Describes the Prerequisites for Bastion Orchestrator Configuration.

The following are the prerequisites to configure two SD-WAN Orchestrators as a Bastion pair:
  • Set the session.options.enableBastionOrchestrator system property to True in both SD-WAN Orchestrators (Bastion and Production). By default, this system property is set to False.
  • Make a note of the Universally Unique Identifier (UUID) of both the Bastion and Production Orchestrators, to be used for Bastion configuration. You can get the UUID from the vco.uuid System Property.
  • Make a note of the Session Secret value of the Bastion Orchestrator from the session.secret System Property. The UUID and Session Secret values of the Bastion Orchestrator are required if you want to upgrade the Edge software image after Edge promotion. For more information, see the Limitations section in Bastion Orchestrator Overview.
  • In the Production Orchestrator, ensure that you have created at least one Operator Super user account that can be used for staging to the Bastion Orchestrator. For steps, see Create New Operator User. This Operator Super user account is used for emergency purposes to gain access to the Bastion Orchestrator. During normal operation, the account must be disabled from the Production Orchestrator to reduce the attack surface.
  • In the Production Orchestrator, ensure that the Operator profile (used for Edge provisioning) has the respective Orchestrator IP address set in the Orchestrator Address field under Management Settings.
  • In the Production Orchestrator, create a new Enterprise profile with a minimum configuration (configuration without enterprise services, segments configuration, object groups) for the purpose of staging an Enterprise customer to a Bastion Orchestrator. For steps, see Create New Profile.