NCP Secure Enterprise Management
Remote Access VPN that pays off

Features:

NCP Secure Enterprise Management consists of the Management Server and the Management Console with graphic user interface. The Management Server serves for configuration and management of all connected NCP components. This includes the NCP Secure Enterprise Clients for Windows, mac-OS/OS X, Android, iOS and, Linux as well as the NCP Secure Enterprise VPN Server. The Management Server is a database-based system and it corresponds with virtually any database via ODBC (e.g. Oracle, MySQL, MS SQL, MS Access, MaxDB). Optionally the Backup Management Server ensures high-availability of the Management Server, which always has the current data repository available through an integrated replication service.

Management Server Plug-ins:

• Client Configuration
• System Monitor
• Client Firewall Configuration
• Server Configuration
• Remote Server Configuration
• Network Access Control (NAC), PKI Enrollment, RADIUS

Overview – central management functionalities

In all of these cases administrators of legally autonomous companies must have the capability to manage their "shared" VPN. This is done by forming groups and using a convenient method of assigning rights. Administrators are created in such a manner that each has exclusive access to his area, in other words to the units that he is responsi-ble for managing. The possibility of encroaching on data of other clients in their protected areas is excluded.

The automatic update process enables the administrator to provision software updates centrally for all remote systems, which will be installed automatically the next time the connected to the VPN. If malfunctions occur during the transmission, then the previously existing software version, as well as the configuration, remain unaffected. The software is only updated after complete error-free transmission of all pre-defined files. All data are transmitted in a highly secure manner, (encrypted in the VPN tunnel). The update can also be done without a VPN connection, as long as the end device is within the corporate network. An integrated RADIUS server is used to store and manage all client link profiles.

The Software Update Service also organizes central distribution of all parameters that are relevant for remote access, such as:

• Configurations (profiles)
• Software (updates, upgrades)
• Soft certificates (PKCS#12 files) as user or machine certificate
• Issuer certificates (root certificates)
• International phonebooks (e.g. GoRemote (previously GRIC, Infonet, Uunet, iPass, MCI, etc.)

Optionally the Backup Management Server ensures high-availability of the Management Server, which always has the current data repository available through an integrated replication service.

Components and functionalities of a managed VPN

All relevant data can be input or transferred interactively via the NCP Management Console, or it can be input or transferred in script-driven processes; i.e. user data, license keys, provider passwords, can be transferred to the Management Server per remote system (= managed unit), e.g. for a rollout. The NCP Secure Enterprise Server, or a server supplied by any manufacturer (see the compatibility list at www.ncp-e.com) can be implemented as VPN gateway. Secure Enterprise Management can thus be integrated within any existing IT infrastructure and it enables operation even in complex VPN environments.

Another essential feature of the Management Server is license administration of the managed units. All licenses are transferred into a pool and are automatically managed in accordance with specified guidelines Functional examples:

• Transfer in a configuration per remote client or gateway
• Take-back when an employee leaves a company
• Message in the event that no more licenses are available.

Management Console:

The Management Console provides powerful plug-ins for configuration and management of the managed units:

• Client Configuration
• System Monitor
• Client Firewall Configuration
• Remote Server Configuration
• Network Access Control
• PKI enrollment
• RADIUS

Client Configuration Plug-In

This plug-in enables configuration and administration of NCP Secure Enterprise Clients. All relevant parameters are predefined and stored in templates.

An overview of the specific features:

• Assignment of licenses (serial numbers / activation key)
• Assignment of authentication codes for first connections during the rollout
• Creation and administration of user profiles
• Individual menu items and configuration values can be set as "not visible" or "not changeable" for the user.
• Automated configuration of the user profiles for central components (RADIUS, LDAP, SNMP)
• Pre-setting the Personal Firewall; it cannot be manipulated by the remote user
• Extensive logging (versions, time stamps for configuration changes, automatic upload of client log files…)
• VPN profile presets
• Configuration and software update in LAN – without VPN tunnel
• Update is dependent on media type (e.g. GPRS, UMTS, DSL, WLAN)

System Monitor Plug-In

This plug-in provides fast information about all important events within a VPN installation, in the form of bargraphs or line diagrams. The administrator can use the system monitor as needed to call up current status information in real time, or to access previously saved data repositories of the remote access environment.

System Monitor graphical interface (single point of administration)

Displays:

1. Status information
The following events can be displayed on a group basis:

• System restarts
• Administrator logons (e.g. successful, rejected)
• Client update logons (e.g. successful, rejected)
• Software downloads per package
• RADIUS logons (e.g. successful, rejected)

Ratio displays of two events is possible.

