JunOS SPACE installation notes

Installing JunOS SPACE can be a slog through documentation. These are my notes to help with the needed steps.

Edit: vSphere 6.5 can have issues installing the OVA file provided by Juniper. Until Juniper provides OVF files, you can install ovftools and convert the OVA using those.

ovftool -st=OVA -tt=OVF space-17.1R1.7.ova space-17.1R1.7.ovf

Source (.ova) and destination (.ovf) paths to be adjusted by you as needed.

-tt – Target Type (Explicitly express that the target is OVF, OVA, VMX, VMX, vSphere, vCloud, ISO, FLP, or vApprun)

-st – Source Type (Explicitly expresses that the source is OVF, OVA, VMX

Assuming SPACE is going to be installed on VMWare, as version 16.1 or better, this is the recommended sizing:

32GB RAM (OVA installs as 8GB, increase it)
4 vCPU
~ 500GB storage space total

The OVA installs as about 250G storage space. 100G of that is /var. You’ll want to add to that. Depending on the size of the environment being managed and whether this node will also handle integrated logs, anywhere from 250GB to 1TB of additional space is appropriate. It’s possible to add 250GB to start with and then add additional space if required.

SPACE can be deployed as a cluster, all in the same subnet, as well as in a DR scenario across L3 boundaries. Most of my customers run a single instance, as their environment is not large enough to warrant cluster deployment and they can rely on VMWare for DR purposes.

SPACE requires two IP addresses – one for the physical node and one for the VIP, used for HTTPS GUI access. Any additional nodes would need one additional address in the same subnet.

SPACE can use a second interface to communicate with devices if desired. This can be handy if the device management interface and the GUI access need to be in separate subnets.

SPACE does not offer a supported way of firewalling itself. You’ll want to firewall it in your environment, at a minimum restricting access to internal subnets, better yet restricting access to trusted subnets. This is a list of the services used, subject to revision should I miss a few. Juniper have a KB article on this which might be more accurate.

VIP:
– HTTPS inbound for GUI access. Optional Ping inbound.
– If you are using eth0 for device management (no dedicated device management interface), and you don’t have a dedicated monitoring node: SNMP Trap inbound

Physical IP:
– ssh inbound for admin console access. Optional Ping inbound.
– DNS, NTP and SMTP outbound to your DNS/NTP/SMTP servers. RADIUS / TACACS+ outbound to your AAA server(s), if configured. Optional Ping outbound.
– HTTPS and SSH outbound to “*.juniper.net”, or if deploying as a customer instance connecting back to a Juniper partner, *.juniper.net and the partner SPACE proxy. When in doubt, this can be HTTPS outbound “to the Internet.” Optional Ping outbound.
– SNMP inbound if you are using an SNMP monitoring solution to monitor JunOS SPACE itself
– If you have a SPACE cluster with several nodes, they’ll communicate on that subnet using multicast. If multicast does not function in your environment, you can switch to unicast. I’m not sure what the implications of doing so are and prefer to run the default multicast configuration.

Physical IP or Device Management IP, if it was configured:
– ssh, ping and snmp outbound to device subnets
– ssh on port TCP-7804 inbound from device subnets
– snmp-trap inbound from device subnets, if the option to configure SNMP traps upon device discovery is set

If you have a dedicated device monitoring node, snmp-trap will be sent to it. If some of your devices will reach SPACE through NAT, you’ll want to read Juniper’s guidance on it.

These are the parameters you should have before you install SPACE:

  • DNS server address
  • NTP server address
  • Time Zone
  • VIP IP
  • Physical IP
  • Gateway IP
  • If SPACE will be behind a NAT device for device access, you’ll need to specify that during setup and have the NAT addresses handy
  • Node Name – for display in GUI, not the FQDN
  • admin password
  • maintenance password
  • super password
  • Desired FQDN – for DNS entry you will create
  • Cert for that FQDN – to avoid security warnings when connecting to GUI. This can absolutely be an internal trusted CA
  • Desired user authentication method – your options are Local, RADIUS and TACACS+
  • Juniper.net user name and password – for download of schemas and setup of ASAP, the pro-active service app
  • Any apps you will install such as ASAP (aka Service Now), Security Director, Network Director
  • If using Security Director or Network Director, license authorization keys for those and JS-PLATFORM. You’ll “cut” the license once SPACE is installed. If only using ASAP (ne Service Now), you will receive a permanent license once you connect SPACE to juniper.net, free of charge as long as you have at least one device under active maintenance.
  • SMTP server (and any authentication you need) for SPACE to send email
  • Username and password (or ssh key) you will use to manage devices. A “service account” such as “spcadmin” is often a good idea. This account needs “admin” rights in JunOS.
  • SNMPv3 or SNMPv2 read-only for use by SPACE. Optional (but recommended), allows Network Director and OpenNMS to monitor devices.

Once the OVA is installed, has been increased to 32GB RAM and has had an additional disk allocated to it – do NOT increase the size of the disk the OVA creates for you, that won’t work – you are ready to power it up and go through initial configuration. It’s pretty straightforward and asks for many of the parameters you gathered above.

