Juniper Networks Simply Connected Workshop

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Our Company Notre entreprise En France : 50 collaborateurs 4/23/2017 Our Company Notre entreprise En France : 50 collaborateurs Fondée en 1992, 5 agences 80m $ ATC et centre de support Paris Nantes Lyon Toulouse Marseille

Produits ● Services ● Formations 4/23/2017 Our Company Notre entreprise Produits ● Services ● Formations Partenariats avec les leaders du marché de la sécurité Des services innovants : Prestations d’installation Support téléphonique 24x7 et support matériel sous 4h Centre de formation agréé Nous intervenons sur des problématiques de : Sécurité (réseau, web, postes clients, nomadisme…) Mobilité Disponibilité et optimisation des applications Conformité légale Wifi

Des équipes dédiées pour vous accompagner à chaque étape du cycle de vente Déploiement et support Formations Offre commerciale Nouveaux clients Nouveaux Projets Architecture Argumentation 5

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Juniper Wireless LAN Product Portfolio 4/23/2017 Juniper Wireless LAN Product Portfolio Access Points Best price performance, Mass deployment ready Controller Scalable, Flexible, Fastest, Highest capacity Mobility Mgmt & Services Unified Infrastructure and services Wlan Life Cycle Mngt Guest Access Location Awareness Mobility System Software Secure, Reliable, Seamless Mobility Services Trapeze Networks, A BELDEN Brand | Proprietary and Confidential | 4/23/2017 Slide 7 7

Juniper WLC Series controller family 64 - 512 11n AP WLC2800 WLC Series Highlights Simplest solution in the Industry Highest reliability in the industry Only vendor with in-service upgrades Full featured distributed deployment 16 - 256 11n AP WLC880 Enterprise 16 - 128 11n AP WLC800 WLC100 New JunosV WLC Campus 4 - 32 11n AP WLC8 12 AP 4 AP WLC2 Branch 4 12 16 32 64 128 192 256 512 # of AP

Juniper WLA Series Access Point Next Generation Family WLA Series Highlights Highest performance APs in the industry Most cost effective APs in the industry Full featured Intelligent switching Spectrum analysis across the portfolio Bridging and mesh Q3/ 2014 Q2/ 2014 3x3 MIMO Dual Radio All Weather WLA632 11ac 3x3 MIMO Dual Radio All Weather Firefox 11ac 3x3 MIMO Dual Radio Gigabit Performance RAPTOR 3 Stream MIMO Dual Radio High Performance WLA532/E Dual Radio Entry-level AP NG Outdoor Functionality Single Radio Low Cost AP NG Indoor WLA322 WLA321 Entry level 802.11n Indoor 11n/11ac Outdoor 11n/11ac

WLA532: High Performance, Enterprise-Grade AP Features Interfaces Concurrent 3-stream dual-radio operation Up to 450Mbps link speed on 5GHz Up to 195Mbps link speed on 2.4GHz 10x better performance than 802.11a/g 802.3af PoE power Security Encryption at “air” rate 802.11i, WPA2/AES, WPA/TKIP, WEP No stored configuration, no serial port, special tool lock screw on bracket AP to MX data path encryption Performance and Mobility Local switching for low latency, high performance Advanced AP VLAN tunneling Management AutoTune Dynamic RF management Antenna Six Internal cross-polarized antennas with 5 degree down-tilt for best signal strength Usability & Ease-of-Installation Versatile mounting options for ceiling, wall mount and wall plugs Product Ordering WLA532-US: For US operation WLA532-IL: For Israel operation WLA532-WW: For Worldwide operation except US and IL

Indoor 11n AP Product Portfolio Comparison

Juniper WLM Series Life Cycle Management RingMaster Planning and deployment 3D predictive planning tool Indoor and outdoor network plan Configuration and Verification Complete offline configuration System and service wizards Pushes configuration to WLCs Monitoring and reporting By user, radio, AP, WLC, SSID 30 day history aids compliance WIDS/WIPS integration Location aware Search by location Roaming history Geo fencing Plan Config Monitor Trouble shoot Report

Juniper WLM Series Guest Management Web-based access control suite Guest access module Ease of use / Bulk user creation API for 3rd part application integration SMS / Email creation of guest coupons with Self-Provisioning Accounting database Detailed client accounting history Reporting available via RingMaster Access control module RFC 3576 (Dynamic Radius) Location awareness for client sessions. Allow or deny access based on location Change any AAA attribute based on location Access Rules (location based, time based or a combination of both) SmartPass Centralized Guest Access Database

Juniper WLM Series Device Onboarding SmartPass Connect Automated, Self-Service Onboarding Automatically provision client devices Secure 802.1x or PSK access to the wireless network Secure 802.1x access to the wired network Authentication Leverages built-in supplicants in today’s modern OSs Credentials (PEAP, TTLS) or Certificates (TLS) Automates certificate enrollment process Self service client certificate deployment from Microsoft CA Devices iOS, Android, Windows, Mac

