Encapsulating Security Payload (ESP):
The Encapsulating Security Payload (ESP) header is designed to provide a mix of security services in IPv4 and IPv6. ESP may be applied alone, in combination with the IP Authentication Header (AH), or in a nested fashion, e.g. through tunnel mode. The ESP header is inserted after the IP header and before the upper layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).
ESP (defined in RFC 2406) is one of the key protocols of IPSec, and utilizes traditional encryption and authentication methods (AES/SHA1/MD5) to provide confidentiality, origin authentication, integrity, and anti-replay protection.
ESP uses IPSec with AES/SHA1/MD5 as encryption methods. It uses port 4500 and UDP for the connection (per RFC 3948).
Note: By default, ESP mode is selected in VPN Tunneling Connection Profile and the UDP port configured has to be opened between Network Connect / Pulse Secure client and Pulse Connect Secure device.
When ESP mode is selected, whether you specify a custom port number or choose to use the default port number (4500) configured on the Pulse Secure Connect gateway, you must also ensure that other devices along the encrypted tunnel allow UDP traffic to pass between the Pulse Connect Secure device and Pulse Secure / Network Connect clients.
For example, if you employ an edge router and a firewall between the Internet and your corporate intranet, you must ensure that port 4500 is enabled on both the router and the firewall and that port 4500 is configured to pass UDP traffic. A firewall will see two connections per user when using ESP; one for the Control Channel on port 443 (SSL) and one for the data channel on port 4500 (Default for ESP).
The main advantage for ESP transport mode is the increase in performance over SSL transport mode.
NCP/oNCP are the internal protocols which are used to communicate between the Pulse Connect Secure device and client applications.Network Communications Protocol (NCP)
— Standard NCP has been replaced by oNCP. Windows client applications, including the Secure Meeting Windows client, WSAM, and Terminal Services, fallback to NCP if oNCP fails.Optimized NCP (oNCP)
— Optimized NCP significantly improves the throughput performance of the client applications over NCP because it contains improvements to protocol efficiency, connection handling, and data compression. Windows client applications, including the Secure Meeting Windows client, WSAM, Network Connect and Terminal Services use oNCP by default.
oNCP uses SSL encryption methods (RC4-128). It uses port 443 and TCP for the connection. When oNCP/NCP (SSL) mode is selected, you will see security as SSL instead of AES/MD5 and Transport Mode to be SSL instead ESP.
The main advantage for SSL is maximum compatibility for end users as TCP port 443 is a common port that firewalls are not configured to deny.Note
- If you are using Network Connect to provide client access, we recommend that you exercise caution when employing the Auto-select Disabled option, as Mac and Linux clients cannot connect using the traditional NCP protocol. If you disable the oNCP/NCP auto-selection feature and a UDP-to-oNCP/NCP fail-over occurs, the Pulse Connect Secure gateway will disconnect Macintosh and Linux clients.
- NCP is an older protocol used only with Windows clients. oNCP supports Windows too, but also Mac and Linux clients. Unless the auto-select feature has been disabled (System > Configuration > NCP), oNCP is used first and will only fail over to NCP in cases where an oNCP connection is not possible (such as when a Web proxy is required). Disabling NCP auto-select is no longer supported.