ON THIS PAGE
Access Juniper Security Director Cloud and Check Active Subscriptions
Configure a Service Location in Juniper Security Director Cloud
Generate Device Certificates in Juniper Security Director Cloud
Deploy a Secure Edge Policy in Juniper Security Director Cloud
Get IPsec Tunnel Configuration Parameters to Apply in Secure Edge Configuration
Create Secure Edge Connectors in the Juniper Mist Cloud Portal
Set Up a Secure Edge Connector for SRX Series Firewalls
Juniper® Secure Edge provides full-stack security service edge (SSE) capabilities to protect access to web, SaaS, and on-premises applications. These capabilities also provide consistent threat protection, an optimized network experience, and security policies that follow users wherever they go. Secure Edge acts as an advanced cloud-based security scanner. It enables organizations to protect data and provide users with consistent, secure network access whether users are in the office, on campus, or on the move.
Mist works with Juniper Secure Edge by providing a Secure Edge Connector (SEC) that can establish a secure tunnel with the Juniper Secure Edge cloud service.
Secure Edge capabilities are all managed by Juniper Security Director Cloud, Juniper’s simple and seamless management experience delivered in a single user interface (UI).
For more information, see Juniper Secure Edge.
Secure Edge Connector Overview
The Juniper Mist™ cloud works with Juniper® Secure Edge to perform traffic inspection from edge devices by using the Secure Edge connector feature. This feature allows the Juniper Networks® SRX Series Firewall, deployed as WAN edge device, to send a portion of traffic to Juniper Secure Edge for an inspection.
In this task, you send the Internet-bound traffic from the LAN side of a spoke or hub device to Secure Edge for an inspection before the traffic reaches Internet.
To perform traffic inspection by Secure Edge:
-
In Security Director Cloud, create and configure the service locations, IPsec profiles, sites, and policies for Secure Edge. These are the cloud-based resources that provide security services and connectivity for the WAN edge devices.
-
In Mist Cloud, create and configure the WAN edge devices, such as SRX Series Firewall that connect to the LAN networks. These are the devices that provide routing, switching, and SD-WAN capabilities for the branches or campuses.
-
In Mist WAN-Edge, create and configure the Secure Edge tunnels that connect the WAN edge devices to the service locations. These are the IPsec tunnels that provide secure and reliable transport for the traffic that needs to be inspected by Secure Edge.
-
In Mist Cloud, assign the Secure Edge tunnels to the sites or device profiles that correspond to the WAN edge devices. This enables the traffic steering from the LAN networks to the Secure Edge cloud based on the defined data policies and other match criteria.
Topics in in the following table present the overview information you need to use the cloud-based security of Secure Edge with the Juniper Mist™ cloud.
Step | Task | Description |
1 | Access Juniper Security Director Cloud and Check Active Subscriptions | Access Juniper Security Director Cloud, go to your organization account, and check Secure Edge subscriptions. The subscription entitles you to configure Secure Edge services for your deployments. |
2 | Configure a Service Location in Juniper Security Director Cloud |
Create service locations. This is where the vSRX-based WAN edge creates secure connections between different networks. |
3 | Generate Device Certificates in Juniper Security Director Cloud | Generate digital certificates for Juniper Secure Edge to establish secure communications between Secure Edge and user endpoints. |
4 | Create an IPsec Profile in Juniper Security Director Cloud | Create IPsec profiles to establish IPsec tunnels for communication between the WAN edge devices on your Juniper Mist™ cloud network with Secure Edge instance. |
5 | Create a Site in Juniper Security Director Cloud | Create a site that hosts a WAN edge device, such as a Juniper SRX Series Services Firewall. The traffic from the device is forwarded to the Secure Edge instance through a secure tunnel for an inspection. |
6 | Deploy a Secure Edge Policy in Juniper Security Director Cloud | Configure policies that define the security rules and actions for the traffic originating from or destined to the site |
7 | Get IPsec Tunnel Configuration Parameters to Apply in Juniper Security Director Cloud | Note down the details such as service location IP or hostname, the IPsec profile name, and the pre-shared key. You need these details to set up IPsec tunnels from Juniper Mist side. |
8 | Create Secure Edge Connectors in the Juniper Mist Cloud Portal | Create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between Mist and Secure Edge instance. |
9 | Modify an Application Policy | Create a new or change an existing application policy to direct traffic from branches to the Internet through Juniper Security Director Cloud instead of going through a hub for centralized access. |
10 | Verify the Configuration | Confirm if your configuration is working by checking the
established IPsec tunnels in:
|
Before You Begin
-
Read about the Juniper® Secure Edge subscription requirements. See Juniper Secure Edge Subscriptions Overview.
-
Ensure that you have completed the prerequisites to access the Juniper Security Director Cloud portal. See Prerequisites.