Software Feature Highlights 4/23/2017 Software Feature Highlights Secure Client Mobility Roaming across APs, controllers Identity-based networking Controller Virtualization (cluster) 150 msec AP failover for controller outages. No session losses Single point of configuration Many-to-many in-service resiliency Dynamic AP load balancing across controllers In service maintenance - adds, moves, changes, upgrades cluster Distributed Forwarding Efficient and flexible data path forwarding AP to WLC, WLC to WLC tunneling Voice application awareness Active call management (CAC) SIP inspection / prioritization Call details record, audit trail Device Profiling Automatically detects client operation system Option to assign policies, depending on operating system AP Load Balancing APs dynamically assigned to least loaded controllers Eliminates management chore of AP-Controller mapping Scale capacity w/ zero config Less waste of AP licenses Band Steering & Client Load Balancing Preserves b/g bandwidth Prevents “front door” problem Maximizes per-user bandwidth QoS Management L2/L3/L4 classification, bandwidth, QoS controls By user, SSID or application Wireless Security WIDS/WIPS AAA, guest services Location Aware WLAN Access Per session, port, VLAN, AP ACLs Dynamic authentication (location, time, bandwidth usage…) Trapeze Networks, A BELDEN Brand | Proprietary and Confidential | 4/23/2017 Slide 15

Persistent AP Configuration Allows APs to survive reboot Enhanced Branch Survivability Enables deployments with periodic WLC access Feature Description AP boots without controller Service using ‘last-known’ config Seamless re-entry to WLC Needs APOS on the AP Supported on WLA-532/322/321 X

Remote AP RADIUS Client Overview Enhances Remote AP capabilities Extends Branch Survivability Enables longer latency WAN links Feature Description 802.1X/RADIUS authentication RADIUS MAC authentication RADIUS CoA Device Fingerprinting Failover/back session persistence Campus WLC SRX Centralized RADIUS WAN Branch SRX EX Local RADIUS

Controller Clustering Why order the HA-license? The cluster/HA feature is always available Why do I need the license? The cluster/HA license adds AP-count redundancy: Scenario: redundant setup for 250 AP’s Without the license: Each controller needs 256 AP licenses With the license: Each controller needs 128 AP licenses + HA license During a fail situation, the remaining controller will support 256 AP’s On WLC-880: HA license = $ 3895 // 128 AP licenses = $ 18580

Juniper Wireless Desinged to scale Vlan Pooling Ability to setup a pool of 32 VLANs per pool and 16 pools per Cluster Users connecting to that pool will be balanced across the member VLANs Vlan assignment is done using Round Robin mechanism

MICROSOFT LYNC WIFI PARTNER PROGRAM Set of certifications intended to ensure compatibility between Lync software and WiFi infrastructure networks 3 levels of certification requirements Fixed data: IM, web-conference, file-sharing Fixed RealTime Multimedia: audio or video conferencing from desk/conference room Mobile RealTime Multimedia: audio/video while on the move Juniper and a few other vendors have completed certification for wired networking products

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

What is JunosV Wireless LAN Controller? Virtualized Environment VM1 VM2 VM3 JunosV WLC Hypervisor X86 server platform Juniper is delivering its industry-leading Mobility System Software as a software appliance for deployment in virtualized environments

JunosV Wireless LAN Controller Overview Virtual WLAN Appliance WLC delivered as a virtual appliance on VMware-based hypervisors Runs on standard x86 hardware Maintains features and functionalities of appliance based WLCs Supports mix-and-match deployment with physical WLCs Performance and capacities dependent on host hardware APs, data plane throughput, session counts scale with host resources Supports Hypervisor VM functionality vMotion, snapshots, cloning, templates VMWare vCenter JunosV WLC VM VM VM VM WLC Virtual Distributed Switch Hypervisor on x86 HW EX Series WLA Access Points

JunosV Wireless LAN Controller Specifications Supports up to 256 APs (cluster up to 2048 APs) Supports 6400 users sessions 100% SW feature Parity with Appliance WLC Managed via RingMaster or Network Director 1.5 Requirements: VMware ESXi 5.0 (or higher) Minimum 320 MB RAM Recommended 2G RAM (for 256 APs/6400 user sessions) Minimum 16GB disk space Minimum 1 Ethernet Adapter, recommended 2 E1000 Network Adapter

JunosV WLC JSA Licensing 2 License options: Perpetual licenses one time charge. Maintenance must be purchased separately Subscription licensees include maintenance service Renewed annually Voice, Mesh and High-Availability included in AP license no separate license required You still need a Spectrum Analysis license

JunosV WLC Implementation Single vCPU / VM instance = 630Mbit/s throughput Not enough for .11n / .11ac implementations Your proposal/design should advise local switching Remember you can mix & match local & central switching per SSID Practical remark: Don’t setup all the interfaces in the same vlan The virtual controller doesn’t support STP (unlike physical WLC’s) Change the default config before you start your newly installed virtual appliance!

