 show traffic from the primary and secondary service locations.

    Figure 21: Traffic from Primary Service Location
    Figure 22: Traffic from Secondary Service Location

    One of the two IP addresses of the service location is a public IP address and serves two purposes:

    • Terminates the IPsec tunnel

    • Routes traffic from branch devices to the Internet through Juniper Security Director Cloud

    You can view this same public IP address in the packet captures showing established tunnel to the service location using Juniper Security Director Cloud. See Verify the Configuration.

    Remember that a service location in Juniper Security Director Cloud is also known as POP and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.