2. History
Display of all events within a certain period:

• Hour, last hour, or the last 2, 3, 4, 6, 12 or 24 hours
• Day; the last 2 or 4 days
• Week; the last week
• Month; last month or month before last
• Current day, current week, current month

Page forward, page back in the respective period in the displayed diagram Colors and views of the diagrams can be freely selected.

Client Firewall Configuration Plug-In

The NCP Secure Client software has an integrated Personal Firewall, which can be managed centrally for the enter-prise versions. The Client Firewall Configuration plug-in enables granular adjustment of firewall rules per teleworkstation.

The following configuration parameters can be set:

• Application-independent and connection-independent filter rules
• Filter rules based on protocol, port and address
• Specifications for detection of "friendly networks" (IP address network, network mask, IP address of the DHCP server, MAC address)
• Logging settings
• Central specification of the user's possibilities to access the firewall configuration.
• FND configuration (Friendly Net Detection)

Server Configuration Plug-In

Use this Plug-in, in order to configure and manage NCP's central Secure Enterprise Server and NCP's Secure Enterprise High Availability Server. If you use a gateway of a third-party supplier and the plug-in, only the features of our non-managed system (web interface) are available to you.

NCP Secure Enterprise Server
The administrator creates templates which are the basis for individual VPN gateway configuration. You can pre-define or configure the following parameter groups:

• Link profiles
• SSL VPN
• Network Access Control / Endpoint Security
• Firewall filter rules
• IKE- and IPsec policies
• Routing information / static routes
• Issuing of Certificates (Machine Certificates)
• License and version management

NCP Secure High Availability Server
The administrator creates templates which are the basis for individual HA Server configuration. You can pre-define or configure the following parameter groups:

• Secure Server (in combination with HA)
• Load factors (load balancing)
• External monitoring rules
• License and version management

Remote Server Configuration Plug-In

This plug-in enables configuration and administration of decentralized NCP Secure Enterprise Gateways. Analogous to the Client Configuration plug-in, general templates are created, which are used as the basis for individual VPN gateway configurations. In holistic remote access VPN solutions, the issue is managing individual teleworkstations, as well as geographically distributed VPN gateways. The following parameter groups can be predefined or config-ured:

• Link profiles
• IKE and IPsec policies
• Routing information
• Creating certificates (machine certificates)
• License and version management

PKI Enrollment Plug-In

This function module is the connecting link between a Public Key Infrastructure (PKI) and the remote access VPN environment. The PKI Enrollment plug-in functions as Registration Authority (RA) and manages the creation as well as the administration of electronic certificates (X.509 v3) in conjunction with different Certification Authorities (CA). Supported CAs: T-Telesec NetPass, Microsoft, NCP Demo CA, others (e.g. RSA Keon) are possible via CMP (Certifi-cate Management Protocol) A generated certificate can optionally be stored as soft certificate (PKCS#12) or on hardware, e.g. smart card or USB token (PKCS#12). The NCP Demo CA that ships with the product can be used to simulate a PKI during the test phase, however it is not intended for productive implementation. Conversion to an external CA is problem-free.

The most important functionalities:

• Creation of certificates (also bulk mode)
• Extension of certificates (PKCS#7)
• Blocking certificates
• Distributing certificates (also multi client certificates) via the NCP Secure Management Server
• Creating the user configuration via LDAP in the directory service
• Creating a PAC (Personal Authentication Code) letter for the initial connection (initialization, licensing)

Network Access Control Plug-In (endpoint security)

Use this plug-in to define all security-relevant parameters that must be checked prior to an access to the corporate network. Compliance with the specified security policies is mandatory and cannot be bypassed or manipulated by the User.

The system can check for the following client parameters:

• Operating system information e.g. version, hot fix status
• Secure Enterprise Client software version
• Services information
• File information
• Status of a virus scanner
• Contents of certain registry values
• Contents of certificates (user and hardware certificate)

Deviations from the target specifications are logged and can trigger different messages or actions, such as:

• Message display on the client
• Outputting a message in the monitor log
• Sending a message to the Management Server
• Sending a message to a Syslog server
• Release of all firewall rules or of a certain firewall rule
• VPN connection disconnect

RADIUS Plug-In

The RADIUS interface is optionally available for configuration of managed units (users) in the central VPN gateway. This plug-in is used to manage the integrated RADIUS server and it is responsible for the following functions:

• Automatic creation of RADIUS accounts via the client and remote server configuration plug-ins
• Support of PAP/CHAP requests
• Capture of accounting data
• Blocking users if there are repeated incorrect logon attempts
• Management of multiple RADIUS configurations of various gateways
• RSA Authentication Manager proxy functionality

Optionally: Redundancy through backup RADIUS servers
Advantage: Existing RADIUS servers can be combined, i.e. they can be replaced in an economical manner.

