
Service Orchestration

Configuration > Cloud Services > Service Orchestration

To watch a video of this feature, see How to Integrate with Third-Party Service Providers.

Use the Service Orchestration tab to automate the integration of third-party services that do not expose an API. Service Orchestration automates the creation and deployment of IPSec tunnels and IP SLA probes and manages the lifecycle of those tunnels and probes.

Service Orchestration creates a local tunnel identifier (IKE ID) for each tunnel to the third-party service. After the tunnels are created, complete the integration on the third-party service’s site by replacing the source identity values with the local tunnel identifiers (IKE IDs) that Orchestrator created for each endpoint.

NOTE: By default, Service Orchestration provides the framework for Netskope integration. The instructions on this page are specific to Netskope, but you can apply the same general procedure to other third-party services.

Prerequisites

  • You must have loopback interfaces configured to use the Service Orchestration feature.

  • Service Orchestration supports third-party services that use IPSec IKEv2 endpoints.

  • You will need the following information from the third-party service for each endpoint you want to add:

    • Endpoint name

    • IP address

    • Probe address

Remote Endpoint Configuration

Add the remote endpoints for Netskope.

You can add one endpoint at a time or add endpoints in bulk by importing the information from a CSV file.

Add Endpoints One at a Time

  1. Click Remote Endpoint Configuration.

    The Add Remote Endpoints for Netskope dialog box opens.

  2. Click +Remote Endpoint.

  3. Complete the following fields—press the Tab key to navigate to the next field.

    Name
      Name of the Netskope endpoint.

      IMPORTANT: If an endpoint name is decommissioned or modified, you must update the value in this table.

    IP Address
      IP address of the Netskope endpoint.

      IMPORTANT: If an IP address is decommissioned or modified, you must update the value in this table.

    Interface Label
      The interface labels that can be provisioned for this endpoint. Only labels in this list will be provisioned.

      HINT: Click Interface Label Default to reset the Interface Label for every endpoint in the table to the default value of Any.

    Pre Shared Key
      The pre-shared key for the endpoint. To display the pre-shared key, click anywhere in the field. Do one of the following:

      Edit this field for each endpoint. The value can be an ASCII string, a hex-encoded string (with a 0x prefix), or a base64-encoded string (with a 0s prefix). Use a long random value: with IKEv2 PSK authentication, this key is the only credential that authenticates the peer.

      Click PSK Default to create and save one pre-shared key that every endpoint will use. Tunnel traffic is encrypted either way, but a key shared by all endpoints must be rotated on every endpoint if it is ever disclosed; per-endpoint keys limit that exposure to a single tunnel.

    Probe Address
      The Netskope endpoint that the IP SLA subsystem will ping. You can obtain the probe address from the third-party security provider.

      IMPORTANT: Orchestrator prefills the Address field in the IPSLA Settings dialog box with this value. If you delete the value in the Probe Address field in this table, Service Orchestration pings the value specified in the Address field in the IPSLA Settings for Netskope dialog box instead.

    Backup Remote Endpoint
      Enter the Netskope endpoint that you want to use as a backup tunnel. For example, ATL1-Atlanta could use DFW1-Dallas as a backup remote endpoint. If you leave this field empty, the endpoint will not have a backup tunnel. The BIO determines how traffic is handled when a single tunnel, or both the primary and backup tunnels, go down.
  4. Repeat these steps for each endpoint.

    TIP: To delete an endpoint, click the X in the last column in the table.

  5. Click Save.

    Updates are orchestrated immediately.

Add Endpoints in Bulk

  1. Click Remote Endpoint Configuration.

    The Add Remote Endpoints for Netskope dialog box opens.

  2. Click Import to import a list of remote endpoints from a CSV file. The CSV file must contain columns for name, IP address, interface label, pre-shared key, probe address, and backup remote endpoint, in that order.

    NOTE: Remove any header rows before you import the file.

  3. Click Choose File.

  4. Navigate to the file, select the file, and then click Open.

  5. Click Save.

    Updates are orchestrated immediately.

Bulk Edits

To make bulk edits to the table:

  1. Click Export.

  2. Open the CSV file and delete the three header rows.

  3. Modify, save, and close the file.

  4. Click Import, and then click Choose File.

  5. Locate and select the file, and then click Open.

    Orchestrator updates the table.

  6. Click Save.
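The Import and Bulk Edits procedures above both turn on one file layout: six columns in the documented order, no header rows on import, and three header rows to strip from an Export. The following is an added example, not code from this page or from Orchestrator, that builds an import-ready file, strips an export's header rows, and runs the checks a practitioner would want before clicking Import: column count, valid IP addresses, a pre-shared key that actually parses in the encoding its prefix claims (ASCII, 0x hex or 0s base64), and backup endpoints that refer to rows in the same table. The endpoint names, addresses and the header text of the sample export are constructed; the real export header content is not documented here.

```python
"""Prepare and check a Service Orchestration remote-endpoint CSV.

Added example, not code from the HPE Aruba page or from Orchestrator. It relies
only on what the page states: the import file has six columns in the order
name, IP address, interface label, pre-shared key, probe address, backup remote
endpoint; it carries no header rows; an Export adds three header rows; and the
PSK is an ASCII string, 0x-prefixed hex, or 0s-prefixed base64. The endpoint
names, addresses and the export header text below are constructed sample data.
"""
import base64
import binascii
import csv
import io
import ipaddress
import re
import secrets
from typing import List, Optional

COLUMNS = ("name", "ip_address", "interface_label", "pre_shared_key",
           "probe_address", "backup_remote_endpoint")
EXPORT_HEADER_ROWS = 3
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def new_psk(nbytes: int = 32) -> str:
    """Random per-endpoint PSK in the 0s (base64) form the table accepts."""
    return "0s" + base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def psk_problem(psk: str) -> Optional[str]:
    """None if the PSK parses in one of the three accepted encodings."""
    if not psk:
        return "empty pre-shared key"
    try:
        if psk.startswith("0x"):
            binascii.unhexlify(psk[2:])
        elif psk.startswith("0s"):
            base64.b64decode(psk[2:], validate=True)
        elif not (psk.isascii() and psk.isprintable()):
            return "plain PSK must be printable ASCII"
    except (binascii.Error, ValueError):
        return "prefix does not match the key encoding"
    return None


def is_address(value: str) -> bool:
    """IP literal or hostname; the probe target may be either."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def validate_rows(rows: List[List[str]]) -> List[str]:
    """The checks a reviewer would run before clicking Import."""
    errors = []
    names = [r[0] for r in rows if len(r) == len(COLUMNS)]
    if len(set(names)) != len(names):
        errors.append("duplicate endpoint names")
    for n, row in enumerate(rows, 1):
        if len(row) != len(COLUMNS):
            errors.append(f"row {n}: expected {len(COLUMNS)} columns, got {len(row)}")
            continue
        name, ip, _label, psk, probe, backup = row
        if not name:
            errors.append(f"row {n}: missing endpoint name")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"row {n}: IP address {ip!r} is not an IP address")
        if probe and not is_address(probe):  # empty probe falls back to IP SLA Settings
            errors.append(f"row {n}: probe address {probe!r} is not an address")
        problem = psk_problem(psk)
        if problem:
            errors.append(f"row {n}: {problem}")
        if backup == name:
            errors.append(f"row {n}: endpoint is its own backup")
        elif backup and backup not in names:
            errors.append(f"row {n}: backup {backup!r} is not an endpoint in this table")
    return errors


def strip_export_headers(exported: str) -> List[List[str]]:
    """Drop the header rows of an Export so the file can be re-imported."""
    return list(csv.reader(io.StringIO(exported)))[EXPORT_HEADER_ROWS:]


def to_import_csv(rows: List[List[str]]) -> str:
    """Serialise rows with no header row, as Import requires."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def sample_rows() -> List[List[str]]:
    """Constructed endpoints on documentation address ranges, not real Netskope POPs."""
    return [
        ["ATL1-Atlanta", "198.51.100.10", "Any", new_psk(), "198.51.100.10", "DFW1-Dallas"],
        ["DFW1-Dallas", "198.51.100.20", "Any", "0x" + "7a" * 32, "198.51.100.20", "ATL1-Atlanta"],
    ]


# Constructed stand-in for an Export: three header rows, then the table.
SAMPLE_EXPORT = (
    "Netskope remote endpoints\n"
    "Exported from Orchestrator\n"
    "Name,IP Address,Interface Label,Pre Shared Key,Probe Address,Backup Remote Endpoint\n"
    "ATL1-Atlanta,198.51.100.10,Any,sharedsecret,198.51.100.10,DFW1-Dallas\n"
    "DFW1-Dallas,198.51.100.20,Any,sharedsecret,198.51.100.20,\n"
)

if __name__ == "__main__":
    rows = strip_export_headers(SAMPLE_EXPORT)
    print(validate_rows(rows) or "export rows OK")
    print(to_import_csv(sample_rows()), end="")
```

Run `validate_rows` on the stripped export before re-importing it; an empty list means the file is ready. `new_psk` is the per-endpoint alternative to PSK Default: each row gets its own 256-bit key in the 0s form, so a disclosed key affects one tunnel only.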

Interface Labels

Select the Primary and Backup interface labels for your traffic. Backup interface labels will be used if the primary interface labels are unreachable.

NOTE: Netskope does not support Active-Active backup.

  1. Click Interface Labels.

    The Build Tunnels using these Interfaces for Netskope dialog box opens.

  2. Drag the interface labels you want to use into the Primary area. (The Peer/Service names in the Tunnels table will be NSK_Primary_1 and NSK_Primary_2.)

  3. Drag the interface labels you want to use into the Backup area. (The Peer/Service names in the Tunnels table will be NSK_Backup_1 and NSK_Backup_2.)

  4. Drag the interface labels up or down to reorder the list as necessary.

  5. Click Save.

Tunnel Settings

Click Tunnel Settings to configure the Netskope tunnel settings.

IP SLA Settings

  1. Click IP SLA Settings.

    The IPSLA Setting for Netskope dialog box opens.

  2. If all fields are dimmed, click Enable IP SLA rule orchestration.

  3. Complete the following fields.

    Monitor
      Ping or HTTP/HTTPS.

    Address
      Netskope endpoint that the IP SLA subsystem will probe. Orchestrator prefills this field with the Probe Address from the Remote Endpoint Configuration table. You can configure up to three addresses.

    Source Interface
      Select an orchestrated loopback label.
  4. Accept the default values for the remaining fields, and then click Save.

    Orchestrator builds the tunnels.

Pause Orchestration (Optional)

When troubleshooting, you can click Pause Orchestration and then click Save to pause the service orchestration. To restart the service orchestration, click Resume Orchestration.

+BIO Breakout

By default, the tunnels associated with a third-party service will be available for BIOs. You can upload an icon to display on the Business Intent Overlays tab.

NOTE: Supported file types include PNG, JPEG, SVG, and WEBP. The recommended dimensions are 60 x 20 pixels.

  1. Click +BIO Breakout.

    The Configure BIO Breakout for Netskope dialog box opens.

  2. Click Upload Service Icon.

  3. Locate and select the file, then click Open.

  4. Click Save.

    This icon will display next to the service name on the Business Intent Overlays tab.

If you do not want this third-party provider to be available for BIOs, do the following:

  1. Click +BIO Breakout.

    The Configure BIO Breakout for Netskope dialog box opens.

  2. Clear the BIO Breakout check box.

  3. Click Save.

Remote Endpoint Association

The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances with remote endpoints. Use this page to add or remove endpoints from an appliance. It is recommended that you associate one remote endpoint per EdgeConnect appliance.

  1. In the Orchestrator appliance tree, select one or more appliances to associate with Netskope remote endpoints.

  2. Click Remote Endpoint Association.

    The Associate an Appliance to Netskope Remote Endpoints dialog box opens.

  3. Select the Add or Remove check box next to the endpoints you want to associate with the selected appliances. Be sure to add the endpoints that are geographically closest to the appliances.

  4. Verify the proposed changes to remote endpoints in the table to the right, and then click Save.

Add Tunnel Local Identifiers to Netskope

After the Service Orchestration integration is complete in Orchestrator, you must add the local tunnel identifiers (IKE IDs) to Netskope. You can simplify this process by exporting the Netskope configuration to a CSV file. The exported file contains all of the configuration details in the table on the Netskope page for all selected appliances, including IKE IDs.

NOTE: The tunnel local identifier value is a fixed format: hostname_labelname@IPaddress. For example, EAST3-AWS_INETA@192.x.x.xxx.

  1. In the Orchestrator appliance tree, select all appliances associated with Netskope remote endpoints.

  2. On the Netskope page on the Service Orchestration tab, click Export to save the contents of the table to a CSV file.

  3. Log in to Netskope.

  4. In the IPSec configuration panel, replace the Source Identity values with the corresponding Tunnel Local Identifiers (IKE IDs) created by Orchestrator.
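Every Source Identity you paste into Netskope must match the local identifier Orchestrator actually presents during IKEv2 authentication, so a typo or a stale address silently breaks that tunnel. The following is an added example, not code from this page or from Orchestrator, that validates each exported IKE ID against the documented hostname_labelname@IPaddress format and diffs the list against what you expect from your own appliance inventory. Assumed, and not stated by the page: the label is the text after the last underscore (so hostnames may contain underscores, labels may not); the inventory and the exported IDs below are constructed sample data.

```python
"""Check the tunnel local identifiers (IKE IDs) in an Orchestrator export
before copying them into the Netskope Source Identity fields.

Added example, not code from the page or from Orchestrator. The only
documented fact used is the fixed format hostname_labelname@IPaddress.
Assumed (not stated by the page): the label is the text after the last
underscore, so hostnames may contain underscores but labels may not; the
appliance inventory and exported IDs below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IKE_ID_RE = re.compile(r"^(?P<host>[^@\s]+)_(?P<label>[^_@\s]+)@(?P<ip>[^@\s]+)$")


def parse_ike_id(ike_id: str) -> Optional[Dict[str, str]]:
    """Split a well-formed IKE ID into host, label and IP; None otherwise."""
    m = IKE_ID_RE.match(ike_id)
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"host": m["host"], "label": m["label"], "ip": m["ip"]}


def expected_ike_ids(inventory: Dict[str, Dict[str, str]]) -> set:
    """IDs Orchestrator should have produced for each appliance's labels."""
    return {f"{host}_{label}@{ip}"
            for host, labels in inventory.items()
            for label, ip in labels.items()}


def check_export(exported: List[str],
                 inventory: Dict[str, Dict[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Return (malformed, unexpected, missing) relative to the inventory.

    'unexpected' entries are what would become a typo or stale address in
    Netskope; 'missing' entries are tunnels the export did not contain.
    """
    malformed = [i for i in exported if parse_ike_id(i) is None]
    seen = set(exported) - set(malformed)
    expected = expected_ike_ids(inventory)
    return malformed, sorted(seen - expected), sorted(expected - seen)


# Constructed: hostname -> {interface label: WAN address}. Hostname and label
# style follows the page's example EAST3-AWS_INETA; addresses are documentation ranges.
SAMPLE_INVENTORY = {
    "EAST3-AWS": {"INETA": "203.0.113.10", "INETB": "203.0.113.11"},
    "WEST1-DC": {"INETA": "203.0.113.20"},
}

# Constructed stand-in for the IKE ID column of the CSV export.
SAMPLE_EXPORT_IDS = [
    "EAST3-AWS_INETA@203.0.113.10",
    "EAST3-AWS_INETB@203.0.113.11",
    "WEST1-DC_INETA@203.0.113.99",   # address differs from inventory
    "WEST1-DC INETA 203.0.113.20",   # not in the documented format
]

if __name__ == "__main__":
    for name, items in zip(("malformed", "unexpected", "missing"),
                           check_export(SAMPLE_EXPORT_IDS, SAMPLE_INVENTORY)):
        print(name, items)
```

Feed `check_export` the IKE ID column of the real export and the WAN addresses you expect per label; resolve every item in all three lists before touching the Netskope IPSec configuration.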

Verification

After Netskope is configured and the Netskope policy is applied successfully in the BIO, deployment will begin automatically. Go to the Netskope tab and view the Connection Status column to verify that the deployment was successful.

Set Up a New Service

To set up a new third-party service:

  1. Click +Add Service and complete the following fields.

    Name
      Name of the new service.

    Prefix
      A prefix to assign to all tunnels for this service. Orchestrator uses this prefix to filter tunnels and IP SLAs.
  2. Click Save.

    A new tab is created on the Service Orchestration page.

    TIP: To edit or delete a service, click the edit icon next to the service name.

  3. Select the tab for the new service and follow the Netskope steps on this page, from Remote Endpoint Configuration through Verification, to integrate the new service.



© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.