JunosV WLC Limitations No Webview interface in FRS (will return in MR1) No support for port groups No Spanning Tree No LLDP support

JunosV WLC is another step towards virtualisation of the control plane JunosV WLC Why? JunosV WLC is another step towards virtualisation of the control plane What will be next? Sooner CAPWAP tunnel termination on EX9200 New control-plane controller (used with EX9200) Later Tunnel termination on the access layer Embedded WLAN service on the access layer

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

802.11n Recap MIMO Antenna’s

Access Point technology evolution Base Multi-user MIMO Gigabit 802.11n 2 Spatial Streams 802.11n 3 Spatial Streams 450Mbps 300 Mbps Per Radio Speed 802.11b 802.11g 54 Mbps 11 Mbps Time

802.11ac High Speed WLAN Up to 7 gbps (aggregate) Wider channel bandwidth (80 MHz or 160 MHz) Be aware: wider channels leaes less overlapping free channel sets we have a max of 18 5 GHz channels 5 GHz Band High speed modulation (256 QAM) Up to 8 spatial streams (= up to 8 Antennas) Up to 4 per client

802.11ac Daterates with one spatial stream 6.933,6Mbit/s with 8 Spatial Streams!

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Wireless Management & Access Control WLM – Management and Access Control RingMaster WLM - Appliance SmartPass Plan - Configure - Monitor - Troubleshoot - Report WLM – RMTS Software Licenses With 8.0: 64 bit SW 5 – 1,000 APs -> 3500 Optimized Linux Server Platform 250 – 5,000 APs WLM1200 – RMTS WLM – SP Software Licenses WLAN Access Control Guest Provisioning

RingMaster Architecture 4/23/2017 RingMaster Architecture Controllers Guest Server CAMPUS 1 RingMaster Server Unified Management Console LAN / WAN CAMPUS 2 CAMPUS 3 Controller Controllers Trapeze Networks, A BELDEN Brand | Proprietary and Confidential | 4/23/2017 Slide 37

RingMaster Lifecycle Management 4/23/2017 RingMaster Lifecycle Management 3D RF Planning Configuration Management Monitoring and Troubleshooting Reporting Trapeze Networks, A BELDEN Brand | Proprietary and Confidential | 4/23/2017 Slide 38

RingMaster 9.0 Demo

Management: Next Step Juniper Network Director 1.5 Module for Junos Space Common Management for WLAN and LAN Configuration and Monitoring for WLAN and LAN devices Ringmaster feature parity in version 2.0

Network Director 1.5 Demo

SmartPass, Controller and RingMaster SOAP/XML Location Appliance Login Page:  from Controller or SmartPass RADIUS REST API for Mngt Integration RingMaster Guest User Capture Function:  Controller WLAN Controller

SmartPass 9.0 Demo

BYOD Issues to solve Provisioning How to configure high number of personal devices for access to secure SSID? SmartPass Connect Automated self-service onboarding of (mobile) devices: Windows, Linux, MAC, iOS, Andoid Vanishing Agent downloads from web server, performs configuration tasks, then deletes itself Java, ActiveX or html based depending on platform and capabilities (SPC server automatically figures out the best vehicle for a given platform) Credentials (PEAP) or Certificates (TLS) Install Client Certificates & Trusted Root CAs Handle Additional Dependencies (Software, Proxies, etc.) Cloud based service with local configuration server

How does SmartPass Connect Work? 1 2 Web Server (locally deployed= AAA Server Network Management Admin Console (Cloud Service) Open SSID Secure SSID SPC allows agent-less network provisioning: 4 IT Admin configures network parameters IT Admin deploys the configuration files to local web server User connects to local web server downloads configuration SPC’s (dissolvable) client runs through configuration on device User device connects to secure network After successfully accessing the network, SPC Client dissolves 1 3 5 6 2 3 4 5 6

Integration module for Microsoft CA The CA Integration Module allows the Configuration Wizard to request certificates from a MS PKI infrastructure Extends TLS (certificate based authentication) to Non-Domain Devices Plug & Play Integration with Microsoft Certificate Services Module requires that wizard package be installed on Windows IIS server (domain membership required) Works with MS CA only Web Server MS CA SPC Config Wizard