Technical Data:

Secure Enterprise Management: Technical Data
Operating Systems	Management Server: 64 bit: Windows Server 2016, 2012 R2   CentOS 7.4, Ubuntu Server 16.04.4 LTS
Managed Units	Secure Enterprise Client as of V 10.0 Secure Android Client as of V 2.32 Secure Enterprise Server as of V 10.0
Plug-ins	Automatic Update, Client Firewall Configuration, Client Configuration, Endpoint Policy Enforcement, License Management, PKI, RADIUS, Remote Server Configuration, Server Configuration, Script and System Monitor
Network Access Control (Endpoint Security)	Endpoint Policy Enforcement for incoming data connections. Verification of predefined, security-relevant client parameters. Measures in the event of target/actual deviations in IPsec VPN: Disconnect or continue in the quarantine zone with instructions for action (Message box) or start of external applications (e.g. virus scanner update), logging in Log files. Measures in the event of target/ actual deviations in SSL VPN: Individual grading of access authorization to certain applications in accordance with defined security levels
Advanced Authentication	2-Factor-Authentication via SMS Provider: NCP Advanced Authentication Connector (for smaller installations) Sophos MCS (2FA) Sophos MCS (SMS) Mobilant Multitech SMS Server OpenIT
Multi Company Support	Group capability; Support of max. 256 domain groups (i.e. configuration of: authentication, forwarding, filter groups, IP pools, bandwidth limitation, etc.)
User Administration	LDAP, Novell NDS, MS Active Directory Services
Databases	Windows: MySQL Server 5.x, Driver MySQL ODBC 5.x MariaBD 10.2.10, Driver Maria DB ODBC 3.0.x MS SQL Server 2016, Driver MS SQL Server 10.00.14393.00 Oracle 11g Express, Driver ODBC InstantClient 12.01.00.02 Oracle 12c Enterprise, Driver ODBC InstantClient 12.01.00.02 Linux: MariaDB 5.5.56, Driver MySQL libmysqlclient.so18 Version 5.5.56-MariaDB MySQL 5.7.22, Driver MySQL libmysqlclient.so18 Version 5.6.25-MySQL
Statistics and Logging	Detailed statistics, logging functionality, sending SYSLOG messages
IF-MAP	The overall aim of the ESUKOM Project is the design and development of a real time security solution for company networks which works on the basis of consolidating meta data. The special focus of the project is the threat resulting from mobile end devices, e.g. smartphones. ESUKOM focuses on the integration of existing security solutions (commercial and open source) which are based on a consistent meta data format according to IF-MAP specifications of the Trusted Computing Group (TCG).
Client/User Authentication Processes	OTP token, certificates (X.509 v.3): User and hardware certificates (IPsec), user name and password (XAUTH)
Certificates (X.509 v.3)
Certificates	It is possible to use certificates which are provided via PKCS#12 container (Clients and Server)
Revocation Lists	Revocation: EPRL (End-entity Public-key Certificate Revocation List, formerly CRL), CARL (Certification Authority Revocation List, formerly ARL)
Online Check	Automatic downloads of revocation lists from the CA at certain intervals; Online check: Checking certificates via OCSP or OCSP over http
Certification Authorities	Microsoft Certificate Services: as „stand alone CA”; As “integrated CA in the domain”: certificate templates can be adapted
Virus Scanner	Windows allows the system to request all virus scanner which deliver their status over WMI (Windows Management Instrumentation) or NAC (Network Admission Control) to the Security Center
Supported RFCs and Drafts	RFC 2138 Remote Authentication Dial In User Service (RADIUS); RFC 2139 RADIUS Accounting; RFC 2433 Microsoft CHAP; RFC 2759 Microsoft CHAP V2; RFC 2548 Microsoft Vendor-specific RADIUS Attributes; RFC 3579 RADIUS Support For Extensible Authentication Protocol (EAP); RFC 2716 PPP EAP TLS Authentication Protocol; RFC 2246 The TLS Protocol; RFC 2284 PPP Extensible Authentication Protocol (EAP); RFC 2716 Certificate Management Protocol; RFC 2511Certificate Request Message Format; Draft-ietf-pkix-cmp-transport-protocols-04.txt Transport Protocols for CMP; Draft-ietf-pkix-rfc2511bis-05.txt Certificate Request Message Format (CRMF)
Recommended VPN Clients
NCP Secure Enterprise Clients	Windows, Mac OS X, iOS, Windows Mobile, Android, Windows CE, Linux

Documentation:

Download the NCP Secure Enterprise Management Datasheet (PDF).