Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How does a DMI device establish a connection to NSM?



Article ID: KB13940 KB Last Updated: 20 Apr 2009Version: 1.0

Information on DMI device connection to NSM



When a device is first added into NSM as reachable or unreachable mode, the first required step will manually or automatically setup the device DMI agent settings.  This setting is required in order for the device to connect to NSM. This first initial setup phase is the only time NSM will try to initiate a TCP session from NSM to the device using SSH when done in automatic mode. Some devices support only a manual configuration of the DMI agent and must be added using the unreachable workflow.

The client side settings for a DMI agent are the following:

  • NSM server Primary and Secondary IP address: The agent will try to connect to the primary IP first and then the secondary if no response is received. The agent tries indefinitely to connect to the NSM server.
  • Device-ID: Unique identifier provided by NSM which is associated with a specific device in the database of the NSM server.
  • OTP (One Time Password): Also referred as “HMAC” or “secret”, is a passphrase which is shared between the NSM server and the device used to perform an initial or first phase authentication.
  • Admin User/Password: The local user which the DMI agent will use to perform a 2nd phase authentication for the management channel and establishes the privilege level and access to the device configuration for NSM.

Once the DMI agent is correctly configured, the following procedure is followed:

  1. The device opens a TCP connection to the NSM server on port 7804.
  2. The transport used inside the TCP port 7804 is an SSH connection
  3. The device sends its Device-ID and OTP.
  4. NSM validates the Device-ID against the list of added devices and verifies the HMAC/OTP and allow/denies the device connection.
  5. If allowed, NSM will then open a new tunnel within the existing SSH TCP 7804 connection to the DMI agent. This will serve as the management channel for NSM directives.
  6. The NSM server needs to authenticate to the device using a device-side configured admin or privileged user and password in order to gain access to manage the device.
  7. If authenticated by the device, NSM will now report the connection as “Up” and will be able to manage the device with import or update of the configuration.
  8. NSM and the device will open several other tunnels inside the SSH transport connection in order to allow for other channels to be created. For example, device logs are sent to the NSM server on a specific channel opened for logging.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search