NCP Secure Enterprise VPN Server
Universal Platform for Comprehensive Remote Access to Your Company Network

Features:

Universality

NCP's Secure Enterprise VPN Server is a component of NCP's comprehensive VPN solution based on NCP's Next Generation Network Access Technology.

The VPN gateway integrates mobile and stationary teleworkers into one cross-company data network. The software can be installed on a standard PC running on Windows or Linux and can be used as central switching and monitoring tool behind a firewall in the DMZ (Demilitarized zone) or directly on the public network (Wide Area Network) or as VM Ware.

In IPsec environments, NCP's Secure Enterprise VPN Server is compatible to VPN gateways of established third-party suppliers. It is a universal remote access platform that offers connectivity for all NCP clients and, what is more, for all third-party VPN clients based on the IPsec standard.

The solution is further based on international standards and can be smoothly integrated into already existing IT infrastructure.

The modular software architecture of NCP's Secure Enterprise VPN Server offers companies a high degree of planning and investment security. It is possible to scale the number of remote users and VPN tunnels according to need.

Management/Multi-tenancy

Multi-tenancy or "multi company support" enables the concurrent use of a VPN gateway by several companies (resource sharing). Administrators of the connected companies are able to use a comfortable access management system to manage their respective NCP VPN clients*.

The NCP Secure Enterprise VPN Server also now contains a virtual network interface adapter, which is particularly important for cloud and Software as a Service (SaaS) provider environments. It can completely seal off data communication from the gateway operator and surrounding operating systems, and better protect it by decrypting the data, automatically forwarding it into a different VPN tunnel and re-encrypting it.

In large remote access VPN networks with several VPN gateways, NCP's High Availability Services ensure high availability and consistent workload for all installed VPN gateways.

Flexible user management can be executed directly via the VPN gateway or back-end systems, such as RADIUS LDAP or MS Active Directory. Integrated IP routing and firewall functionalities ensure connectivity and security for networking a branch office for example.

Administrators configure and manage the NCP Secure Enterprise VPN Server via the NCP Secure Enterprise Management through plug-in or a web interface. The management feature serves for central control and monitoring of all VPN components. Integrated automatisms optimize performance, ensure transparency, security and economic efficiency of the VPN solution.

NCP VPN Path Finder

With its unique "NCP VPN Path Finder" NCP provides a technology that enables users to use secure remote access even behind firewalls, whose port settings generally deny IPsec communication (e.g. in hotels).

Security/Strong Authentication

The NCP Secure Enterprise VPN Server supports all standards for highly secure data transfer in all remote access environments.

The NCP server supports strong authentication features such as one-time-password-tokens (OTP), text messages (SMS) or hard and software certificates and certificates with elliptic curve cryptography. Based on revocation lists, the server verifies the validity of certificates relative to the Certification Authority offline or online at each dial-in.

The NCP Advanced Authentication integrates a Two-Factor Authentication with a One-Time Password (OTP) in the Secure Enterprise Management via SMS. Each password is created by a random number generator within the NCP Advanced Authentication Connector.

Endpoint Security and Sandbox (Network Access Control = NAC**)

The security status of mobile and stationary end-devices is verified prior to the device gaining access to the corporate network. All parameters are defined centrally and the teleworkers' access rights depend on their compliance to them.

For IPsec VPN access, the options are "disconnect" or "continue in the quarantine zone". For an SSL VPN access, authorization to certain applications will be granted on the basis of pre-defined security levels. During the SSL VPN session all data is stored in NCP's Virtual Private Desktop (Sandbox), which is a work space that is separated from the operating system. After the SSL VPN session has been terminated, the sandbox automatically deletes all data from this container.

This means, meeting the security policies is mandatory for each end-device and the user can neither avoid nor manipulate them.

IPsec and SSL

Using the NCP Secure Enterprise VPN Server, companies are able to set up data connections to their company network on the basis of an IPsec and/or SSL VPN.

With NCP's Secure Client Suite teleworkers have transparent access to all network applications and features - just like in the office. This also includes Voice over IP.

It is possible to assign an NCP Secure Client the same IP address at each connection setup. This IP address is a private IP address from the address range of the company. This enables identification of each teleworker through his IP address and simplifies remote administration and support for the user.

With dynamic assignment of an IP address from a pool, the system reserves the address for a certain user within a defined period (lease time). In case changing IP addresses are used, the NCP Secure Enterprise VPN Server also supports Dynamic DNS (DynDNS) for reachability of the VPN gateway. NCP's SSL VPN solution offers the following options for access to the company network:

• Web Proxy - This module provides authorized users with secure access to internal web applications.
• Port Forwarding – The Thin Client provides access to Client-/Server Applications (TCP/IP). Connection to local client applications (http enabled) via port forwarding. The system automatically downloads the Thin Client to the end-device and is required for additional security options like cache protection, endpoint security and NCP's Virtual Private Desktop.
• PortableLAN – The Fat Client offers transparent network access and has to be installed on each end device.

