jspanitz, your article works just fine to run netconf... even on 8.2R5.1. I'm just not sure if you can use netconf in any way with NCM to grab the config.
Things to note:
- You only need to configure inbound options
- You MUST change it to port 22 from the default port of 430 if using the default SSH client port. With the Tufin config backup option I am using, the plugin requires port 22.
- Make sure you configure the proper admin realm for the user account you will be authenticating with. I accidentally selected my local realm instead of my LDAP-based realm for my AD user account.
- Make sure your host or device has a route to the SA/MAG
So you need these things configured to make it work under Configuration | DMI Agent:
- DMI Connections | Inbound (checked)
- Accept Incoming Connections On: (whatever interface the IP you are trying to connect to is on)
- TCP Port for Incoming Connection MUST be 22 if testing with default SSH port
- Admin Realm (realm that contains your user account)
- DMI Logging (helpful for diagnostics)
Test by running ssh -l username a.b.c.d -s netconf
Enter password
Response should be:
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:2.0</capability>
<capability>http://xml.juniper.net/dmi/software/1.0</capability>
<capability>http://xml.juniper.net/dmi/software/2.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
<capability>http://xml.juniper.net/dmi/ive-sa/8.2R5</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
</capabilities>
<session-id>28905</session-id>
</hello>
I was able to grab the configuration properly with Tufin's firewall analyzer after making these adjustments to the MAG DMI settings.
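An added example, not part of the original post: a Python check that parses the hello reply shown above and reports what the device advertises, flagging writable-running because that capability means the NETCONF server accepts direct edits to the running configuration. The sample input is the post's reply with the NETCONF 1.0 end-of-message marker `]]>]]>` appended as an assumption about the raw SSH output; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:netconf:base:1.0}"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message marker (RFC 6242)
WRITABLE_RUNNING = "urn:ietf:params:netconf:capability:writable-running:1.0"

# Constructed sample: the reply quoted in the post plus the framing marker.
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:2.0</capability>
<capability>http://xml.juniper.net/dmi/software/1.0</capability>
<capability>http://xml.juniper.net/dmi/software/2.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
<capability>http://xml.juniper.net/dmi/ive-sa/8.2R5</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
</capabilities>
<session-id>28905</session-id>
</hello>
]]>]]>"""


def parse_hello(raw):
    """Return (session_id, [capability URIs]) from raw `ssh -s netconf` output."""
    start = raw.find("<hello")
    if start == -1:
        raise ValueError("no NETCONF <hello> in output")
    doc = raw[start:].split(EOM, 1)[0].strip()  # first framed message only
    root = ET.fromstring(doc)  # input is output from a device you administer
    if root.tag != NS + "hello":
        raise ValueError("unexpected root element: " + root.tag)
    caps = [c.text.strip() for c in root.iter(NS + "capability") if c.text]
    sid = root.findtext(NS + "session-id")
    if sid is None:
        raise ValueError("server hello carries no session-id")
    return int(sid), caps


def review(caps):
    """Summarise the advertised capabilities for a config-backup account."""
    return {
        "writable_running": WRITABLE_RUNNING in caps,
        "vendor": [c for c in caps if c.startswith("http://xml.juniper.net/dmi/")],
    }


if __name__ == "__main__":
    print(review(parse_hello(SAMPLE_HELLO)[1]))
```
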