Employee Owned Device On Corporate Network Employee Self Provisioning SmartPass web portal presents captive portal and redirects client to provisioning portal 3 Unknown device connects to open captive portal SSID 1 User session is captured and redirected to SmartPass 2 SmartPass WLC  UAC Provisioning portal pushes native supplicant config wizard to client device 4 EX Series Wireless User Tablet/smartphone AP EX Series AD/Certificate Authority Provisioning wizard gets EAP-TLS configuration profile (and cert) from provisioning portal; agent dissolves 6 Provisioning portal gets user credentials from wizard; validates against AD; and requests user cert for end user 5 User selects secure wireless network and device authenticates to RADIUS without requiring user to enter credentials 7 SmartPass connect Corporate Data Center

SmartPass Connect Demo

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Simply Connected The Concept Holistic approach to enterprise mobility and BYOD access Coordinated Security Safe and simple mobility while protecting assets Switching Wireless Security Routing Performance at Scale Scalability without complicating the network Highly Resilient Automated, uninterrupted service

EX With UAC Enforce Security Policy Allows automatic and dynamic policy enforcement at the edge of the network including role based dynamic ACLs without any manual intervention MAG/UAC 3rd Party Supplicants EX Protected Resources Juniper Client 52

SRX… With User Role Firewall Allows different users to have different application policies based on their role and group, simply for IT MAG/UAC P2P apps blocked Youtube allowed Anti-virus applied WF profile A Marketing Department Branch SRX P2P, Youtube blocked Anti-virus applied WF profile B Sales Department No apps blocked Anti-virus applied WF profile C CEO (Individual) 53

Security Threat Response Manager (STRM) STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure 220+ out-of-the box report templates Fully customizable reporting engine: creating, branding and scheduling delivery of reports Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA Reports based on control frameworks: NIST, ISO and CoBIT

Wireless Device on Corp Network Application Restrict Done with the SRX SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM  Device authenticated on wireless network 1 Smart Pass Connect communicates User and IP information to UAC via IF-MAP 2 Active Directory /LDAP  WLC Data SRX  Finance  Wireless User Tablet/smartphone AP EX Series Video Smart Pass Connect  SRX AppSecure Polices block non-work related applications like Hulu and Netflix 5 SRX enforces user policies allowing user basic access to all servers except finance 4 UAC pushes role based ACL and FW policies to EX, WLC and SRX 3 Apps UAC Corporate Data Center   Internet

End To End Security Host Checking and Application Restrict Junos Pulse detects device is on corporate network and per user policy disables any active VPN sessions 1 During 802.1x authentication. MAG verifies PC meets company software and security policy requirements 2 Compliance check fails. Antivirus signatures are out of date and user is quarantined to remediation VLAN. Patch server updates signatures. User is now in compliance and granted network access 3  Active Directory /LDAP SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM  Data Virus signatures outdated WLCs  Finance SRX   EX4200 VC Patch Remediation  EX4500 VC and EX4200 VC Mobile User SRX AppSecure Polices block non-work related applications (based on user’s role in UAC) 6 SRX enforces user policies allowing user basic access to all servers except finance 5 Video MAG pushes role based FW policies to EX ,WLC and SRX 4  MAG Series (UAC) Apps Corporate Data Center  Internet 

Mobile Device Remote Network Access Policy and Access Control User needs to access company intranet over non-corporate network using iPad 1 User starts Junos Pulse and initiates a secure VPN session with MAG appliance 2 MAG verifies user login, establishes VPN and the device is allowed on the network. 3 Active Directory /LDAP Data WLCs SRX with IDP/ AppSecure Finance EX4500 VC and EX4200 VCs Video MAG with Radius, SSLVPN and UAC modules Apps Corporate Data Center  Internet Wireless User Tablet/smartphone

Juniper Wireless LAN Technical Education

Juniper Wireless LAN Technical Education Westcon Academy courses: Introduction to Juniper Wireless LANs (IJWL) 3 days Understand the requirements for a secure, Enterprise-grade Wireless LAN system and configure secure services. Use RingMaster management to plan, deploy, configure,manage, monitor and report on a WLS. Effectively troubleshoot a WLS system deployment and user connectivity

Juniper Wireless LAN Technical Education Westcon Academy courses: Advanced Juniper Wireless LANs (AJWL) 4 days Configure secure WLAN services using digital certificate-based authentications and machine authentication. Configure voice optimized services Deploy and manage remote APs Troubleshoot all aspects of a deployed WLS system

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail

Agenda 10h00 : Introduction Westcon Juniper Team 10h15 : Juniper WLAN Solution in depth 11h30 : WLAN technical Virtual WLAN controller 802.11ac Developments 12h30 : Lunch 13h30 : WLAN demo-time Ringmaster Demo SmartPass Demo 15h00 : Break 15h20 : Simply Connected Concept 16h00 : Q&A 16h15 : Network Drink - Closing Cocktail