Management connections for Engines and how they work

When you connect the Engine to the Secure SD-WAN Manager, the Engine makes initial contact with the Management Server and receives a certificate.

The certificate allows the Engine to authenticate itself to other components in all further communications. When components contact each other, they check if the other component’s certificate is signed by the same internal certificate authority as their own certificate. The certificate authority runs on the Management Server, but is separate from the Management Server itself. The initial contact procedure is secured using a one-time password.

If using Engine appliances, you can connect them to the Secure SD-WAN Manager using the plug-and-play configuration method. In plug-and-play configuration, you upload the initial configuration to the Installation Server. When the appliance is turned on with all cables connected, it downloads the initial configuration from the Installation Server. After this, the Engine automatically installs the initial configuration and makes initial contact with the Management Server. You can also specify a policy to be installed on the Engine when it makes initial contact with the Management Server.

Note: There are special considerations when using plug-and-play configuration. For example, both the Secure SD-WAN Manager and the Engines must be registered for plug-and-play configuration before you configure the Engines. See Knowledge Base article 9662.

Saving the initial configuration details on a USB drive allows automatic configuration by turning on the appliance with the USB drive inserted. Alternatively, you can import the configuration details from a USB drive in the Engine Configuration Wizard.

You can also save the initial configuration details in some other suitable location or on the clipboard. You can then copy and paste or enter them manually in the Engine Configuration Wizard.

CAUTION:
The information must be handled securely when saving the initial configuration details on a USB drive or in some other location. The initial configuration files include the one-time password for establishing the trust relationship between the Management Server and the Engine.

Limitations

  • The plug-and-play configuration method is only available for Engine appliances. You must have a valid proof-of-serial (POS) code for each appliance you want to configure using the plug-and-play configuration method.
  • Virtual Engines do not communicate directly with the Secure SD-WAN Manager. All communication between Virtual Engines and the Secure SD-WAN Manager is proxied by the Master Engine.

What should I know before I begin?

  • Engine certificates expire three years after they are issued. If the automatic certificate renewal option is active, the certificate is renewed automatically before it expires.
  • If the certificate of the Engine is lost or expires, the initial contact procedure must be repeated to reconnect the Engine to the other components.
  • The internal certificate authority that signs the Engine certificates is valid for ten years. The internal certificate authority is automatically renewed six months before the expiration date and new certificates signed by the new internal certificate authority are automatically created for the Engines. If the automatic certificate renewal fails, you must again make initial contact with the Management Server so that the Engine receives a new certificate.
  • When a new internal certificate authority is created, its initial status is Ready to Use and it is not yet Active. A new internal certificate authority in a Ready to Use state only signs Management Server certificates. Certificates for other Secure SD-WAN Manager components are signed by the internal certificate authority that is used by the Management Server. In an environment with multiple Management Servers, the new internal certificate authority reaches Active status when all the Management Servers are using the new internal certificate authority.
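The trust check described at the start of this page (a component accepts a peer only if the peer's certificate is signed by the same internal certificate authority) and the lifecycle rules listed above are modeled in the following added Python example. It is not Forcepoint code and not the product's actual implementation: signatures are simulated with an HMAC keyed by the CA's secret instead of real X.509, the names InternalCA, Cert, update_ca_status and run_scenario are invented for the illustration, and the 30-day Engine renewal lead and the day counts used for "three years", "ten years" and "six months" are assumptions.

```python
"""Toy model of the certificate lifecycle described on this page (added example).

Not Forcepoint code. A "signature" here is an HMAC-SHA256 over the certificate
fields keyed by the CA's secret, which is enough to show the trust checks and
the renewal timing without real X.509 or any third-party library.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Lifetimes as stated on the page; the day counts are an approximation (assumption).
ENGINE_CERT_VALIDITY = timedelta(days=3 * 365)   # Engine certificates expire after three years
CA_VALIDITY = timedelta(days=10 * 365)           # internal CA is valid for ten years
CA_RENEWAL_LEAD = timedelta(days=182)            # CA is renewed about six months before expiry
ENGINE_RENEWAL_LEAD = timedelta(days=30)         # monitoring lead for Engine certificates (assumption)

READY_TO_USE = "Ready to Use"
ACTIVE = "Active"


@dataclass
class Cert:
    subject: str
    kind: str            # "management_server" or "engine"
    issuer: str          # name of the internal CA that signed it
    not_before: datetime
    not_after: datetime
    signature: bytes


@dataclass
class InternalCA:
    name: str
    created: datetime
    status: str = READY_TO_USE
    # Secret used to produce the toy signatures; it never leaves the CA.
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

    @property
    def not_after(self) -> datetime:
        return self.created + CA_VALIDITY

    def _to_be_signed(self, subject: str, kind: str, nb: datetime, na: datetime) -> bytes:
        return f"{subject}|{kind}|{self.name}|{nb.isoformat()}|{na.isoformat()}".encode()

    def sign(self, subject: str, kind: str, now: datetime) -> Cert:
        # A CA that is still Ready to Use signs only Management Server certificates.
        if self.status == READY_TO_USE and kind != "management_server":
            raise PermissionError(f"{self.name} is {READY_TO_USE}: it signs only Management Server certificates")
        not_after = now + ENGINE_CERT_VALIDITY
        sig = hmac.new(self._key, self._to_be_signed(subject, kind, now, not_after), hashlib.sha256).digest()
        return Cert(subject, kind, self.name, now, not_after, sig)

    def verify(self, cert: Cert, now: datetime) -> bool:
        # Trust requires the same issuer, a valid signature and an unexpired certificate.
        if cert.issuer != self.name:
            return False
        expected = hmac.new(self._key, self._to_be_signed(cert.subject, cert.kind, cert.not_before, cert.not_after),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.signature) and cert.not_before <= now < cert.not_after


def peers_trust_each_other(ca: InternalCA, a: Cert, b: Cert, now: datetime) -> bool:
    """Mutual check: each side verifies the other's certificate against the shared internal CA."""
    return ca.verify(a, now) and ca.verify(b, now)


def engine_cert_needs_renewal(cert: Cert, now: datetime) -> bool:
    """True once an Engine certificate is within ENGINE_RENEWAL_LEAD of expiring."""
    return now >= cert.not_after - ENGINE_RENEWAL_LEAD


def ca_needs_renewal(ca: InternalCA, now: datetime) -> bool:
    """True once the internal CA is within six months of its expiration date."""
    return now >= ca.not_after - CA_RENEWAL_LEAD


def update_ca_status(ca: InternalCA, mgmt_server_certs: list[Cert]) -> str:
    """A new CA reaches Active only when every Management Server's certificate is signed by it."""
    if mgmt_server_certs and all(c.issuer == ca.name for c in mgmt_server_certs):
        ca.status = ACTIVE
    return ca.status


def run_scenario() -> dict[str, bool]:
    """Exercise the rules on constructed dates and return the named outcomes."""
    out: dict[str, bool] = {}
    t0 = datetime(2024, 1, 1)
    old_ca = InternalCA("internal-ca-1", t0 - timedelta(days=9 * 365 + 200), status=ACTIVE)
    out["old_ca_due_for_renewal"] = ca_needs_renewal(old_ca, t0)          # 165 days from expiry
    eng1 = old_ca.sign("engine-1", "engine", t0)
    eng2 = old_ca.sign("engine-2", "engine", t0)
    out["peers_same_ca_trust"] = peers_trust_each_other(old_ca, eng1, eng2, t0 + timedelta(days=1))
    out["expired_engine_rejected"] = not old_ca.verify(eng1, t0 + ENGINE_CERT_VALIDITY)
    out["engine_flagged_before_expiry"] = engine_cert_needs_renewal(eng1, t0 + ENGINE_CERT_VALIDITY - timedelta(days=10))
    new_ca = InternalCA("internal-ca-2", t0)                               # starts as Ready to Use
    try:
        new_ca.sign("engine-1", "engine", t0)
        out["ready_to_use_refuses_engine"] = False
    except PermissionError:
        out["ready_to_use_refuses_engine"] = True
    ms_a = new_ca.sign("mgmt-a", "management_server", t0)
    ms_b_old = old_ca.sign("mgmt-b", "management_server", t0)
    out["still_ready_with_one_server_left"] = update_ca_status(new_ca, [ms_a, ms_b_old]) == READY_TO_USE
    ms_b = new_ca.sign("mgmt-b", "management_server", t0)
    out["active_when_all_servers_moved"] = update_ca_status(new_ca, [ms_a, ms_b]) == ACTIVE
    eng1_new = new_ca.sign("engine-1", "engine", t0)                      # allowed once Active
    out["new_ca_rejects_old_engine_cert"] = not new_ca.verify(eng1, t0)
    out["mixed_ca_peers_do_not_trust"] = not peers_trust_each_other(new_ca, eng1_new, eng2, t0)
    return out


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The scenario follows the page's order: an Engine whose certificate has expired is no longer verified by anyone, which is why initial contact must be repeated; a new CA in Ready to Use state refuses to sign Engine certificates and only becomes Active after every Management Server holds a certificate it signed; and an Engine certificate from the old CA is rejected by the new one, so the automatic re-issue step matters.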