- Created Create Your Secure Edge Tenant. See Create Your Secure Edge Tenant.
- We assume that, in the Mist cloud, you have adopted and configured the WAN edge devices, such as SRX Series Firewall that connects to the LAN networks.
Access Juniper Security Director Cloud and Check Active Subscriptions
A tenant in Juniper Secure Edge is an organization account that you create to access the Juniper Security Director Cloud portal and manage your Secure Edge services. A tenant is associated with a unique e-mail address and a subscription plan. A tenant can have multiple service locations, which are vSRX based WAN edge hosted in a public cloud for your organization.
A tenant can have one or more service locations, which are the connection points for end users. To create a tenant, you need to have an account on Juniper Security Director Cloud. See Create Your Secure Edge Tenant for details.
After you create your Secure Edge tenant in the Juniper Security Director Cloud portal, access the portal and check your subscriptions.
To access Juniper Security Director Cloud and check active subscriptions:
Configure a Service Location in Juniper Security Director Cloud
After ensuring that you have an active license to Juniper Security Director Cloud, you configure a service location. This is your first main task in setting up a Secure Edge connector for SRX Series Firewalls.
A service location in Juniper Security Director Cloud is also known as POP (point of presence) and represents a Juniper® Secure Edge instance in a cloud location. The service location is the connection (access) point for both on-premises and roaming users.
Service locations are places where vSRX creates secure connections between different networks using a public cloud service. The public IP address (unique per tenant and service location) is used to:
-
Set up an IPsec tunnel between the branch device and the Juniper Security Director Cloud.
-
Centrally distribute the traffic when the destination is on the Internet.
To configure a service location in Juniper Security Director Cloud:
Generate Device Certificates in Juniper Security Director Cloud
Now that you have configured service locations in Juniper Security Director Cloud, you generate device certificates to secure network traffic.
You use a Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificate to establish secure communications between Secure Edge and WAN edge devices. All the client browsers on your network must trust the certificates signed by the Juniper Networks and SRX Series Firewalls to use an SSL proxy.
In Juniper Security Director Cloud, you have the following choices for generating certificates:
-
Create a new certificate signing request (CSR), and your own certificate authority (CA) can use the CSR to generate a new certificate.
-
Select the option to have Juniper Networks create a new certificate.
This topic describes how to generate a TLS/SSL certificate. How you import and use the certificate depends on your company's client-management requirements and is beyond the scope of this topic.
To generate device certificates in Juniper Security Director Cloud:
Create an IPsec Profile in Juniper Security Director Cloud
After you generate the certificates to establish secure communications between Secure Edge and WAN edge devices, you're ready to create IPsec profiles.
IPsec profiles define the parameters with which an IPsec tunnel is established when the WAN edge devices on your Juniper Mist™ cloud network start communicating with your Secure Edge instance.
To create an IPsec profile in Juniper Security Director Cloud:
Create a Site in Juniper Security Director Cloud
You have now created IPsec profiles. These profiles define the parameters for the IPsec tunnel between WAN edge devices on your Juniper Mist™ cloud network and your Secure Edge instance.
At this point, you need to create a site in Juniper Security Director Cloud. A site represents a location that hosts a WAN edge device, such as an SRX Series Services Firewall. The traffic from the WAN edge device is forwarded to the Secure Edge instance through a secure tunnel, and then inspected and enforced by the Secure Edge cloud services.
You can configure to forward some or all of the Internet-bound traffic from customer sites to the Juniper Secure Edge cloud through generic routing encapsulation (GRE) or IPsec tunnels from the WAN edge devices at the site.
Sites are typically Juniper Networks® SRX Series Firewalls using Juniper Security Director Cloud service locations.
Overlapping branch addresses are not supported to the same POP within Secure Edge when using a stateful firewall at branch locations (Example: SRX Series Firewalls). Reverse path traffic to these overlapping IPs will be routed using equal-cost multipath (ECMP) across all connections. Traffic is routed using ECMP rather than per-session routing to the interface from which traffic originated. Consider reverse path traffic through ECMP when you configure the protected networks for a site.
To create a site in Juniper Security Director Cloud:
Deploy a Secure Edge Policy in Juniper Security Director Cloud
Now that you have created sites in Juniper Security Director Cloud, it's time to deploy one or more Juniper® Secure Edge policies.
Secure Edge policies specify how the network routes traffic. By default, when you create a new tenant, the Security Director Cloud creates a Secure Edge policy rule set with predefined rules.
Even if you do not change the default rule set, you must use the Deploy option to load the rules in your service locations.
