
Running Space Virtual Appliance on a VMware hosting site running vCloud Director


Article ID: KB26917    KB Last Updated: 23 Jul 2020    Version: 3.0
Summary:
Junos Space is available for download as a virtual appliance and can be deployed on a number of virtual host infrastructures including a customer’s own vSphere infrastructure. vCloud Director is a web portal that can be used as a managed end-user interface to a vSphere infrastructure. vCloud can be used within an enterprise infrastructure, but it is also commonly used by cloud-based virtual machine (VM) hosting providers.

Customers who wish to run Junos Space on a cloud-provided platform will need to use a provider that allows OVF upload, static IP assignment, and video console access. A VMware hosting provider can meet these requirements; commodity cloud providers may not. In this guide, the examples use VM hosting provided by StratoGen, which currently offers a trial period that can be used to trial Junos Space in a cloud-hosted environment.

This document outlines deploying Junos Space in a VMware vCloud environment and provides instructions for requesting a free trial from StratoGen to deploy and evaluate Junos Space.

For more information on VMware’s vCloud Director, please see this overview from VMWare.
 
Symptoms:
• Run Junos Space virtual appliance on enterprise vCloud Director
• Run Junos Space virtual appliance on provider cloud hosted vCloud Director
 
Solution:

Upload Junos Space virtual appliance to vCloud Director

Create a catalog for the Junos Space virtual appliance OVF

vCloud requires the VM image to be stored in a catalog, which can then be accessed and deployed as part of a vApp. In vCloud 5.1 you can go to “Home” and click “New Catalog”.




Click through to Finish. If you have multiple users you have defined within your organization you can share this catalog at that step. You can now see it listed in Catalogs under My Organization’s catalogs.

Upload Junos Space virtual appliance OVF into the catalog.

vCloud Director does not currently support upload of the Open Virtualization Format (OVF) VM in a single file archive (OVA), which is how Juniper provides the Junos Space virtual appliance for download. In order to upload it to vCloud Director you must first unpack and do some conversions on the OVF. The OVA to OVF conversion process is described in “How to convert a Junos Space OVA to OVF with uncompressed image for upload to vCloud Director” (KB26449).
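The unpacking step of that conversion starts from the fact that an OVA is an ordinary tar archive containing the OVF descriptor, the disk image(s) and a manifest of digests. The script below is an added example, not code from this article, KB26449 or Juniper: it extracts an OVA and checks every member against the manifest before anything is edited, so a corrupted or tampered download is caught before it reaches the catalog. It assumes GNU coreutils on the conversion host; the sample archive it builds (sample.ova, with a stub descriptor and an all-zero disk file) is constructed for the demonstration and is not a Junos Space image.

```shell
#!/bin/sh
# Added example, not code from KB26917 or KB26449: unpack an OVA (a plain tar
# archive) and verify every member against the OVF manifest before the
# descriptor is edited for vCloud upload.
# Manifest lines look like  SHA1(file)= <hex>  or  SHA256(file)= <hex>.
# Assumes GNU coreutils (tar, sha1sum/sha256sum, dd) on the conversion host.
set -e

# unpack_ova OVA DIR : extract the archive into DIR
unpack_ova() {
    mkdir -p "$2"
    tar -xf "$1" -C "$2"
}

# verify_manifest DIR : return 0 only if every manifest entry matches its file
verify_manifest() {
    dir=$1
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no .mf manifest in $dir" >&2; return 1; }
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        algo=$(printf '%s' "$line" | sed 's/^\([A-Za-z0-9]*\)(.*/\1/')      # SHA1 / SHA256
        name=$(printf '%s' "$line" | sed 's/^[A-Za-z0-9]*(\([^)]*\)).*/\1/') # member file name
        want=$(printf '%s' "$line" | sed 's/.*= *//')                        # expected digest
        tool=$(printf '%s' "$algo" | tr 'A-Z' 'a-z')sum                      # sha1sum / sha256sum
        have=$("$tool" "$dir/$name" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "ok   $name ($algo)"
        else
            echo "FAIL $name ($algo): manifest $want, file ${have:-missing}" >&2
            status=1
        fi
    done < "$mf"
    return $status
}

# make_sample_ova DIR : build a constructed sample.ova (not a real appliance image)
make_sample_ova() {
    src="$1/src"
    mkdir -p "$src"
    printf '<Envelope><!-- constructed descriptor --></Envelope>\n' > "$src/sample.ovf"
    dd if=/dev/zero of="$src/sample-disk1.vmdk" bs=1024 count=4 2>/dev/null
    ( cd "$src" && for f in sample.ovf sample-disk1.vmdk; do
          printf 'SHA256(%s)= %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
      done > sample.mf )
    # the OVF specification requires the descriptor to be the first tar member
    tar -cf "$1/sample.ova" -C "$src" sample.ovf sample-disk1.vmdk sample.mf
}

# Stand-alone demo: a clean archive verifies, a tampered disk image is caught.
demo() {
    work=$(mktemp -d)
    make_sample_ova "$work"
    unpack_ova "$work/sample.ova" "$work/out"
    verify_manifest "$work/out"
    printf 'x' >> "$work/out/sample-disk1.vmdk"
    verify_manifest "$work/out" || echo "tampered image rejected as expected"
    rm -rf "$work"
}
demo
```

Against a real download the two calls are `unpack_ova junos-space.ova work && verify_manifest work` (file and directory names assumed); decompressing the extracted disk image is the separate step covered by KB26449.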

To upload the converted image, go to Catalogs and select vApp Templates; this opens an upload dialog. Note that in this screenshot, one image has already been uploaded.



In the upload dialog, you can specify the catalog to associate the image with.



A window will appear showing progress. It can be closed; if so, it can be recalled through the Actions icon under Catalogs, vApp Templates.



Create the Junos Space VM in vCloud

Build a vApp template for the VM

From Catalogs, you can select the image to deploy and select the action of “Add to My Cloud….” This can also be accomplished from Home by clicking “Build new vApp”.





The name can be changed if desired to be more descriptive (e.g. changed to Space12.2).

At Configure Networking, switch to the Advanced Networking Flow so that static IP assignments can be specified. This is necessary because Junos Space does not support DHCP. Pick two IP addresses from your allocation and assign them to two of the interfaces. In this case, the Routed Network had been assigned 192.168.2.0/24 by the vCloud administrator. You will use these two addresses later when configuring Junos Space, which requires two IP addresses for its management interface. vCloud does not allow multiple IP addresses per interface, so we take advantage of the fact that the virtual appliance descriptor calls for four interfaces and use this step to reserve both addresses on the network. Note also that “RoutedNetwork” has been chosen as the network for all NICs.



Click through to Advanced Networking for a summary and then click Finish. The new vApp will now appear under Home and vApps.

Deploy a Junos Space VM within the vApp

If there is only to be one VM, you can simply start the vApp through its action icon. Additional VMs can also be created within this vApp as needed, but we will demonstrate the configuration of one Junos Space VM.



After the VM is started, you can click the console and another browser window will appear with the VM’s VGA console output. You may need to maximize the browser window to full screen for it to work properly. If the VM upload and creation was successful, you will see a login prompt for a new Junos Space node. If you instead see DHCP boot messages, it is likely that the uploaded OVF was not properly converted and its disk image was still compressed (see KB26449).



At this point, the Junos Space node can be initially configured. Refer to the Junos Space documentation for more information.

Configure Junos Space VM and VPN

VPN configuration to connect vCloud to Customer Network

If you are using a cloud-based provider such as StratoGen, you will need to configure how your vCloud datacenter connects to the devices in your network. By default, the RoutedNetwork is not even connected to the Internet. A VPN will need to be established for the Space instance on the RoutedNetwork to interact with your network. In addition, if you would like that instance of Space to reach devices which are directly attached to the Internet, you will need to configure NAT and firewall rules. Below is a figure representing the connectivity.



You will need the following information:

IP Address Network        Example             Your Values
vCloud Routed Network     192.168.2.0/24
vShield Edge Gateway      212.54.145.70
Juniper Edge Gateway      152.14.12.11
Customer Network          10.192.101.10/24


Configure vCloud vShield Edge VPN

In order to determine your external vCloud IP Addresses, go to Home -> Manage vDCs then click into your datacenter.



Your internal RoutedNetwork assignment can be seen under Org VDC Networks.



To see your external IP addresses, select Edge Gateways, then select the External IP Allocations action for the RoutedNetwork.





In this case, the IP address to use for the VPN endpoint is 212.54.145.70, listed under the vShield Edge (VSE) category. The Internet IP address you would use to reach resources made available to the Internet through NAT is 212.54.145.179.

To configure the vShield Edge VPN, pick the “Edge Gateway Services” action on the Routed Network (this is the same action list from which External IP Allocations was selected earlier). All services, including NAT, Firewall and VPN, are configured from here. First we will configure the VPN. Select that tab and click “Add” to set up a new VPN tunnel to your network's VPN endpoint. The key step is to change the “Establish VPN to:” drop-down to “remote network”, which enables configuration of the necessary parameters. Below is an Edit window which reflects the example values from the table above; it can be used as a guide for completing the Add form.



Note that after you add the VPN, you must select OK under Configure Services to return to the main window in order for your changes to be propagated to the vShield Edge configuration.

The vShield Edge VPN status can be checked by returning to the VPN tab of Configure Services action window for the RoutedNetwork.

Configure Junos Router VPN

The following two articles available at Juniper are useful for reference.

J Series / SRX Series Route-Based VPN Configuration and Troubleshooting
Implementing Policy Based IPSEC VPN using SRX Series Service Gateways

In our example we have implemented a route-based VPN.
On the Junos router, the following relevant portions of the configuration used to terminate this IPsec VPN can be used for reference (the protectRE firewall filter applied to ge-0/0/0 is referenced but not shown).

interfaces {
    ge-0/0/0 {
        description "DMZ";
        unit 0 {
            family inet {
                filter {
                    input protectRE;
                }
                address 152.14.12.11/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan101;
                }
            }
        }
    }
    vlan {
        unit 101 {
            family inet {
                address 10.192.101.1/24;
            }
        }
    }
    st0 {
        unit 101 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.2.0/24 next-hop st0.101;
    }
}
security {
    ike {
        policy ike_policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$7vNV...";
        }
        gateway ike_gateway {
            ike-policy ike_policy;
            address 212.54.145.70;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn ipsec_vpn {
            bind-interface st0.101;
            ike {
                gateway ike_gateway;
                ipsec-policy ipsec-policy;
            }
        }
    }
    policies {
        from-zone v101 to-zone v101 {
            policy ok {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    snmp;
                    ntp;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone v101 {
            interfaces {
                vlan.101;
                st0.101;
            }
        }
    }
}
vlans {
    vlan101 {
        vlan-id 101;
        l3-interface vlan.101;
    }
}


When the IPsec VPN tunnel is successfully established, it can be checked on the Junos router with the following commands.

jboyle@poi> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5584150 UP 72120af2504c8bf8 546bfd3b5d266895 Main 212.54.145.70

jboyle@poi> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-128/sha1 35346ff7 3571/ unlim - root 500 212.54.145.70
>131073 ESP:aes-128/sha1 898a8674 3571/ unlim - root 500 212.54.145.70
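As an added example (not from the article), the following shell functions turn those two command outputs into a pass/fail check suitable for a cron or monitoring job: the IKE SA to the expected gateway must be UP, and both an inbound and an outbound ESP SA must exist for it. The sample outputs embedded below are constructed from the article's own output format and values; how the output is fetched from the router (for example over SSH) is left to the caller.

```shell
#!/bin/sh
# Added example, not from KB26917: check the state of the route-based VPN from
# the text of "show security ike security-associations" and
# "show security ipsec security-associations". Each function reads the command
# output on stdin; the sample outputs are constructed from the article's format.
set -e

# ike_up GATEWAY : 0 if the IKE SA to GATEWAY is in state UP
ike_up() {
    awk -v gw="$1" '$NF == gw && $2 == "UP" { found = 1 } END { exit (found ? 0 : 1) }'
}

# ipsec_both_directions GATEWAY : 0 if an inbound (<) and an outbound (>) ESP SA
# exist for GATEWAY; a one-sided SA means the tunnel is not usable
ipsec_both_directions() {
    awk -v gw="$1" '
        /^[<>][0-9]+/ && $NF == gw {
            if (substr($1, 1, 1) == "<") inbound++; else outbound++
        }
        END { exit (inbound > 0 && outbound > 0) ? 0 : 1 }'
}

# ipsec_algorithms GATEWAY : print the negotiated ESP cipher/hash for GATEWAY,
# so a job can alert when something other than the expected suite comes up
ipsec_algorithms() {
    awk -v gw="$1" '/^[<>][0-9]+/ && $NF == gw { print $2 }' | sort -u
}

# Constructed sample outputs (cookies, SPIs and addresses as in the article).
IKE_SAMPLE='Index State Initiator cookie Responder cookie Mode Remote Address
5584150 UP 72120af2504c8bf8 546bfd3b5d266895 Main 212.54.145.70'
IPSEC_SAMPLE='Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-128/sha1 35346ff7 3571/ unlim - root 500 212.54.145.70
>131073 ESP:aes-128/sha1 898a8674 3571/ unlim - root 500 212.54.145.70'

# check_tunnel GATEWAY IKE_OUTPUT IPSEC_OUTPUT : 0 if IKE is UP and both ESP SAs exist
check_tunnel() {
    printf '%s\n' "$2" | ike_up "$1" || { echo "IKE SA to $1 not UP" >&2; return 1; }
    printf '%s\n' "$3" | ipsec_both_directions "$1" || { echo "ESP SA pair to $1 missing" >&2; return 1; }
    echo "tunnel to $1 up, ESP suite: $(printf '%s\n' "$3" | ipsecAlgorithmsPlaceholder 2>/dev/null || printf '%s\n' "$3" | ipsec_algorithms "$1")"
}

check_tunnel 212.54.145.70 "$IKE_SAMPLE" "$IPSEC_SAMPLE"
```

In a monitoring job the two captured outputs replace the samples, and a non-zero exit from check_tunnel is the alert condition; the expected suite string from ipsec_algorithms can be compared against what the policy is meant to negotiate.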


Configuring vShield NAT and Firewall for Direct Internet Access to Junos Space

This step is only necessary if you would like to access Junos Space directly through the Internet. If you can access it through the secure VPN connection, this step is not needed.

As with the VPN configuration above, open the Configure Edge Gateway Services action for the RoutedNetwork. The following configuration allows inbound HTTP and HTTPS to the web interface of Junos Space, inbound SSH to the administrative interface of Junos Space, and outbound NAT from the routed segment.



The following firewall rules limit inbound TCP to a specific host (and permit the VPN traffic), and allow any outbound traffic from the RoutedNetwork.

Exporting your VM from vCloud

Should you need to move your VM from vCloud, the best approach would be to use Junos Space capabilities to backup the database and load it into a new instance of Junos Space on the new infrastructure. The back-up and restore procedure is outlined in the Junos Space documentation.

If preferred, the vCloud VM can be exported as an OVF for redeployment. To export the VM from vCloud, stop the vApp, then select Add to Catalog from the actions for the vApp.



Then the OVF can be downloaded from the Catalog.


Contacting StratoGen to initiate a trial of Junos Space

1. Contact StratoGen for a trial via www.stratogen.com/trial
2. After submitting the web request for a trial, raise a support ticket via support@stratogen.com requesting the Juniper customer-specific configuration, using the following template:
 
Subject: New trial request for (YOUR ACCOUNT NAME) – specialized request for trial of Junos Space
CC: ian.baumel@stratogen.com ; support-labs@juniper.net

This requested trial will be used to test Juniper Networks Junos Space application. Specialized requirements include the following:
o 64 GB disk storage
o 8 GB RAM (allows for 1 running VM)
o Org Routed Network and vShield Edge Gateway

 
3. Once your account is ready, proceed with the directions above to set up vCloud and Junos Space so that Junos Space can access your network devices.

 
Modification History:
2020-07-23: Fixed broken link