The default username for console access is admin / abc123

The default username for GUI access is super / juniper123

When SPACE is up and running, you’ll have an option to expand virtual drive space. Choose it and assign all the additional disk space your VM guest received to /var. Be careful with this, if you accidentally assign it to another partititon (such as /, /tmp or /var/log), you’ll need to wipe the VM and start over.

Save your admin, maintenance and super passwords in an encrypted, centralized, backed up password safe. You can recover if you lose the admin password, but it takes access to the VMWare host and some effort.
“admin” is used for ssh access, “maintenance” is used for upgrades of the JunOS SPACE platform itself, and “super” is used for GUI access.

Additional housekeeping while on console and waiting for jboss and thus the GUI to start:

  • Change admin password expiration. Default is 70 days; you’ll likely want a longer timeout or “never”.
  • Change ssh session timeout. Default is 5 minutes. You can edit /etc/ssh/sshd_config and set ClientAliveInterval to 600 and ClientAliveCountMax to 3 and you’ll have 30 minutes.
  • Install VMWare Tools. Your VMWare admins will thank you.

If you want to avoid HTTPS security warnings when connecting to JunOS SPACE, create a DNS entry for its VIP address with the FQDN you chose, then create a cert (again, trusted internal CA is fine) for that. You’ll load that in the GUI under Administration -> CA/CRL certificates. Load the cert and any needed intermediate CAs.

Once in the GUI, you’ll want to change some of the default settings. Go to Administration -> Applications, right-click “Network Management Platform” and choose “Modify Application Settings”.
– “Allow Device Communication” is critical.
– “Add SNMP configuration to device for fault monitoring” can be useful if you want to use OpenNMS, but isn’t critical.
– “Configure commit synchronize” creates issues with single EX devices, uncheck that.
– “Manually resolve fingerprint conflicts” is probably more hassle than its worth for all but the most security-conscious customers.
– “Auto Resync”, “Approval workflow” and “commit confirmed” are useful
-Under “User”, set the timeout. 30 or 60 minutes seems reasonable for most environments.
– Under “Password”, set the password expiry in months. I’ve seen customers set this to “120” because they believe in the revised NIST guidelines and prefer good passwords over frequent changes.
– Under “Security”, the “Disable weak algorithms” checkbox will help the device pass an audit.

And hit “Modify”, wait for JunOS SPACE to restart its web server, and log back in.

If you are not going to use OpenNMS, you may disable it under Administration -> Applications -> Network Management Platform -> Manage Services

Under Administration -> DMI Schemas, set SPACE up to be able to pull DMI Schemas.
Click on the “Update Schema” icon, click the “SVN Repository” radio button and the “Configure” button. The URL is https://xml.juniper.net/dmi/repository/trunk/, the username and password are a juniper.net login that belongs to the organization running this SPACE instance. “Auto Install Schema” is a good idea as it avoids additional work. “Test Connection”, then “Save”.

Under Administration -> SMTP Servers, set up your mail server.

Under Administration -> Authentication Servers, set up your RADIUS/TACACS+ auth. I recommend “Remote-Local Authentication” so that you can still get into the unit using “super” if the remote authentication fails.

Under Administration -> Database Backup and Restore, you can set a backup to an scp server. It’s likely you’ll be relying on VMWare snapshots, but if you don’t have that in place, this is highly recommended.

Under Administration -> Purging Policy, set a policy to purge disk space periodically. Not really needed unless you take regular local DB backups or have very large device configuration files, in which case it becomes critical.

Under Administration -> CA/CRL certificates, install your HTTPS certificate.

Under Administration -> Fabric, enable the Cassandra service using Actions -> Enable Cassandra. This improves MySQL performance by offloading device image files to the Cassandra service.

Install any applications you’d like to use. ASAP (ne Service Now) is quite useful, and Security Director is the obvious choice for SRX policy management.

When deploying Security Director, I recommend also deploying a second node as Log Collector.  Unless you already have the SIEM IBM QRadar or Juniper JSA collecting logs, in which case you can just point Security Director towards those.
Log Collector will require another 16GB, 2 IP addresses (one in the same subnet as the main SPACE node for cluster comms and one for syslog, can be in the same subnet but need not be), and either 500GB of disk space and an NFS share, or 1TB (or more) of disk space to hold logs locally.

If you do use ASAP (Service Now), here are a few settings that’ll help you out:

You’ll add an “Organization”. If you are going through a partner proxy with PAR service instead of direct to Juniper, work with the partner on that setup. They’ll point your instance to their proxy, load a certificate file for their proxy, and they may set an auto-submit policy for incidents.

Administration -> Global Settings -> Core File Upload Configuration, set this to “Secure FTP upload through Service Now”. Otherwise devices will try to FTP directly to juniper.net and that will likely fail.

Here are some good videos by Juniper on using ASAP:

Video #1: https://www.youtube.com/watch?v=EM2w86T96Ac
Video #2: https://www.youtube.com/watch?v=HiAKA2ItROg
Video #3: https://www.youtube.com/watch?v=gU-f1hxttCY
Video #4: https://www.youtube.com/watch?v=a9mUSmJXST4

 

Lastly, when adding devices to SPACE, consider assigning them a public tag such as “All Devices” and configuring Configuration Files backup to act on that tag on a schedule, say once a day.

You can create schedules to find new devices automatically, and you can of course use the base JunOS SPACE application to upgrade firmware and make bulk configuration changes.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: