Service Orchestration
Configuration > Cloud Services > Service Orchestration
Watch the video for this feature to learn How to Integrate with Third-Party Service Providers.
Use the Service Orchestration tab to automate the integration of third-party services without an API. Service Orchestration automates the creation and deployment of IPSec tunnels and IP SLA probes and manages the lifecycle of the tunnels and probes.
Service Orchestration creates a local tunnel identifier (IKE ID) for each tunnel to the third-party service. After the tunnels are created, you complete the integration on the third-party service's site by replacing its endpoint identifiers with the local tunnel identifiers (IKE IDs) created for each endpoint.
NOTE: By default, Service Orchestration provides the framework for Netskope integration. The instructions on this page are specific to Netskope, but you can apply the same general procedure to other third-party services.
Prerequisites
You must have loopback interfaces configured to use the Service Orchestration feature.
Service Orchestration supports third-party services that use IPSec IKEv2 endpoints.
You will need the following information from the third-party service for each endpoint you want to add:
Endpoint name
IP address
Probe address
Remote Endpoint Configuration
Add the remote endpoints for Netskope. You can add one endpoint at a time or add endpoints in bulk by importing the information from a CSV file.
Add Endpoints One at a Time
Click Remote Endpoint Configuration.
The Add Remote Endpoints for Netskope dialog box opens.
Click +Remote Endpoint.
Complete the following fields. Press the Tab key to navigate to the next field.

| Field | Description |
| --- | --- |
| Name | Name of the Netskope endpoint. IMPORTANT: If an endpoint name is decommissioned or modified, you must update the value in this table. |
| IP Address | IP address of the Netskope endpoint. IMPORTANT: If an IP address is decommissioned or modified, you must update the value in this table. |
| Interface Label | The interface labels that can be provisioned for this endpoint. Only labels in this list will be provisioned. TIP: Click Interface Label Default to reset the Interface Label for every endpoint in the table to the default value of Any. |
| Pre-shared Key | The pre-shared key for the endpoint. To display the pre-shared key, click anywhere in the field. Do one of the following: (1) Edit this field for each endpoint. This value can be an ASCII string, a hex-encoded string (if it has a 0x prefix), or a base64-encoded string (if it has a 0s prefix). (2) Click PSK Default to create and save a pre-shared key. Every endpoint will use the pre-shared key you create. Because traffic going to these endpoints is encrypted, it will not compromise security to use the same pre-shared key for each endpoint. |
| Probe Address | The Netskope endpoint that the IP SLA subsystem will ping. You can obtain the probe address from the third-party security provider. IMPORTANT: Orchestrator prefills the Address field in the IP SLA Settings dialog box with this value. If you delete the value in the Probe Address field in this table, Service Orchestration pings the value specified in the Address field in the IP SLA Settings for Netskope dialog box. |
| Backup Remote Endpoint | Enter the Netskope endpoint that you want to use as a backup tunnel. For example, ATL1-Atlanta could use DFW1-Dallas as a backup remote endpoint. If you leave this field empty, the endpoint will not have a backup tunnel. The BIO determines how traffic is handled if a single tunnel, or both a tunnel and its backup, go down. |

Repeat these steps for each endpoint.
TIP: To delete an endpoint, click X in the last column of the table.
Click Save.
The updates are orchestrated immediately.
Add Endpoints in Bulk
Click Remote Endpoint Configuration.
The Add Remote Endpoints for Netskope dialog box opens.
Click Import to import a list of remote endpoints from a CSV file. The CSV file must contain columns for name, IP address, interface label, pre-shared key, probe address, and backup remote endpoint, in that order.
NOTE: Remove any header rows before you import the file.
Click Choose File.
Navigate to the file, select it, and then click Open.
Click Save.
The updates are orchestrated immediately.
Bulk Edits
To make bulk edits to the table:
Click Export.
Open the CSV file and delete the three header rows.
Modify, save, and close the file.
Click Import, and then click Choose File.
Locate and select the file, and then click Open.
Orchestrator updates the table.
Click Save.
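A mis-ordered column, a leftover header row, or a malformed pre-shared key is easy to miss in a hand-edited CSV and only shows up after the import. The following validator is an added example, not Orchestrator code or a Netskope tool; it assumes only what the page states: no header rows, and the six columns in the order name, IP address, interface label, pre-shared key, probe address, backup remote endpoint, with the PSK encoding rules (0x prefix for hex, 0s prefix for base64, otherwise ASCII) described for the Pre-shared Key field. The endpoint names, addresses and keys in the samples are constructed.

```python
"""Pre-import checks for a Service Orchestration remote-endpoint CSV (added example)."""
import base64
import binascii
import csv
import io
import ipaddress
import re

# Column order as documented for Import/Export (assumption: no header rows present).
COLUMNS = ("name", "ip_address", "interface_label", "pre_shared_key",
           "probe_address", "backup_remote_endpoint")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def check_psk(psk):
    """Return None if the PSK decodes under the documented prefix rules, else an error text."""
    if psk.startswith("0x"):
        body = psk[2:]
        if not body or len(body) % 2:
            return "hex PSK must have an even, non-zero number of hex digits"
        try:
            bytes.fromhex(body)
        except ValueError:
            return "hex PSK contains non-hex characters"
    elif psk.startswith("0s"):
        body = psk[2:]
        if not body:
            return "base64 PSK is empty"
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return "base64 PSK is not valid base64"
    elif not psk or not psk.isascii():
        return "ASCII PSK must be non-empty ASCII text"
    return None


def is_ip_or_hostname(value):
    """Probe/endpoint addresses are checked as an IP address or a DNS hostname (assumption)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def validate_endpoint_csv(text):
    """Validate CSV text; return a list of 'row N: problem' strings (empty list means OK)."""
    rows = list(csv.reader(io.StringIO(text)))
    errors, records = [], []
    for n, row in enumerate(rows, start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        if len(row) != len(COLUMNS):
            errors.append(f"row {n}: expected {len(COLUMNS)} columns, got {len(row)}")
            continue
        rec = dict(zip(COLUMNS, (c.strip() for c in row)))
        if rec["name"].lower() in ("name", "endpoint name"):
            errors.append(f"row {n}: looks like a header row; remove it before import")
            continue
        records.append((n, rec))
    names = {}
    for n, rec in records:
        if not rec["name"]:
            errors.append(f"row {n}: empty endpoint name")
        elif rec["name"] in names:
            errors.append(f"row {n}: duplicate endpoint name {rec['name']!r}")
        else:
            names[rec["name"]] = n
        try:
            ipaddress.ip_address(rec["ip_address"])
        except ValueError:
            errors.append(f"row {n}: IP address {rec['ip_address']!r} is not valid")
        # Probe address may be empty; the IP SLA Settings address is used in that case.
        if rec["probe_address"] and not is_ip_or_hostname(rec["probe_address"]):
            errors.append(f"row {n}: probe address {rec['probe_address']!r} is not valid")
        err = check_psk(rec["pre_shared_key"])
        if err:
            errors.append(f"row {n}: {err}")
    # A backup must name another endpoint that exists in the same table.
    for n, rec in records:
        backup = rec["backup_remote_endpoint"]
        if backup and backup == rec["name"]:
            errors.append(f"row {n}: endpoint cannot be its own backup")
        elif backup and backup not in names:
            errors.append(f"row {n}: backup {backup!r} is not an endpoint in this file")
    return errors


# Constructed sample files (addresses from documentation ranges, keys are dummies).
GOOD_CSV = ("ATL1-Atlanta,198.51.100.10,Any,0x00112233445566778899aabbccddeeff,198.51.100.11,DFW1-Dallas\n"
            "DFW1-Dallas,198.51.100.20,Any,0sAAECAwQFBgcICQoLDA0ODw==,,\n")
BAD_CSV = ("Name,IP Address,Interface Label,Pre-shared Key,Probe Address,Backup Remote Endpoint\n"
           "SJC1-SanJose,198.51.100.300,Any,0xabc,198.51.100.31,SJC1-SanJose\n")

if __name__ == "__main__":
    for label, data in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(label, validate_endpoint_csv(data) or "OK")
```

Run it against the exported file after you have deleted the three header rows and made your edits; an empty result means the file is structurally ready for Import.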
Interface Labels
Select the primary and backup interface labels for your traffic. If the primary interface label is unavailable, the backup interface label is used.
NOTE: Netskope does not support active backup.
Click Interface Labels.
The Build Tunnels using these Interfaces for Netskope dialog box opens.
Drag the interface labels you want to use into the Primary area. (The Peer/Service names in the Tunnels table will be NSK_Primary_1 and NSK_Primary_2.)
Drag the interface labels you want to use into the Backup area. (The Peer/Service names in the Tunnels table will be NSK_Backup_1 and NSK_Backup_2.)
Drag the interface labels up or down to reorder the list as necessary.
Click Save.
Tunnel Settings
Click Tunnel Settings to configure the tunnel settings.
The General tab displays by default.
Complete the following fields as required for the security service. (To configure Netskope, accept the default values for all fields.)

| Field | Description |
| --- | --- |
| Mode | IPSec. You cannot edit this field. |
| Auto max BW enabled | Causes tunnels to be shaped automatically to the interface bandwidth configured on the Deployment screen. Enabled by default. |
| IPSec Suite B | Select an IPSec Suite B cipher if the security service requires it. NOTE: If an IPSec Suite B cipher is selected, various settings on the IKE tab and the IPSec tab are configured automatically, based on the cipher suite chosen. This setting is disabled by default. |

Click the IKE tab, and then complete the following fields. (To configure Netskope, accept the default values for all fields.)

| Field | Description |
| --- | --- |
| IKE Version | IKE v2. You cannot edit this field. |
| Authentication algorithm | Can be set to SHA1, SHA2-256, SHA2-384, SHA2-512, or NULL. |
| Encryption algorithm | Can be set to AES-256, AES-128, NULL, AES-GCM-128, or AES-GCM-256. |
| Diffie-Hellman Group | Select the Diffie-Hellman group used for negotiating the security association. |
| Rekey interval/lifetime | Enter the interval in minutes between automatic changes of the group key shared by all appliances in the network. |
| Delay time | Enter the interval in seconds between DPD messages. |
| Retry count | The number of attempts to establish a connection. You cannot edit this field. |
| Phase 1 mode | The IPSec VPN phase. You cannot edit this field. |
| IKE identifier | By default, Service Orchestration creates IKE IDs using the following fixed format: hostname_label@endpoint. You can create a custom IKE ID by specifying one or more of the following macros: %hostname% (appliance host name), %label% (interface label name), %tunnel_source_ip% (tunnel source IP), %tunnel_dst_ip% (tunnel destination IP/FQDN), %appliance_key% (appliance key). For example, to create an IKE ID that includes an email domain, enter %hostname%_%label%@customerdomain.com. |

Click the IPSec tab, and then complete the following fields:

| Field | Description |
| --- | --- |
| Authentication algorithm | Can be set to SHA1, SHA2-256, SHA2-384, SHA2-512, NULL, AES-GCM-128, or AES-GCM-256. |
| Encryption algorithm | Can be set to AES-CBC-256, AES-CBC-128, NULL, AES-GCM-128, or AES-GCM-256. |
| IPSec anti-replay window | Disable, 1024, 8192, or 65536. |
| Rekey interval/lifetime | Enter the interval in minutes between automatic changes of the group key shared by all appliances in the network. |
| Perfect forward secrecy group | Select the Diffie-Hellman group used for IPSec SA negotiation. |

Click Save.
TIP: Click Use Netskope Default to reset all tunnel settings to the global defaults for Service Orchestration.
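The IKE identifier template decides what you will later paste into Netskope as the Source Identity for each tunnel, so it is worth seeing how the macros expand across every label/endpoint pair before committing a custom format. The following is an added example, not Orchestrator code: the macro names and the default hostname_label@endpoint format are the ones the page lists, but expressing that default as the template %hostname%_%label%@%tunnel_dst_ip%, the sample appliance, interface labels, endpoints and the placeholder appliance key are assumptions made for the illustration. The collision check goes beyond the page: it shows that a template which drops a distinguishing macro (the email-domain example omits the endpoint address) yields the same IKE ID for several tunnels on one appliance.

```python
"""IKE ID macro expansion and collision check for Service Orchestration tunnels (added example)."""
import re

# Assumption: the documented default hostname_label@endpoint written as a macro template.
DEFAULT_TEMPLATE = "%hostname%_%label%@%tunnel_dst_ip%"
MACRO = re.compile(r"%([A-Za-z_]+)%")


def expand_ike_id(template, values):
    """Expand every %macro% in template from values; an unknown macro raises KeyError."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown IKE ID macro %{name}%")
        return values[name]
    return MACRO.sub(repl, template)


def tunnel_ike_ids(appliance, endpoints, template=DEFAULT_TEMPLATE):
    """Return {(interface_label, endpoint_name): ike_id} for every label/endpoint pair.

    appliance: dict with hostname, appliance_key and labels (label -> tunnel source IP).
    endpoints: dict of remote endpoint name -> tunnel destination IP/FQDN.
    """
    ids = {}
    for label, src_ip in appliance["labels"].items():
        for ep_name, ep_addr in endpoints.items():
            values = {
                "hostname": appliance["hostname"],
                "label": label,
                "tunnel_source_ip": src_ip,
                "tunnel_dst_ip": ep_addr,
                "appliance_key": appliance["appliance_key"],
            }
            ids[(label, ep_name)] = expand_ike_id(template, values)
    return ids


def find_collisions(ids):
    """Return the set of IKE IDs that more than one tunnel would present to the peer."""
    seen, duplicates = set(), set()
    for ike_id in ids.values():
        if ike_id in seen:
            duplicates.add(ike_id)
        seen.add(ike_id)
    return duplicates


# Constructed sample data; the appliance key is a placeholder, not a real value.
SAMPLE_APPLIANCE = {
    "hostname": "East3-aws",
    "appliance_key": "APPLIANCE-KEY-PLACEHOLDER",
    "labels": {"INET1": "203.0.113.5", "INET2": "203.0.113.6"},
}
SAMPLE_ENDPOINTS = {"ATL1-Atlanta": "198.51.100.10", "DFW1-Dallas": "198.51.100.20"}
CUSTOM_TEMPLATE = "%hostname%_%label%@customerdomain.com"  # the page's custom-ID example

if __name__ == "__main__":
    for template in (DEFAULT_TEMPLATE, CUSTOM_TEMPLATE):
        ids = tunnel_ike_ids(SAMPLE_APPLIANCE, SAMPLE_ENDPOINTS, template)
        print(f"template {template}:")
        for (label, ep), ike_id in ids.items():
            print(f"  {label} -> {ep}: {ike_id}")
        print("  collisions:", find_collisions(ids) or "none")
```

With the default template every tunnel gets a distinct identifier; with the email-domain template the two tunnels from INET1 (one per endpoint) share an identifier, which is what you want to know before you enter those values as Source Identities on the Netskope side.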
IP SLA Settings
Click IP SLA Settings.
The IP SLA Settings for Netskope dialog box opens.
If all fields are dimmed, click Enable IP SLA Rule Orchestration.
Complete the following fields.

| Field | Description |
| --- | --- |
| Monitor | Ping or HTTP/HTTPS. |
| Address | The Netskope endpoint that the IP SLA subsystem will ping. Orchestrator prefills the Address field with the value from the Remote Endpoint Configuration table. You can configure up to three addresses. |
| Source interface | Select an orchestrated loopback label. |

Accept the default values for the remaining fields, and then click Save.
Orchestrator builds the tunnels.
Pause Orchestration (Optional)
When troubleshooting, you can click Pause Orchestration and then click Save to pause Service Orchestration. To restart Service Orchestration, click Resume Orchestration.
+BIO Breakout
By default, the tunnels associated with a third-party service will be available for BIOs. You can upload an icon to display on the Business Intent Overlays tab.
NOTE: Supported file types are PNG, JPEG, SVG, and WebP. The recommended size is 60 x 20 pixels.
Click +BIO Breakout.
The Configure BIO Breakout for Netskope dialog box opens.
Click Upload Service Icon.
Locate and select the file, and then click Open.
Click Save.
This icon will display next to the service name on the Business Intent Overlays tab.
If you do not want this third-party provider to be available for BIOs, do the following:
Click +BIO Breakout.
The Configure BIO Breakout for Netskope dialog box opens.
Clear the BIO Breakout check box.
Click Save.
Remote Endpoint Association
The last step of the integration in Orchestrator is to associate EdgeConnect appliances with the remote endpoints. Use this page to add endpoints to, or remove them from, appliances. It is recommended that you associate one remote endpoint with each EdgeConnect appliance.
In the Orchestrator appliance tree, select one or more appliances to associate with Netskope remote endpoints.
Click Remote Endpoint Association.
The dialog box for associating appliances with Netskope remote endpoints opens.
Select the Add or Remove check box next to the endpoints you want to associate with the selected appliances. Be sure to add the endpoints that are geographically closest to the appliances.
Verify the proposed changes to remote endpoints in the table to the right, and then click Save.
Add Tunnel Local Identifiers to Netskope
After the Service Orchestration integration is complete in Orchestrator, you must add the local tunnel identifiers (IKE IDs) to Netskope. You can simplify this process by exporting the Netskope configuration to a CSV file. The exported file contains all of the configuration details in the table on the Netskope page for all selected appliances, including IKE IDs.
NOTE: The default tunnel local identifier value has a fixed format: hostname_labelname@IPaddress. For example, East3-aws_ineta@192.x.x.xxx.
If you created a custom IKE ID, the tunnel local identifier value follows the format you defined in the IKE Identifier field of the Tunnel Settings dialog box.
In the Orchestrator appliance tree, select all appliances associated with Netskope remote endpoints.
On the Netskope page of the Service Orchestration tab, click Export to save the contents of the table to a CSV file.
Log in to Netskope.
In the IPSec configuration panel, replace the Source Identity values with the corresponding Tunnel Local Identifiers (IKE IDs) created by Orchestrator.
Verification
After Netskope is configured and the Netskope policy is applied successfully in the BIO, deployment begins automatically. Go to the Netskope tab and view the Connection Status column to verify that the deployment was successful.
Set Up a New Service
To set up a new third-party service:
Click +Add Service and complete the following fields.

| Field | Description |
| --- | --- |
| Name | Name of the new service. |
| Prefix | A prefix assigned to all tunnels for this service. Orchestrator uses this prefix to filter tunnels and IP SLAs. |

Click Save.
A new tab is created on the Service Orchestration page.
TIP: To edit or delete a service, click the edit icon next to the service name.
Select the tab for the new service and follow the steps explained in Set Up Netskope Integration to integrate this new service.