The NCP Exclusive Remote Access Client is part of the NCP Exclusive Remote Access solution for Juniper SRX Series Gateways. The VPN client is only available with NCP Exclusive Remote Access Management. Use the NCP Exclusive Client to establish secure, IPsec-based data links from any location when connected with SRX Series Gateways.
Understanding IPsec VPNs with NCP Exclusive Remote Access Client
This section describes IPsec VPN support on SRX Series devices for NCP Exclusive Remote Access Client software.
NCP Exclusive Remote Access Client
Users running NCP Exclusive Remote Access Client software on Windows and macOS devices can establish IKEv1 or IKEv2 IPsec VPN connections with SRX Series devices. NCP Exclusive Remote Access Client software is available for download at https://www.ncp-e.com/ncp-exclusive-remote-access-client/.
Licensing
A two-user license is supplied by default on an SRX Series device. A license is required for additional users. Contact your Juniper Networks representative for all remote access licensing.
Licensing is based on the number of users. For example, if the number of licenses installed is for 100 users, then 100 different users can establish VPN connections. Because of traffic selectors, each user can establish multiple tunnels. When a user disconnects, their license is released one minute after the IKE and IPsec security associations (SAs) expire.
License enforcement is verified only after Phase 2 negotiation is completed. This means that a remote access user can connect to the SRX Series device and IKE and IPsec SAs can be established, but if the user exceeds the licensed user limit, the user is disconnected.
Licensing for vSRX instances is subscription-based: connected remote access users are not disconnected immediately when an installed license expires. When a remote access user disconnects and the corresponding IKE and IPsec SAs expire, subsequent reconnection of the user depends on whether the currently installed license is expired or not.
AutoVPN
The NCP Exclusive Remote Access Client is supported with AutoVPN in point-to-point secure tunnel interface mode. AutoVPN is only supported on route-based IPsec VPNs on the SRX Series device.
Traffic Selectors
Traffic selectors configured on the SRX Series device and the NCP client determine the client traffic that is sent through the IPsec VPN tunnel. Traffic in and out of the tunnel is allowed only for the negotiated traffic selectors. If the route lookup for a packet's destination address points to an st0 interface (on which traffic selectors are configured) and the packet's traffic selector does not match the negotiated traffic selector, the packet is dropped. Multiple Phase 2 IPsec SAs and auto route insertion (ARI) are supported with the NCP Exclusive Remote Access Client. Traffic selector flexible match with ports and protocols is not supported. For this feature, the remote address of the traffic selector must be 0.0.0.0/0.
In many cases, all traffic from remote access clients is sent through VPN tunnels. The local address configured in the traffic selector can be 0.0.0.0/0 or a specific address, as explained in the next sections.
Configuring a traffic selector on the SRX Series device with the remote address 0.0.0.0/0 is supported for NCP Exclusive Remote Access Client connections. After VPN negotiation is completed, the remote address for the traffic selector is expected to be a single IP address (the address of the remote access client assigned by either a RADIUS server or the local address pool).
Split Tunneling
Split tunneling uses a more specific prefix than 0.0.0.0/0 (the protected resource's address) as the local address in a traffic selector configured on the SRX Series device. A corresponding traffic selector can be configured on the remote access client. The SRX Series device allows traffic on the VPN tunnel that matches the results of the flexible match from both traffic selectors. If the traffic selector configured on the remote access client cannot be matched with the traffic selector configured on the SRX Series device, tunnel negotiation fails. For IKEv1, the local and remote addresses in the client's traffic selector configuration must be the same addresses as, or a subset of, the addresses in the corresponding traffic selector configured on the SRX Series device.
Multiple Subnetworks
On the SRX Series device, one traffic selector can be configured for each protected subnetwork. Subnetworks cannot overlap. On the NCP Exclusive Remote Access Client, one traffic selector must be configured for each traffic selector configured on the SRX Series device. Addresses that are configured in the split tunnel window of the NCP Exclusive Remote Access Client are used as the client's remote traffic selector; these addresses must be the same addresses as, or a subset of, the addresses in the corresponding traffic selector configured on the SRX Series device. One IPsec SA pair is created for each traffic selector.
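The traffic selector rules in the three sections above (remote address 0.0.0.0/0 on the SRX, non-overlapping protected subnetworks, client split-tunnel entries that equal or sit inside their SRX counterpart, and the drop of packets routed to st0 that match no negotiated selector) can be checked before a configuration is committed. The following Python is an added example written for this page; it is not Juniper or NCP code, it applies the "same or subset" rule to both IKE versions, and every prefix in it is a constructed sample value.

```python
"""Traffic selector checks for an SRX Series / NCP remote access design.
Added example, not Juniper or NCP code. It encodes the rules stated in the
text: the remote address of an SRX traffic selector must be 0.0.0.0/0,
protected subnets on the SRX must not overlap, each client split-tunnel
entry must equal or be a subset of its SRX counterpart (otherwise tunnel
negotiation fails), and a packet routed to an st0 interface is dropped
unless it matches a negotiated selector. All prefixes are constructed."""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def validate_srx_selectors(selectors):
    """selectors: list of (local, remote) prefixes configured on the SRX.
    Returns a list of problems; an empty list means the design is acceptable."""
    problems, seen = [], []
    for local, remote in selectors:
        l, r = net(local), net(remote)
        if r != ANY_V4:
            problems.append(f"remote address of selector {local} must be 0.0.0.0/0, got {remote}")
        for other in seen:
            if l.overlaps(other):
                problems.append(f"protected subnet {l} overlaps {other}")
        seen.append(l)
    return problems


def client_selector_ok(client_prefix, srx_local):
    """A client entry is accepted only if it equals or is inside the SRX local prefix."""
    c, s = net(client_prefix), net(srx_local)
    return c == s or c.subnet_of(s)


def negotiate(srx_selectors, client_prefixes, client_ip):
    """Pair every client split-tunnel entry with an SRX selector it fits inside.
    After negotiation the remote side collapses to the client's single address,
    so each pair is returned as (srx_local_net, client_host_net).
    Raises ValueError when a client entry has no matching SRX selector."""
    remote = net(f"{client_ip}/32")
    negotiated = []
    for cp in client_prefixes:
        match = next((local for local, _ in srx_selectors if client_selector_ok(cp, local)), None)
        if match is None:
            raise ValueError(f"client selector {cp} does not fit any SRX traffic selector")
        negotiated.append((net(match), remote))
    return negotiated


def forward_decision(src_ip, dst_ip, negotiated, st0_routes):
    """Decision for a packet leaving the SRX toward a destination.
    If the route lookup points at st0, the packet passes only when src/dst fall
    inside a negotiated (local, remote) selector pair; otherwise it is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(dst in net(r) for r in st0_routes):
        return "forward-clear"          # not a tunnel destination, normal forwarding
    if any(src in local and dst in remote for local, remote in negotiated):
        return "forward-tunnel"
    return "drop"


if __name__ == "__main__":
    srx = [("10.1.0.0/16", "0.0.0.0/0"), ("10.2.0.0/24", "0.0.0.0/0")]
    print(validate_srx_selectors(srx))
    neg = negotiate(srx, ["10.1.0.0/16", "10.2.0.0/24"], "203.0.113.7")
    print(forward_decision("10.1.4.4", "203.0.113.7", neg, ["203.0.113.7/32"]))
    print(forward_decision("10.9.0.1", "203.0.113.7", neg, ["203.0.113.7/32"]))
```

The `forward_decision` model is the defender's view of the drop rule: a host behind the SRX that is not inside a negotiated local prefix cannot reach the client even though a route to the client exists on st0, which is the symptom to look for when split-tunnel reachability fails.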
NCP Exclusive Remote Access Client Authentication
There are two forms of extended authentication of the NCP Exclusive Remote Access Client, depending on the IKE version of the client:
IKEv1 NCP Exclusive Remote Access Client authentication is supported with XAuth using either a RADIUS server or a local access profile. For IKEv1 remote access connections, preshared keys are used for IKE Phase 1 authentication. Extended Authentication (XAuth) is used to authenticate the remote access user. The SRX Series device must be configured for IKE aggressive mode.
Note: For the IKEv1 NCP Exclusive Remote Access Client, preshared key authentication is supported with AutoVPN. For AutoVPN deployments that do not use user-based authentication, only certificate authentication is supported.
IKEv2 NCP Exclusive Remote Access Client authentication requires a RADIUS server that supports EAP. The SRX Series device acts as a pass-through authenticator to relay EAP messages between the NCP Exclusive Remote Access Client and the RADIUS server. The following EAP authentication types are supported:
EAP-MSCHAPv2
Note: A master session key must be generated by the RADIUS server for EAP-MSCHAPv2.
EAP-MD5
EAP-TLS
For the IKEv2 NCP Exclusive Remote Access Client, a digital certificate is used to authenticate the SRX Series device. Extensible Authentication Protocol (EAP) is used to authenticate the remote access client.
Remote Access Client Attribute and IP Address Assignment
Attribute Assignment
For IKEv1 or IKEv2 remote access clients, attributes can be assigned through a RADIUS server or through local network attributes configuration. If a RADIUS server is used for authentication but no network attributes are assigned, network attributes (including IP addresses) can be configured locally if needed.
The following client attributes are based on RFC 2865, Virtual Private Networks Identifier, and are supported with IKEv1 and IKEv2 NCP Exclusive Remote Access Client:
Framed-IP-Address
Framed-IP-Netmask
The following Juniper vendor-specific attributes (VSAs) are supported with IKEv1 and IKEv2 NCP Exclusive Remote Access Client:
Juniper-Primary-DNS
Juniper-Primary-Wins
Juniper-Secondary-DNS (only available with IKEv2)
Juniper-Secondary-Wins (only available with IKEv2)
The VSA Juniper-Local-Group-Name is not supported.
IP Address Assignment
If an IP address is allocated from both a local address pool and by a RADIUS server, the IP address allocated by the RADIUS server takes precedence. If the RADIUS server does not return an IP address and there is a user-configured local address pool, an IP address is assigned to the remote client from the local pool.
Note: The number of addresses in the local address pool or RADIUS server address pool should be larger than the number of remote access client users. This is because when a user disconnects, it can take up to one minute for the user to be logged off.
When an IP address is assigned from an external RADIUS server or a local address pool, an IP address with a 32-bit mask is passed to the NCP Exclusive Remote Access Client. After the tunnel is established, auto route insertion (ARI) automatically inserts a static route to the remote client's IP address so that traffic from behind the SRX Series device can be sent into the VPN tunnel to the client's IP address.
The configured traffic selectors might not cover the IP addresses allocated by the RADIUS server or a local address pool. In this case, a remote client may not be able to reach an IP address for another remote client in the subnetwork through a VPN tunnel. A traffic selector must be explicitly configured that matches the IP address allocated to the other remote client by the RADIUS server or local address pool.
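The address assignment behaviour described in this section, together with the one-minute release delay from the Licensing section, determines how large a local pool has to be. The following Python is an added example for this page, not Juniper code: it models RADIUS precedence over the local pool, the /32 handed to the client, the ARI host route, the delayed reuse of a released address, and the check that a negotiated selector covers another client's address. The pool network, user names, timestamps and the `st0.0` interface name are constructed sample values.

```python
"""Model of remote access IP address assignment on an SRX Series device.
Added example, not Juniper code. It shows the precedence stated in the text
(a RADIUS Framed-IP-Address wins over the local pool), the 32-bit mask handed
to the client, the auto route insertion (ARI) host route toward the client,
the one-minute delay after SA expiry before a released address can be reused
(why the pool must be larger than the user count), and the check that a
negotiated traffic selector covers another client's address. All addresses
and timestamps are constructed."""
import ipaddress

RELEASE_DELAY_S = 60  # an address is reusable one minute after the user's SAs expire


class AddressPool:
    """Local address pool with the delayed release the text describes."""

    def __init__(self, network):
        self.network = ipaddress.ip_network(network)
        self.in_use = {}    # address -> user
        self.cooling = {}   # address -> time at which it becomes reusable

    def allocate(self, user, now):
        for addr in self.network.hosts():
            if addr in self.in_use:
                continue
            if addr in self.cooling and self.cooling[addr] > now:
                continue                    # still within the one-minute logoff window
            self.cooling.pop(addr, None)
            self.in_use[addr] = user
            return addr
        return None                         # pool exhausted

    def release(self, address, sa_expiry_time):
        addr = ipaddress.ip_address(address)
        del self.in_use[addr]
        self.cooling[addr] = sa_expiry_time + RELEASE_DELAY_S

    def free_count(self, now):
        """Addresses immediately allocatable at time `now`."""
        return sum(1 for a in self.network.hosts()
                   if a not in self.in_use and self.cooling.get(a, 0) <= now)


def assign_address(user, radius_attrs, pool, now):
    """Return the client's address as a /32 string. RADIUS Framed-IP-Address
    takes precedence; otherwise an address comes from the local pool."""
    framed = radius_attrs.get("Framed-IP-Address")
    if framed:
        addr = ipaddress.ip_address(framed)
    else:
        addr = pool.allocate(user, now)
        if addr is None:
            raise RuntimeError(f"no free address for {user}; enlarge the pool")
    return f"{addr}/32"                     # 32-bit mask passed to the client


def ari_route(client_prefix, tunnel_if="st0.0"):
    """Auto route insertion: static host route to the client via the tunnel interface."""
    return {"prefix": client_prefix, "next-hop": tunnel_if}


def client_reachable_via_tunnel(other_client_prefix, negotiated_locals):
    """Client-to-client traffic only works if some negotiated selector
    explicitly covers the other client's assigned address."""
    other = ipaddress.ip_network(other_client_prefix)
    return any(other.subnet_of(ipaddress.ip_network(l)) for l in negotiated_locals)


if __name__ == "__main__":
    pool = AddressPool("203.0.113.0/29")          # constructed sample pool
    print(assign_address("alice", {"Framed-IP-Address": "203.0.113.77"}, pool, now=0))
    bob = assign_address("bob", {}, pool, now=0)
    print(bob, ari_route(bob))
    pool.release("203.0.113.1", sa_expiry_time=100)
    print(pool.free_count(120), pool.free_count(170))
```

Running the pool at the same size as the user count makes `assign_address` fail for the user who reconnects inside the logoff window, which is exactly the sizing caveat in the note above; `free_count` is the number to compare against expected concurrent users when planning the pool.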
Supported Features
The following features are supported on the SRX Series device with the NCP Exclusive Remote Access Client:
Traffic initiation from the SRX Series device as well as the NCP Exclusive Remote Access Client
Remote access clients behind a NAT device (NAT-T)
Dead peer detection
Chassis cluster configuration of the SRX Series device
Caveats
The following features are not supported on the SRX Series device with the NCP Exclusive Remote Access Client:
Routing protocols
AutoVPN with the st0 interface in point-to-multipoint mode
Auto Discovery VPN (ADVPN)
IKEv2 EAP with preshared keys
Note: The IKEv2 NCP Exclusive Remote Access Client must use certificates for authenticating the SRX Series device.
Policy-based VPN
IPv6 traffic
VPN monitoring
Next-hop tunnel binding (NHTB), both auto and manual
Multiple traffic selectors in negotiation
Traffic selectors received from the NCP Exclusive Remote Access Client in the same virtual router must not contain overlapping IP addresses
Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client
In many public hotspot environments, UDP traffic is blocked while TCP connections over port 443 are normally allowed. For these environments, SRX Series devices can support SSL Remote Access VPNs by encapsulating IPsec messages within a TCP connection. This implementation is compatible with the third-party NCP Exclusive Remote Access Client. This section describes the support for NCP Exclusive Remote Access Client on SRX Series devices.
Benefits of SSL Remote Access VPNs with NCP Exclusive Remote Access Client
Secure remote access is ensured even when a device between the client and the gateway blocks Internet Key Exchange (IKE) (UDP port 500).
Users retain secure access to business applications and resources in all working environments.
NCP Exclusive Remote Access Client
Users running NCP Exclusive Remote Access Client software on Windows, macOS, Apple iOS, and Android devices can establish TCP connections over port 443 with SRX Series devices to exchange encapsulated IPsec traffic.
NCP Exclusive Remote Access Client runs in either of the two following modes:
NCP Path Finder v1, which supports IPsec messages encapsulated within a TCP connection over port 443
NCP Path Finder v2, which supports IPsec messages within an SSL/TLS connection (NCP Path Finder v2 uses TLSv1.0.)
A proper SSL handshake takes place using RSA certificates. IPsec messages are encrypted with keys exchanged during the SSL handshake. This results in double encryption, once for the SSL tunnel and again for the IPsec tunnel.
Note: For NCP Path Finder v2 mode support, RSA certificates have to be loaded on the SRX Series device and an SSL termination profile that references the certificate must be configured.
The NCP Exclusive Remote Access Client provides a fallback mechanism in case regular IPsec connection attempts fail due to firewall or proxy servers blocking the IPsec traffic. The NCP Path Finder v2 mode is an enhancement offering full TLS communication, which will not be blocked by highly restrictive application-level firewalls or proxies. If a regular IPsec connection cannot be established, the NCP Exclusive Remote Access Client automatically switches to NCP Path Finder v1 mode. If the client still cannot get through to the gateway, NCP enables NCP Path Finder v2 mode using the full TLS negotiation.
Licensing
A two-user license is supplied by default on an SRX Series device. A license must be purchased and installed for additional concurrent users.
Operation
On an SRX Series device, a TCP encapsulation profile defines the data encapsulation operation for remote access clients. Multiple TCP encapsulation profiles can be configured to handle different sets of clients. For each profile, the following information is configured:
Name of the profile.
Optional logging of remote access client connections.
Tracing options.
SSL termination profile for SSL connections.
TCP connections from NCP Exclusive Remote Access Client are accepted on port 443 on the SRX Series device.
The TCP encapsulation profile is configured at the [edit security] hierarchy level. The encapsulation profile is then specified in the IKE gateway configuration at the [edit security ike gateway] hierarchy level, and the host-inbound system services for the zone that receives the client connections are configured at the [edit security zones security-zone] hierarchy level.
Note: TCP connections from NCP Exclusive Remote Access Clients use port 443 on SRX Series devices. Device management on TCP connections, such as J-Web, can also use port 443 on SRX Series devices. The TCP encapsulation system service must be configured for host inbound traffic on the zone in which NCP Exclusive Remote Access Client connections are received (the untrust zone in this example). If J-Web is used on port 443, the Web management system service must also be configured for host inbound traffic on the required zone.
Configure the NCP Exclusive Remote Access Client. See the documentation for the NCP Exclusive Remote Access Client for information on how to do this. The configuration of the NCP Exclusive Remote Access Client profile must match the VPN configuration on the SRX Series device.
Overview
In this example, an external RADIUS server (such as an Active Directory server) authenticates IKEv2 Exclusive Remote Access Client users using the EAP-TLS protocol. The RADIUS server is configured with the IP address 192.0.2.12. See your RADIUS server documentation for information on configuring user authentication.
An authenticated client is assigned an IP address and a primary DNS server from a local address pool configured on the SRX Series device. The traffic selector is configured with 0.0.0.0/0 for the remote and local addresses, which means that any traffic is permitted on the tunnel. TCP encapsulation and IKE host inbound system services are configured on the untrust security zone. If J-Web is used on port 443, the HTTPS host inbound system service should also be configured.
In this example, the security policies permit all traffic. More restrictive security policies should be configured for production environments.
Table 1 shows the IKE and IPsec values configured on the SRX Series device to support NCP Exclusive Remote Access Client connections in this example.
Table 1: IKE and IPsec Options on the SRX Series Device for NCP Exclusive Remote Access Client Connections
Option | Value
IKE proposal: Authentication method | rsa-signatures
IKE proposal: Diffie-Hellman (DH) group | group19
IKE proposal: Encryption algorithm | aes-256-gcm
IKE policy: Certificate | local-certificate
IKE gateway: Dynamic | user-at-hostname
IKE gateway: IKE user type | group-ike-id
IKE gateway: Version | v2-only
IPsec proposal: Protocol | esp
IPsec proposal: Encryption algorithm | aes-256-gcm
IPsec policy: Perfect Forward Secrecy (PFS) group | group19
Topology
Figure 1 shows the network connections in this example.
Configuration
Enroll Certificates in the SRX Series Device
In this example, the first step is to enroll a certificate authority (CA) certificate and a local certificate in the SRX Series device. The local certificate is used to authenticate the SRX Series device to remote clients. In this example the certificates are issued by a Microsoft Certificate Authority; if a different CA is used, the enrollment URL will differ. The example requires the CA server to support SCEP.
The configuration of the CA profile depends on the CA server used. In this example, CRL is used to check certificate revocation. Use the appropriate enrollment and CRL URLs for your environment. The CA profile configuration must be committed before you can proceed.
If no SSL termination profile is configured, only NCP Path Finder v1 mode is supported. NCP Path Finder v2 support requires an SSL termination profile; when an SSL termination profile is configured, NCP Path Finder v1 is still supported.
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
When you are done configuring the device, verify the connection from operational mode by entering the show security ike security-associations, show security ike active-peer, and show security tcp-encap connections commands.
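The configuration requirements collected in this example (a TCP encapsulation profile referenced by the IKE gateway, tcp-encap and ike host-inbound services on the receiving zone, an SSL termination profile for Path Finder v2, HTTPS host-inbound if J-Web shares port 443, and the v2-only / rsa-signatures IKE settings from Table 1) are easy to miss one at a time. The following Python is an added example for this page, not Juniper code: a pre-commit linter that reads a list of `set` commands and reports which of those requirements is unmet. The sample configuration embedded in it is constructed, and its statement syntax is assumed to follow the [edit security] and [edit services ssl] hierarchies named in the text; profile, proposal, gateway and certificate names are placeholders.

```python
"""Pre-commit check of a Junos configuration for NCP remote access.
Added example, not Juniper code. It parses `set` statements and checks the
points raised in the text: the TCP encapsulation profile exists and is
referenced by the IKE gateway, the zone receiving NCP connections allows
tcp-encap and ike host-inbound traffic, an SSL termination profile is present
when Path Finder v2 is required, https host-inbound is present when J-Web
shares port 443, and the IKE gateway is v2-only with an rsa-signatures
proposal as in Table 1. SAMPLE_CONFIG is constructed; statement syntax is
assumed, and all names in it are placeholders."""

SAMPLE_CONFIG = """
set security tcp-encap profile NCP log
set security tcp-encap profile NCP ssl-profile ssl-ncp
set services ssl termination profile ssl-ncp server-certificate srx-cert
set security ike proposal ncp-ike authentication-method rsa-signatures
set security ike proposal ncp-ike dh-group group19
set security ike proposal ncp-ike encryption-algorithm aes-256-gcm
set security ike gateway NCP version v2-only
set security ike gateway NCP tcp-encap-profile NCP
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
"""


def parse_set(config_text):
    """Return each `set` statement as a list of tokens (without the leading `set`)."""
    return [line.split()[1:] for line in config_text.strip().splitlines()
            if line.strip().startswith("set ")]


def lint(config_text, ncp_zone="untrust", need_pathfinder_v2=True, jweb_on_443=False):
    """Return a list of findings; an empty list means every checked requirement is met."""
    findings = []
    profiles, profile_ssl, ssl_profiles = set(), {}, set()
    gateway_profile, gateway_version, proposal_auth, zone_services = {}, {}, {}, {}
    for s in parse_set(config_text):
        if s[:3] == ["security", "tcp-encap", "profile"] and len(s) >= 4:
            profiles.add(s[3])
            if len(s) >= 6 and s[4] == "ssl-profile":
                profile_ssl[s[3]] = s[5]
        elif s[:4] == ["services", "ssl", "termination", "profile"] and len(s) >= 5:
            ssl_profiles.add(s[4])
        elif s[:3] == ["security", "ike", "gateway"] and len(s) >= 6:
            if s[4] == "tcp-encap-profile":
                gateway_profile[s[3]] = s[5]
            elif s[4] == "version":
                gateway_version[s[3]] = s[5]
        elif s[:3] == ["security", "ike", "proposal"] and len(s) >= 6 and s[4] == "authentication-method":
            proposal_auth[s[3]] = s[5]
        elif (s[:3] == ["security", "zones", "security-zone"] and len(s) >= 7
              and s[4:6] == ["host-inbound-traffic", "system-services"]):
            zone_services.setdefault(s[3], set()).add(s[6])

    if not profiles:
        findings.append("no TCP encapsulation profile configured")
    if not gateway_profile:
        findings.append("no IKE gateway references a TCP encapsulation profile")
    for gw, prof in gateway_profile.items():
        if prof not in profiles:
            findings.append(f"gateway {gw} references unknown tcp-encap profile {prof}")
        if need_pathfinder_v2 and prof not in profile_ssl:
            findings.append(f"profile {prof} has no ssl-profile; only Path Finder v1 will work")
        elif prof in profile_ssl and profile_ssl[prof] not in ssl_profiles:
            findings.append(f"ssl-profile {profile_ssl[prof]} is not defined under services ssl termination")
        if gateway_version.get(gw) != "v2-only":
            findings.append(f"gateway {gw} should be version v2-only for IKEv2 EAP clients")
    svcs = zone_services.get(ncp_zone, set())
    for required in ("ike", "tcp-encap"):
        if required not in svcs:
            findings.append(f"zone {ncp_zone} does not allow host-inbound {required}")
    if jweb_on_443 and "https" not in svcs:
        findings.append(f"J-Web on 443 needs host-inbound https in zone {ncp_zone}")
    if "rsa-signatures" not in proposal_auth.values():
        findings.append("no IKE proposal uses rsa-signatures (certificate authentication of the SRX)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, jweb_on_443=True) or ["no findings"]:
        print(finding)
```

Run `lint` over the candidate configuration before committing; the `need_pathfinder_v2` switch reflects the point in the text that Path Finder v1 works without an SSL termination profile but v2 does not, and `jweb_on_443` reflects the shared-port note.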