Set Up a Secure Edge Connector for SRX Series Firewalls

Juniper® Secure Edge provides full-stack security service edge (SSE) capabilities to protect access to web, SaaS, and on-premises applications. These capabilities also provide consistent threat protection, an optimized network experience, and security policies that follow users wherever they go. Secure Edge acts as an advanced cloud-based security scanner. It enables organizations to protect data and provide users with consistent, secure network access whether users are in the office, on campus, or on the move.

Mist works with Juniper Secure Edge by providing a Secure Edge Connector (SEC) that can establish a secure tunnel with the Juniper Secure Edge cloud service.

Figure 1: Secure Edge

Secure Edge capabilities are all managed by Juniper Security Director Cloud, Juniper’s simple and seamless management experience delivered in a single user interface (UI).

Figure 2: Traffic Inspection by Juniper Secure Edge

For more information, see Juniper Secure Edge.

Secure Edge Connector Overview

The Juniper Mist™ cloud works with Juniper® Secure Edge to perform traffic inspection for edge devices by using the Secure Edge connector feature. This feature allows the Juniper Networks® SRX Series Firewall, deployed as a WAN edge device, to send a portion of its traffic to Juniper Secure Edge for inspection.

In this task, you send the Internet-bound traffic from the LAN side of a spoke or hub device to Secure Edge for inspection before the traffic reaches the Internet.

To perform traffic inspection by Secure Edge:

  • In Security Director Cloud, create and configure the service locations, IPsec profiles, sites, and policies for Secure Edge. These are the cloud-based resources that provide security services and connectivity for the WAN edge devices.

  • In Mist Cloud, create and configure the WAN edge devices, such as SRX Series Firewalls, that connect to the LAN networks. These are the devices that provide routing, switching, and SD-WAN capabilities for the branches or campuses.

  • In Mist WAN-Edge, create and configure the Secure Edge tunnels that connect the WAN edge devices to the service locations. These are the IPsec tunnels that provide secure and reliable transport for the traffic that needs to be inspected by Secure Edge.

  • In Mist Cloud, assign the Secure Edge tunnels to the sites or device profiles that correspond to the WAN edge devices. This enables the traffic steering from the LAN networks to the Secure Edge cloud based on the defined data policies and other match criteria.

The topics in the following table present the overview information you need to use the cloud-based security of Secure Edge with the Juniper Mist™ cloud.

Table 1: Secure Edge Connector Configuration Workflow
Step Task Description
1 Access Juniper Security Director Cloud and Check Active Subscriptions Access Juniper Security Director Cloud, go to your organization account, and check Secure Edge subscriptions. The subscription entitles you to configure Secure Edge services for your deployments.
2 Configure a Service Location in Juniper Security Director Cloud Create service locations. This is where the vSRX-based WAN edge creates secure connections between different networks.
3 Generate Device Certificates in Juniper Security Director Cloud Generate digital certificates for Juniper Secure Edge to establish secure communications between Secure Edge and user endpoints.
4 Create an IPsec Profile in Juniper Security Director Cloud Create IPsec profiles to establish IPsec tunnels for communication between the WAN edge devices on your Juniper Mist™ cloud network and the Secure Edge instance.
5 Create a Site in Juniper Security Director Cloud Create a site that hosts a WAN edge device, such as a Juniper SRX Series Services Firewall. The traffic from the device is forwarded to the Secure Edge instance through a secure tunnel for inspection.
6 Deploy a Secure Edge Policy in Juniper Security Director Cloud Configure policies that define the security rules and actions for the traffic originating from or destined to the site.
7 Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud Note down details such as the service location IP address or hostname, the IPsec profile name, and the pre-shared key. You need these details to set up IPsec tunnels from the Juniper Mist side.
8 Create Secure Edge Connectors in the Juniper Mist Cloud Portal Create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between Mist and the Secure Edge instance.
9 Modify an Application Policy Create a new application policy or change an existing one to direct traffic from branches to the Internet through Juniper Security Director Cloud instead of going through a hub for centralized access.
10 Verify the Configuration Confirm that your configuration is working by checking the established IPsec tunnels in:
  • WAN Insights in the Mist portal
  • Security Director Cloud dashboard
  • Tunnel traffic flow on the WAN edge device CLI.

Before You Begin

Access Juniper Security Director Cloud and Check Active Subscriptions

A tenant in Juniper Secure Edge is an organization account that you create to access the Juniper Security Director Cloud portal and manage your Secure Edge services. A tenant is associated with a unique e-mail address and a subscription plan.

A tenant can have one or more service locations. A service location is a vSRX-based WAN edge hosted in a public cloud for your organization, and it is the connection point for end users. To create a tenant, you need to have an account on Juniper Security Director Cloud. See Create Your Secure Edge Tenant for details.

After you create your Secure Edge tenant in the Juniper Security Director Cloud portal, access the portal and check your subscriptions.

To access Juniper Security Director Cloud and check active subscriptions:

  1. Open the URL to the Juniper Security Director Cloud. Enter your e-mail address and password to log in and start using the Juniper Security Director Cloud portal.
    Figure 3: Access Juniper Security Director Cloud
  2. Select the required tenant in the upper right corner of the portal to continue.
  3. Select Administration > Subscriptions to access the Juniper Security Director Cloud subscriptions page.
    Figure 4: Secure Edge Subscriptions
  4. Scroll to the Secure Edge Subscriptions section to check whether you have an active subscription.
    Note: You do not need to click the SRX Management Subscription tab, even if you are using a Juniper Networks® SRX Series Firewall. In this task, you are not using Juniper Security Director Cloud for managing WAN edge devices.

    For details, see About the Subscriptions Page.

    Assuming that you have active subscriptions, continue with the next steps.

Configure a Service Location in Juniper Security Director Cloud

After ensuring that you have an active license to Juniper Security Director Cloud, you configure a service location. This is your first main task in setting up a Secure Edge connector for SRX Series Firewalls.

A service location in Juniper Security Director Cloud is also known as POP (point of presence) and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.

Service locations are places where vSRX creates secure connections between different networks using a public cloud service. The public IP address (unique per tenant and service location) is used to:

  • Set up an IPsec tunnel between the branch device and the Juniper Security Director Cloud.

  • Centrally distribute the traffic when the destination is on the Internet.

To configure a service location in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud menu, select Secure Edge > Service Management > Service Locations.

    The Service Locations page appears.

  2. Click the Add (+) icon to create a new service location.
    Enter the details for the following fields:
    • Region—Choose the geographic region where you want to create a Secure Edge instance.

    • PoP—Select the location for the Secure Edge in the region.

    • Number of Users—Enter the total possible number of users this service location may need to serve.

    Table 2 shows examples of service locations.

    Table 2: Service Location Samples
    Field Service Location 1 Service Location 2
    Region North America North America
    PoP Ohio Oregon
    Number of Users 50 50
  3. Click OK.

    Security Director Cloud creates a new service location and lists it on the Service Locations page.

    The status of the service location shows In Progress until the Secure Edge instance is fully deployed, as shown in Figure 5.

    Figure 5: Service Location Status

    When you create a new service location, the system starts the deployment of two vSRX instances as WAN edges for your tenant system. In this deployment, vSRX instances are not shared with other tenants.

Generate Device Certificates in Juniper Security Director Cloud

Now that you have configured service locations in Juniper Security Director Cloud, you generate device certificates to secure network traffic.

You use a Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificate to establish secure communications between Secure Edge and WAN edge devices. To use an SSL proxy, all client browsers on your network must trust the certificates signed by Juniper Networks and by the SRX Series Firewalls.

In Juniper Security Director Cloud, you have the following choices for generating certificates:

  • Create a new certificate signing request (CSR), and your own certificate authority (CA) can use the CSR to generate a new certificate.

  • Select the option to have Juniper Networks create a new certificate.

Note:

This topic describes how to generate a TLS/SSL certificate. How you import and use the certificate depends on your company's client-management requirements and is beyond the scope of this topic.

To generate device certificates in Juniper Security Director Cloud:

  1. Select Secure Edge > Service Administration > Certificate Management.

    The Certificate Management page appears.

    From the Generate list, you can generate either a new certificate signing request (CSR) or a Juniper-issued certificate.

    Figure 6: Certificate Management
  2. Select the relevant option:
    1. If your company has its own CA and you want to generate a CSR, click Certificate signing request.

      After Juniper Secure Edge generates the CSR, download the CSR and submit it to your CA to generate a new certificate. Once the certificate is generated, click Upload to upload it on the Certificate Management page.

    2. If your company does not have its own CA, click Juniper issued certificate, and then click Generate to generate the certificate. Juniper Networks generates the certificate and keeps it on the system.
      In this task, select Juniper issued certificate and continue with the next step.
  3. Enter the certificate details. In the Common name field, use the certificate's fully qualified domain name (FQDN).
    Figure 7: Generate a Juniper-Issued Certificate

    The Certificate Management page opens with a message indicating that the certificate is created successfully.

  4. Download the generated certificate.
    Figure 8: Download the Certificate

    The following sample shows the downloaded certificate:

    After you download the certificate to your system, add the certificate to client browsers.

Create an IPsec Profile in Juniper Security Director Cloud

After you generate the certificates to establish secure communications between Secure Edge and WAN edge devices, you're ready to create IPsec profiles.

IPsec profiles define the parameters with which an IPsec tunnel is established when the WAN edge devices on your Juniper Mist™ cloud network start communicating with your Secure Edge instance.

To create an IPsec profile in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, select Secure Edge > Service Management > IPsec Profiles.
  2. Click the Add (+) icon to create an IPsec profile.
    The Create IPsec Profile page appears.
  3. For the profile name, use default-ipsec. Retain all default values for Internet Key Exchange (IKE) and IPsec; currently, they are not configurable on the Juniper Mist cloud portal.
    Figure 9: Create an IPsec Profile
  4. Click OK.

    You use this IPsec profile to create a site in the next task. On the Create Site page, if you select IPsec as the tunnel type on the Traffic Forwarding tab, you will attach the IPsec profile.

Create a Site in Juniper Security Director Cloud

You have now created IPsec profiles. These profiles define the parameters for the IPsec tunnel between WAN edge devices on your Juniper Mist™ cloud network and your Secure Edge instance.

At this point, you need to create a site in Juniper Security Director Cloud. A site represents a location that hosts a WAN edge device, such as an SRX Series Services Firewall. The traffic from the WAN edge device is forwarded to the Secure Edge instance through a secure tunnel, and then inspected and enforced by the Secure Edge cloud services.

You can configure the WAN edge devices at a site to forward some or all of the Internet-bound traffic from customer sites to the Juniper Secure Edge cloud through generic routing encapsulation (GRE) or IPsec tunnels.

Sites are typically Juniper Networks® SRX Series Firewalls using Juniper Security Director Cloud service locations.

Note:

Overlapping branch addresses are not supported on the same POP within Secure Edge when you use a stateful firewall at branch locations (for example, SRX Series Firewalls). Reverse-path traffic to these overlapping IP addresses is routed using equal-cost multipath (ECMP) across all connections, rather than per session to the interface from which the traffic originated. Consider reverse-path traffic through ECMP when you configure the protected networks for a site.

To create a site in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, select Secure Edge > Service Management > Sites.

    The Sites page appears.

  2. Click the Add (+) icon to create a site.
  3. Complete the Site Details page as follows:
    1. Enter a unique site name and a description.

    2. Select the corresponding country from the list where the site is located.

    3. (Optional) Enter the zip code where the customer branch is located.

    4. (Optional) Enter the location (street address) of the site.

    5. Select the number of users who can use the network at the site.

    6. In the Protected networks field, click the Add (+) icon to add the private IP address range of the interface to be used for traffic flow through the tunnel.

    Figure 10 and Table 3 show an example of a site.
    Figure 10: Site-Creation Sample
    Table 3: Site-Creation Details
    Fields Values
    Primary service location jsec-oregon
    Secondary service location jsec-ohio
    Number of Users 10
    Name spoke1-site
    Country Germany
    Protected networks 10.99.99.0/24 (LAN network)
  4. Click Next.
  5. On the Traffic Forwarding page, enter the details according to the information provided in Table 4.
    Figure 11: Create Site: Traffic-Forwarding Details
    Table 4: Create Site: Traffic-Forwarding Details
    Field Value
    Tunnel type IPsec
    IP address type Dynamic (for the Static IP address type, you need to provide the device IP address in the Site IP address field)
    IPsec profile default-ipsec (if you do not have a preconfigured IPsec profile, click Create IPsec Profile to create one)
    Pre-shared key Define a unique PSK for each site. Example: Juniper!1
    IKE ID site1@example.com (resembles an e-mail address and must be a unique value for each site)
  6. On the Site Configuration page, for the Device Type select Non-Juniper Device.
    Figure 12: Create Site: Site Configuration

    You must select this option because the devices that the Juniper Mist cloud portal manages do not have their configuration pushed through Juniper Security Director Cloud.

  7. Click Next.
  8. On the Summary page, review the configuration.
    Figure 13: Create Site Summary
  9. Click Back to edit any fields or Finish to create the new site.
  10. Add two more sites using the same procedure. The following paragraphs describe the details to include in each site.
    1. Create a second site with the details shown in Table 5 and Table 6.
      Table 5: Create Second Site: Site Details
      Fields Value
      Primary service location jsec-oregon
      Secondary service location jsec-ohio
      Number of Users 10
      Name spoke2-site
      Country Germany
      Protected networks 10.88.88.0/24 (LAN network)
      Table 6: Create a Second Site: Traffic-Forwarding Details
      Field Value
      Tunnel type IPsec
      IP address type Dynamic
      IPsec profile default-ipsec
      Pre-shared key Define a unique PSK for each site. Example: Juniper!1
      IKE ID site2@example.com (resembles an e-mail address and must be a unique value for each site)
    2. Select Device Type=Non-Juniper Device.
    3. Create a third site with the details shown in Table 7 and Table 8.
      Table 7: Create a Third Site: Site Details
      Fields Value
      Primary service location jsec-oregon
      Secondary service location jsec-ohio
      Number of Users 10
      Name spoke3-site
      Country Germany
      Protected networks 10.77.77.0/24 (LAN network)
      Table 8: Create a Third Site: Traffic-Forwarding Details
      Field Value
      Tunnel type IPsec
      IP address type Dynamic
      IPsec profile default-ipsec
      Pre-shared key Define a unique PSK for each site. Example: Juniper!1
      IKE ID site3@example.com (resembles an e-mail address and must be a unique value for each site)
    4. Select Device Type=Non-Juniper Device.
  11. Review the Summary page. Modify any incorrect entries.

    Figure 14 displays the list of sites you created.

    Figure 14: Summary of Created Sites
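Before you enter the site details in the portal, it helps to check them against the constraints stated above: a unique, e-mail-like IKE ID and a unique PSK per site, valid protected-network prefixes, and no overlapping protected networks between sites that share a service location (POP). The following script is an added example, not Juniper tooling; the site list is constructed from Tables 3 to 8, and the PSK values are placeholders.

```python
"""Pre-flight validation of Secure Edge site definitions (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# IKE ID must resemble an e-mail address (for example site1@example.com).
IKE_ID_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Site:
    name: str
    primary_pop: str
    secondary_pop: str
    protected_networks: List[str]
    ike_id: str
    psk: str


def validate_sites(sites: List[Site]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the
    sites can be entered as-is."""
    problems: List[str] = []
    seen_ike: Dict[str, str] = {}
    seen_psk: Dict[str, str] = {}

    for s in sites:
        if not IKE_ID_RE.match(s.ike_id):
            problems.append(f"{s.name}: IKE ID {s.ike_id!r} is not e-mail-like")
        if s.ike_id in seen_ike:
            problems.append(f"{s.name}: IKE ID {s.ike_id!r} already used by {seen_ike[s.ike_id]}")
        seen_ike.setdefault(s.ike_id, s.name)
        if s.psk in seen_psk:
            problems.append(f"{s.name}: PSK reused from {seen_psk[s.psk]}; define a unique PSK per site")
        seen_psk.setdefault(s.psk, s.name)
        for net in s.protected_networks:
            try:
                # strict=True rejects prefixes with host bits set (10.99.99.5/24).
                ipaddress.ip_network(net, strict=True)
            except ValueError as err:
                problems.append(f"{s.name}: bad protected network {net!r}: {err}")

    # Overlapping branch addresses are not supported on the same POP, so check
    # every pair of sites that share a primary or secondary service location.
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            shared = {a.primary_pop, a.secondary_pop} & {b.primary_pop, b.secondary_pop}
            if not shared:
                continue
            for na in a.protected_networks:
                for nb in b.protected_networks:
                    try:
                        x, y = ipaddress.ip_network(na), ipaddress.ip_network(nb)
                    except ValueError:
                        continue  # already reported above
                    if x.overlaps(y):
                        problems.append(
                            f"{a.name}/{b.name}: {na} overlaps {nb} on shared POP(s) {sorted(shared)}"
                        )
    return problems


# Constructed from the tables above; PSKs are placeholders, not real keys.
SAMPLE_SITES = [
    Site("spoke1-site", "jsec-oregon", "jsec-ohio", ["10.99.99.0/24"], "site1@example.com", "PSK-PLACEHOLDER-1"),
    Site("spoke2-site", "jsec-oregon", "jsec-ohio", ["10.88.88.0/24"], "site2@example.com", "PSK-PLACEHOLDER-2"),
    Site("spoke3-site", "jsec-oregon", "jsec-ohio", ["10.77.77.0/24"], "site3@example.com", "PSK-PLACEHOLDER-3"),
]

if __name__ == "__main__":
    for problem in validate_sites(SAMPLE_SITES) or ["OK: no problems found"]:
        print(problem)
```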

Deploy a Secure Edge Policy in Juniper Security Director Cloud

Now that you have created sites in Juniper Security Director Cloud, it's time to deploy one or more Juniper® Secure Edge policies.

Secure Edge policies specify how the network routes traffic. By default, when you create a new tenant, the Security Director Cloud creates a Secure Edge policy rule set with predefined rules.

Note:

Even if you do not change the default rule set, you must use the Deploy option to load the rules in your service locations.

To deploy a Secure Edge policy in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, click Secure Edge > Security Policies.

    A Secure Edge Policy page with default rules appears. In this task, you modify the default security policy set to make debugging easier: the default rule set does not allow ICMP pings to the outside (Internet), which prevents you from pinging anything through the cloud.

    Figure 15: Secure Edge Policy Details
  2. Click the Add (+) icon to create a new rule, or select the existing rule and click the pencil icon to edit the rule.
  3. Give the new rule the Rule Name=Allow-ICMP.
  4. Click Add (+) to add sources.
    Under Sources, use the following default values:
    • Addresses=Any

    • User Groups=Any

  5. Click Add (+) to add destinations.
    Under Destinations, for Addresses, use the default value =Any.
  6. Under Applications/Services, configure the following values:
    • Applications=Any

    • Services=Specific (via search)

    • Specific Service=icmp-all

    Using the Right Arrow (>), move specific service=icmp-all to the right pane to activate it before you click OK.

  7. Configure Action=Permit, and retain the default values for the remaining fields.

    The system places the new rule at the bottom of the rules list and treats this rule as the last rule in the rule set. If the rule is placed after a global rule (that denies all traffic), it will never get applied, because the global rule stops all further traffic. Therefore, for this example you change the position of the rule by selecting the rule. Then, use the Move > Move > Move Top options to move the selected rule to the top of the rule set. Moving the rule to the top of the rule set ensures that the system applies this rule first.

    Note:

    Whenever you modify a rule set, ensure that you use the Deploy button to complete the task. Otherwise, service locations continue to use the outdated rule sets.

  8. Click Deploy.
  9. On the Deploy page, check the Run now option and click OK.

    Service locations get the updated rule set after a few minutes.

  10. Select Administration > Jobs to view the status and progress of the deployed job.

Get IPsec Tunnel Configuration Parameters to Apply in Secure Edge Configuration

In the preceding tasks, you completed several actions to set up IPsec tunnels in Juniper Secure Edge and deployed the Secure Edge policy in Juniper Security Director Cloud. The final step in Security Director Cloud is to collect configuration data for each site. You need these details to complete the Secure Edge connector configuration (Create Secure Edge Connectors in the Juniper Mist Cloud Portal) in the Juniper Mist™ cloud and set up an IPsec tunnel. In this step, you note down the details of the sites you created.

Note:

An automated configuration push to synchronize Juniper Security Director Cloud and the Juniper Mist cloud is not available.

To get IPsec tunnel configuration parameters to apply in Juniper Security Director Cloud:

  1. In the Juniper Security Director Cloud portal, select Secure Edge > Service Management > Sites.
    The Sites page opens, displaying deployed site details.
    Figure 16: Tunnel Configuration Details
  2. For each spoke site, click the Tunnel Configuration option under Deployed Status, and then check the MIST Managed Device tab for information.

    Note down the following details, which you will use in Create Secure Edge Connectors in the Juniper Mist Cloud Portal:

    • Pre-Shared Key

    • Local ID

    • IP address and remote ID of each service location tunnel

    The following samples show extracted information for all three sites you created in Create a Site in Juniper Security Director Cloud:

    The following sample is of the extracted information for site2:

    The following sample is of the extracted information for site3:

    You need these site details when you configure tunnels in the Mist cloud portal.

Create Secure Edge Connectors in the Juniper Mist Cloud Portal

You are about halfway to your ultimate goal of setting up a Secure Edge connector for SRX Series Firewalls in Juniper Mist™.

You create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between WAN edge devices managed by Mist and Security Director Cloud. Before you create the connectors, ensure that your site has a deployed SRX Series Firewall.

To create Secure Edge connectors:

  1. In the Juniper Mist cloud portal, click WAN Edges.

    The WAN Edges page displays site details.

    Figure 17: Configure WAN Edge
  2. Select a site with a deployed branch device.
  3. In the Secure Edge Connectors pane, click Add Provider.
    Figure 18: Secure Edge Connector Configuration
  4. Enter Secure Edge connector details according to the details provided in Table 9.
    Note:

    Remember that these are the same details you gathered in Get IPsec Tunnel Configuration Parameters to Apply in Secure Edge Configuration.

    Figure 19: Secure Edge Connector Details
    Table 9: Secure Edge Connector Details
    Field Value
    Name site1-to-sdcloud
    Provider Juniper Secure Edge
    Local ID site1@example.com
    Pre-Shared Key Juniper!1 (example)
    Primary
    IP or Hostname <IP address> (from Juniper Security Director Cloud tunnel configuration)
    Probe IPs -
    Remote ID <UUID>.jsec-gen.juniper.net (from Juniper Security Director Cloud tunnel configuration)
    WAN Interface
    • WAN0=INET

    • WAN1=MPLS

    Secondary
    IP or Hostname <IP address> (from Juniper Security Director Cloud tunnel configuration)
    Probe IPs -
    Remote ID <UUID>.jsec-gen.juniper.net (from Juniper Security Director Cloud tunnel configuration)
    WAN Interface
    • WAN0=INET

    • WAN1=MPLS

    Mode Active-standby
    Note:

    You don't need to enter the probe IP values. IPsec tunnels do not need the additional monitoring that GRE tunnels need.

    Note:

    The system generates text, application, and email descriptions automatically.

  5. Verify that the Mist cloud portal has added the Secure Edge connector you just configured.
    Figure 20: Secure Edge Connector Added
  6. Add the traffic-steering paths.

    Add a new traffic-steering path on the WAN edge template or WAN edge device, according to the values provided in Table 10.

    Figure 21: Add Traffic-Steering Options for Secure Edge
    Table 10: Traffic-Steering Path Configuration
    Fields Value
    Name Cloud
    Strategy Ordered
    Paths Select Type and Destination
    Type Secure Edge Connector
    Provider Juniper Secure Edge
    Name site1-to-sdcloud

    Figure 22 displays the configured traffic-steering paths.

    Figure 22: Traffic-Steering Paths

Modify an Application Policy

After you create Secure Edge connectors in the Juniper Mist™ cloud portal, the next step is to modify application policies on the branch device. For example, you can allow traffic from a spoke device to a hub device, or from a spoke device to another spoke device in the VPN tunnel. You can then send traffic from spokes to the Internet through Juniper Security Director Cloud instead of sending it from spokes to a hub for central breakout.

To modify an application policy:

  1. In the Juniper Mist cloud portal, select Organization > WAN > Application Policy.
    The Application Policies page opens.
    Figure 23: Change Application Policies
  2. Select the policy that you want to modify, and apply the following changes:
    • Check the Override Template Settings option.

    • Change the Traffic Steering to Cloud in the last rule (Internet-via-Cloud-CBO).

  3. Save your changes.

    Juniper Mist cloud builds new tunnels to Juniper Security Director Cloud.

Verify the Configuration

After you modify the application policy, it is time to confirm that your configuration is working as expected.
With the desired configuration saved, you can verify that the Juniper Mist cloud routes the Internet-bound traffic from spokes to Juniper Security Director Cloud instead of routing it to a hub for central breakout.

To verify the configuration:

  1. (Optional) Depending on your environment, you can observe the IPsec tunnel traffic toward the service locations in Juniper Security Director Cloud from the device CLI.
  2. Verify the details of the established tunnels in WAN Insights for the device in the Juniper Mist cloud portal.
    Figure 24: Secure Edge Connector with Tunnel Details
    You can also check the established tunnels in the Juniper Security Director Cloud dashboard and in the service location.
  3. Check the new traffic flow using a VM desktop connected to the branch device. You can verify the traffic flow by using pings to the Internet.
    Note:

    A ping to the Internet works only if you have deployed the appropriate rule (Allow-ICMP) in the Juniper Security Director Cloud portal by selecting the Secure Edge > Security Policy option to allow ICMP, as described in Deploy a Secure Edge Policy in Juniper Security Director Cloud.

    Note:

    You may experience latency depending on the physical distance between your WAN edge device and Juniper Secure Edge service location.

  4. Open a browser on a VM desktop and navigate to https://whatismyipaddress.com/ to view details about the source IP address used to route the Juniper Mist network traffic from a service location towards the Internet.

    Figure 25 and Figure 26 show traffic from the primary and secondary service locations.

    Figure 25: Traffic from Primary Service Location
    Figure 26: Traffic from Secondary Service Location

    One of the two IP addresses of the service location is a public IP address and serves two purposes:

    • Terminates the IPsec tunnel

    You can view this same public IP address in the packet captures showing the established tunnel to the service location using Juniper Security Director Cloud. See Verify the Configuration.

    Remember that a service location in Juniper Security Director Cloud is also known as POP and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.

Secure Edge Connector Auto Provisioning

Prerequisites

Watch the following video to understand how to set up Secure Edge Connector auto provisioning:

Add Juniper Secure Edge Connector Credentials in Juniper Mist Portal

  1. Provide Juniper Secure Edge credential details in Juniper Mist portal.
    • On Juniper Mist portal, select Organization > Settings.
    • Scroll down to the Secure WAN Edge Integration pane and click Add Credentials.
    • In the Add Provider window, enter the details.
      Figure 27: Add Credentials for Juniper Secure Edge
      • Provider—Select JSE.
      • Email Address—Enter the user name (e-mail address) of the user created on the Juniper Secure Edge portal.
      • Password—Enter the password for that user name.
    • Click Add to continue.

Configure Juniper Secure Edge Tunnel Auto-Provisioning

  1. On the Juniper Mist portal, go to Organization > WAN Edge Templates and click an existing template.
  2. Scroll down to Secure Edge Connector.
  3. Click Add Providers.
    Figure 28: Add Provider
  4. In the Add Provider window, select Juniper Secure Edge (Auto) for automatic provisioning.
    Figure 29: Select Juniper Secure Edge as Provider
    Enter the following details:
    • Name—Enter a name for the JSE tunnel.
    • Provider—Select Juniper Secure Edge (Auto).
    • Probe IP—Enter probe IPs (primary and secondary). Enter probe IP 8.8.8.8 or any other well-known probe IP address.
    • WAN Interface—Assign WAN interfaces under primary and secondary tunnel details for provisioning of primary and secondary tunnels.
  5. Click Add.
  6. In the Secure Edge Connector Auto Provision Settings pane, enter the details. This option is available only if you have configured Juniper Secure Edge as the provider in the previous step.
    Figure 30: Secure Edge Connector Auto Provision Settings
    • Number of Users—Enter the maximum number of users supported by the JSE tunnel.

    • Organization Name—Enter the organization name. The drop-down box displays all organizations associated with the user name in the Juniper Secure Edge account. This is the same user name that you entered in the Juniper Secure Edge credentials under Organization > Settings. See step 1 for details.

  7. Click Add to continue.

When you assign a template enabled with the Juniper Secure Edge (Auto) option to a site, an associated JSE site (location object) is automatically created and a tunnel from the device to the closest network point of presence (POP) is brought up.

For the Secure Edge Connector configuration to take effect, you must create an application policy with Mist Secure Edge Connector-to-Juniper Secure Edge traffic steering.

Verify Juniper Secure Edge Tunnels

On the Juniper Mist portal, you can verify the details of the established tunnels in WAN Insights for the device once the WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.

Figure 31: WAN Edge Events

Get the status details of the established tunnels on the WAN Edges > WAN Edge Insights page of the Juniper Mist cloud portal.

Figure 32: Established Secure Edge Tunnels

You can check the established tunnels in the Juniper Security Director Cloud dashboard and in the service location.