Installing Juniper Networks NSM (Network and Security Manager) on CentOS


Background

Note: This was based on NSM 2008; however, 2009 can be installed in the exact same manner.

Juniper Networks Network and Security Manager (formerly NetScreen Security Manager) is the management platform for many of Juniper's products. At the time of this writing, April 2009, it supports M-series routers, J-series routers, SRX security gateways, all ScreenOS firewalls, EX switches, Secure Access SSL VPN, Unified Access Control (equivalent to Cisco NAC) and the IDP (Intrusion Detection and Prevention, an IDS/IPS). In the near future it will manage all of Juniper's products. NSM is a Java-based server with Java-based clients that run on Windows or Linux. The server can run on either Solaris or Linux. It can manage configs, take in device logs, build reports from logs, templatize configs, show used/unused ports on EX switches, upgrade software, RMA devices, and many more features I won't list here.

The downside is that NSM takes a dual-core CPU to run as of 2008.X. I used to run 2007.X in a virtual machine; as of 2008, no more, it is too much of a beast. So I highly recommend buying your own dedicated server. Even with NSM as the only VM on a quad-core Xeon with 4GB of RAM, it is painfully slow: usable, but slow. My dedicated NSM server is as follows:
CPU: Intel(R) Xeon(R) CPU 3050 @ 2.13GHz (dual core)
RAM: 4GB
Hard drive: 80GB Sata II


NSM requires around 13GB of hard drive space. Leave enough room for logs on top of the 13GB.

NSM is free and does not require a license when managing 25 devices or fewer, provided you have a valid Juniper login.

Note: This is not supported by Juniper. Juniper only supports RHEL 4 and 5, and they are currently trying to move away from custom RHEL servers and push everyone towards the NSM Express appliance.

This is based on NSM 2008.2r1.

Install CentOS


CentOS is a free Red Hat Enterprise Linux clone, so if you do not want to pay for RHEL, use CentOS; in our case, of course, we don't want to pay.

I have created a document outlining how to create a minimal CentOS install. Follow these instructions, making sure to add GnuPG (gpg) and rsync as selected/installed packages; NSM requires these two pieces of software.
Here is the link to the CentOS install
Link ...
NSM requires CentOS 5.2. 5.2 is no longer maintained; you can obtain it from
http://vault.centos.org/5.2/



Download NSM software

To do a fresh install of NSM 2008 on CentOS, download the "Linux Server Installer" at
https://softserv.juniper.net/download/2008.2---12172008/NetScreen-Security_Manager/downloads/nsm2008.2r1_servers_linux_x86.zip
and the "Linux System Update utilities" at
https://softserv.juniper.net/download/2008.2---12172008/NetScreen-Security_Manager/downloads/nsm2008.2r1-systemupdate-linux.zip

Also download the Windows GUI client
https://softserv.juniper.net/download/2008.2---12172008/NetScreen-Security_Manager/downloads/nsm2008.2r1_ui_win_x86.zip
and/or the Linux GUI client
https://softserv.juniper.net/download/2008.2---12172008/NetScreen-Security_Manager/downloads/nsm2008.2r1_ui_linux_x86.zip


Prep CentOS


Disable Firewall/Iptables


I would disable the Linux firewall, or if you know what you are doing you can create your own rules to allow NSM traffic.
To disable the firewall:

[root@nsm ~]# /etc/init.d/iptables stop                  # disables at runtime
[root@nsm ~]# chkconfig --level 12345 iptables off       # disables on boot

Verify iptables has been disabled at all run levels. The output will look like the following:

[root@nsm ~]# chkconfig --list iptables
iptables           0:off    1:off    2:off    3:off    4:off    5:off    6:off


Make CentOS appear as if it is RHEL


You must make CentOS look like it is actually RHEL 5 (in the case of CentOS 5; CentOS 4 would be RHEL 4). To do this, modify /etc/redhat-release to read

Redhat Enterprise Linux Server release 5


If you take a look at the NSM install scripts, they look for this string.
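
The prerequisites this article names (gpg and rsync, around 13GB of free space, and the RHEL 5 release string) can be checked with a script before running the installer. This is an added example, not part of the original article or of Juniper's installer; the function names, the .centos-orig backup suffix and the /var default for the space check are assumptions.

```sh
#!/bin/sh
# Added example: checks for the prerequisites listed in this article.
# Function names and the /var default are assumptions, not part of NSM.

NSM_RELEASE_STRING="Redhat Enterprise Linux Server release 5"  # from the article
NSM_MIN_GB=13                                                  # "around 13GB"

# Succeeds if the first line of the release file is the expected string.
check_release_file() {
    file=${1:-/etc/redhat-release}
    [ -r "$file" ] || return 1
    [ "$(head -n 1 "$file")" = "$NSM_RELEASE_STRING" ]
}

# Keeps one backup of the original file, then writes the expected string.
set_release_file() {
    file=${1:-/etc/redhat-release}
    [ -e "$file.centos-orig" ] || cp -p "$file" "$file.centos-orig" || return 1
    printf '%s\n' "$NSM_RELEASE_STRING" > "$file"
}

# Succeeds if the filesystem holding $1 has at least $2 GB available.
check_free_space() {
    dir=${1:-/var}
    min_gb=${2:-$NSM_MIN_GB}
    avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge $((min_gb * 1024 * 1024)) ]
}

# Prints the missing tools (default: those the article uses); succeeds if none.
missing_tools() {
    [ $# -gt 0 ] || set -- gpg rsync unzip tar
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Runs every check and reports each failure; non-zero if any check failed.
nsm_preflight() {
    rc=0
    tools=$(missing_tools) || { echo "missing tools: $tools"; rc=1; }
    check_free_space "${1:-/var}" || { echo "under ${NSM_MIN_GB}GB free on ${1:-/var}"; rc=1; }
    check_release_file || { echo "/etc/redhat-release is not '$NSM_RELEASE_STRING'"; rc=1; }
    return $rc
}
```

Source the file as root and call nsm_preflight before starting the installer; set_release_file leaves the original CentOS release string in the backup file.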


Install

Copy nsm2008.2r1_systemupdate-linux.zip to the CentOS filesystem. Make sure the location you are copying it to has enough room before and after the file is unzipped.

Unzip the system updates:
[root@nsm ~]# unzip nsm2008.2r1_systemupdate-linux.zip


This will create two files
nsm2008.2r1_systemupdate-linuxES_5.tar
nsm2008.2r1_systemupdate-linuxES_4.tar

You need to untar the file nsm2008.2r1_systemupdate-linuxES_5.tar
[root@nsm ~]# tar xf nsm2008.2r1_systemupdate-linuxES_5.tar

This will create a directory called es5. cd to es5 and run
[root@nsm ~]# sh rhes5.sh

This will install all the packages needed by NSM.

Then run
[root@nsm ~]# unzip nsm2008.2r1_servers_linux_x86.zip

This will unzip a huge shell script called nsm2008.2r1_server_linux_x86.sh. It is huge because there are about 11000 lines of checks, and the rest is the packed binary of the NSM install.

Then run
[root@nsm ~]# sh nsm2008.2r1_server_linux_x86.sh -niAPPLIANCE=n
This will take some time to unpack everything and then ask you some questions. Just allow the defaults.

After the script has finished, change guiSvr1.addr in /var/netscreen/DevSvr/devSvr.cfg to 0.0.0.0; otherwise, if you change the IP, you cannot add devices.

Now install the gui client and point it to the NSM server, with the username of super and the password you supplied during the NSM install.

You now have a running NSM server!

Comments

No /administration after install

This worked for me using 2010.1, however I cannot https to the server, neither direct to download the client, nor to the /administration page. I'll keep working at it to see if I can figure it out, but if anyone has run into this, please let me know. Thanks.

Last edited Apr 14, 2010 5:14 PM

Untitled

From the previous post, use tar xf to extract files from .tar archives, was a missing step


Unzip the system updates, run
[root@nsm ~]# unzip nsm2008.2r1_systemupdate-linux.zip

This will create two files
nsm2008.2r1_systemupdate-linuxES_5.tar
nsm2008.2r1_systemupdate-linuxES_4.tar

You need to untar the file nsm2008.2r1_systemupdate-linuxES_5.tar
[root@nsm ~]# tar xf nsm2008.2r1_systemupdate-linuxES_5.tar

This will create a dir called es5, cd to es5 and run
[root@nsm ~]# sh rhes5.sh

Last edited Mar 16, 2010 6:28 AM

hi

I am trying to install this NSM on CentOS.

I am stuck at

[root@nsm ~]# unzip nsm2008.2r1_systemupdate-linux.zip

it will create some dirs, cd es5 and run


No directory is created and only two files named
nsm2008.2r1_systemupdate-linuxES_5.tar
nsm2008.2r1_systemupdate-linuxES_4.tar
are extracted.

Please tell me what to do in this case.

Last edited Mar 17, 2010 9:13 AM

Very Cool

I haven't tried this but can't see why it wouldn't work. You don't see many comments or instructions on NSM anywhere. Thanks for posting. I'm not 100% sure on this but people need to be careful if you are going to run on CentOS. Last time I checked the only supported OS options by Juniper were RHES and Solaris. Might violate some weird rule in a support contract somewhere and void your support.

Last edited Feb 23, 2010 8:07 PM

NSM2009.1r1...

Hi,

I've tried with NSM2009.1r1 and it worked very well!
Thanks!

Fernando Silva
Brazil

Last edited Feb 16, 2010 4:42 AM