To deploy a Secure Edge policy in Juniper Security Director Cloud:
Get IPsec Tunnel Configuration Parameters to Apply in Secure Edge Configuration
In the preceding tasks, you completed several actions to set up an IPsec tunnels in Juniper Secure Edge and have deployed the Secure Edge policy in Juniper Security Director Cloud. The final step in Security Director Cloud is to collect configuration data for each site. You'll need these details to complete the Secure Edge connector configuration (Create Secure Edge Connectors in the Juniper Mist Cloud Portal) in the Juniper Mist™ cloud to set up an IPsec tunnel. In this step, you'll note down the details of the sites you created.
An automated configuration push to synchronize between Juniper Security Director Cloud and Juniper Mist cloud option not available.
To get IPsec tunnel configuration parameters to apply in Juniper Security Director Cloud:
Create Secure Edge Connectors in the Juniper Mist Cloud Portal
You are about halfway to your ultimate goal of setting up a Secure Edge connector for SRX Series Firewalls in Juniper Mist™.
You create Secure Edge connectors in the Juniper Mist cloud portal. This task completes the configuration on the Mist cloud side of the tunnels to establish an IPsec tunnel between WAN edge devices managed by Mist and Security Director Cloud. Before you create the connectors, ensure that your site has a deployed SRX Series Firewall.
To create Secure Edge connectors:
Modify an Application Policy
After you create Secure Edge connectors in the Juniper Mist™ cloud portal, next step is to modify application policies on the branch device. For example, you can allow traffic from a spoke device to a hub device. You can also allow traffic from a spoke device to another spoke device in the VPN tunnel. After that, you can send traffic from spokes to the Internet through Juniper Security Director Cloud instead of sending traffic from spokes to a hub for central breakout.
To modify an application policy:
Verify the Configuration
To verify the configuration:
Secure Edge Connector Auto Provisioning
- Activate Juniper Secure Edge account and check licenses, subscriptions, certificates. See Access Juniper Security Director Cloud and Check Active Subscriptions.
- Launch the required number of service locations (with required capacity). See Configure a Service Location in Juniper Security Director Cloud
Watch the following video to understand how to setup Secure Edge Connector auto provisioning:
- Add Juniper Secure Edge Connector Credentials in Juniper Mist Portal
- Configure Juniper Secure Edge Tunnel Auto-Provisioning
- Verify Juniper Secure Edge Tunnels
Add Juniper Secure Edge Connector Credentials in Juniper Mist Portal
- Provide Juniper Secure Edge credential details in Juniper Mist portal.
- On Juniper Mist portal, select Organization > Settings.
- Scroll-down to Secure WAN Edge Integration pane and click Add Credentials.
- In Add Provider window, enter the
details.Figure 27: Add Credentials for Juniper Secure Edge
- Provider—Select JSE.
- Email Address—Enter user name (email address) (Credentials of the user created on the Juniper Secure Edge portal)
- Password—Enter password for the user name.
- Click Add to continue.
Configure Juniper Secure Edge Tunnel Auto-Provisioning
- On Juniper Mist portal, go to Organization > WAN Edge Templates and click an existing template.
- Scroll-down to Secure Edge Connector.
- Click Add ProvidersFigure 28: Add Provider
- In Add Provider window, select Juniper
Secure Edge (Auto) for automatic provisioning. Figure 29: Select Juniper Secure Edge as ProviderEnter the following details:
- Name—Enter a name for the JSE tunnel.
- Provider—Select Juniper Secure Edge (Auto).
- Probe IP—Enter probe IPs (primary and secondary). Enter probe IP 8.8.8.8 or any other well-known probe IP address.
- WAN Interface—Assign WAN interfaces under primary and secondary tunnel details for provisioning of primary and secondary tunnels.
- Click Add.
- In the Secure Edge Connector Auto Provision
Settingsenter the details. This option is available only if you
have configured Juniper Secure Edge as provider in the previous step. Figure 30: Secure Edge Connector Auto Provision Settings
Number of Users—Enter the maximum number of users supported by the JSE tunnel
Organization Name—Enter the organization name. The drop-down box displays all organizations associated with the user name in Juniper Secure Edge account. This is the same user name that you have entered in Juniper Secure Edge credential in Organization > Settings. See step 1 for details.
- Click Add to continue.
When you assign a template enabled with the Juniper Secure Edge (Auto) option to a site, an associated JSE site (location object) is automatically created and a tunnel from the device to the closest network point of presence (POP) is brought up.
For the Secure Edge Connector configuration to take effect, you must create an application policy with Mist Secure Edge Connector-to-Juniper Secure Edge traffic steering.
Verify Juniper Secure Edge Tunnels
On Juniper Mist portal, you can verify the established tunnels details in WAN Insights of the device once WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.
Get the established tunnels status details in WAN Edges > WAN Edge Insights page Juniper Mist cloud portal.
You can check the established tunnels in the Juniper Security Director Cloud dashboard and in the service location.