Hybrid IPsec / SSL VPN gateway software
Universal platform for remote access to the company network

• Integrated IP routing and firewall features
• Integration of iPhone, iPad, iOS and Andoid
• Fallback IPsec / HTTPS (NCP VPN Path Finder Technology®)
• Bandwidth management
• Network Access Control*
• FIPS inside
• Multi-tenancy
• Endpoint Security (SSL VPN)
• Easy Virtualization, perfect for Cloud VPN
• Elliptic Curve Cryptography (ECC)
• Multi Processor Support

*) Only in connection with NCP's Secure Enterprise Management
**) Network Access Control is a fixed part of NCP's SSL VPN Gateways. An IPsec VPN, however, requires the use of NCP's Secure Enterprise Management.

Technical Data:

Secure Enterprise VPN Server: Technical Data
IPsec VPN and SSL VPN – general
Operating Systems	Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 Debian, Red Hat or other Linux distributions with kernel version from 3.10, glibc from 2.17
Management	Administrators configure and manage NCP's Secure Enterprise VPN Server via the NCP Secure Enterprise Management through VPN Server plug-in or a web interface.
Network Access Control(Endpoint Security)	Endpoint policy enforcement for incoming data connections. Verification of predefined, security-relevant client parameters. Measures in the event of target/actual deviations in Disconnect or continue in the quarantine zone with instructions for action (Message box) or start of external applications (e.g. virus scanner update), logging in Log files (Please refer to the Secure Enterprise Management data sheet for more information).
Dynamic DNS (DynDNS)	Connection set up via Internet with dynamic IP addresses. Registration of each current IP address with an external Dynamic DNS provider. In this case the VPN tunnel is established via name assignment (prerequisite: The VPN client has to support DNS resolution - as do NCP Secure Clients)
DDNS	Connected VPN clients are registered with the domain name server via Dynamic DNS (DDNS), meaning that VPN clients with dynamic IPs can be reached via a (permanent) name
Network Protocols	IP, VLAN support
Multi-Tenancy	Group capability; support of max. 256 domain groups (i.e. configuration of: authentication, forwarding, filter groups, IP pools, bandwidth limitation) Alternative default certificates can be configured for other domain groups. The Virtual Secure Enterprise VPN Server can select the most suitable certificate based on the client request (for example the certificate with the longest validity period).
User Administration	Local user administration (up to 750 users); OPT server; RADIUS; LDAP, Novell NDS, MS Active Directory Services
Statistics and Logging	Detailed statistics, logging functionality, sending SYSLOG messages
FIPS Inside	The IPsec client integrates cryptographic algorithms according to the FIPS standard. The embedded cryptographic module, containing the corresponding algorithms, is certified according to FIPS 140-2 (Certificate #1747). FIPS conformance will always be maintained when the following algorithms are used for set up and encryption of a VPN connection: Diffie Hellman-Group: Group 2 or higher (DH starting from a length of 1024 Bit) Hash Algorithms: SHA1, SHA 256, SHA 384 or SHA 512 Bit Encryption algorithms: AES with 128, 192 and 256 Bit or Triple DES
IF-MAP	The overall aim of the ESUKOM Project is the design and development of a real time security solution for company networks which works on the basis of consolidating meta data. The special focus of the project is the threat resulting from mobile end-devices, e.g. smartphones. ESUKOM focuses on the integration of existing security solutions (commercial and open source) which are based on a consistent meta data format according to IF-MAP specifications of the Trusted Computing Group (TCG). The IF-MAP server of the Hannover University of Applied Science and Arts can currently be used for free-of-charge testing. The URL is: http://trust.inform.fh-hannover.de
Client/User Authentication Processes	OTP token, certificates (X.509 v.3): User and hardware certificates (IPsec), user name and password (XAUTH)
Certificates (X.509 v.3)
Server Certificates	It is possible to use certificates which are provided via the following interfaces: PKCS#11 interface for encryption tokens (USB and smart cards); PKCS#12 interface for private keys in soft certificates
Revocation Lists	Revocation: EPRL (End-entity Public-key Certificate Revocation List, formerly CRL), CARL (Certification Authority Revocation List, formerly ARL),
Online Check	Automatic downloads of revocation lists from the CA at certain intervals; Online check: Checking certificates via OCSP or OCSP over http
Connection Management
Line Management	Dead Peer Detection (DPD) with configurable time interval; Timeout (controlled by duration and charges)
Point-to-Point Protocols	LCP, IPCP, MLP, CCP, PAP, CHAP, ECP
Pool Address Management	Reservation of an IP address from a pool within a defined period (lease time)
IPsec VPN
Virtual Private Networking	IPsec (Layer 3 tunneling), RFC-conformant; automatic treatment of MTU size, fragmentation and reassembly; DPD; NAT-Traversal (NAT-T); IPsec modes: Tunnel Mode, Transport Mode; Seamless Rekeying; PFS.
Internet Society RFCs and Drafts	RFC 2401 –2409 (IPsec), RFC 3947 (NAT-T negotiations), RFC 3948 (UDP encapsulation), IP Security Architecture, ESP, ISAKMP/Oakley, IKE, IKEv2 (incl. MOBIKE), IKEv2 Signature Authentication, XAUTH, IKECFG, DPD, NAT Traversal (NAT-T), UDP encapsulation, IPCOMP, IKEv2 authentication conformant to RFC 7427 (padding process)
Encryption	Symmetric processes: AES (CBC/CTR/GCM) 128, 192, 256 bits; Blowfish 128,448 bits; Triple-DES 112,168 bits; Dynamic processes for key exchange: RSA to 4096 bits; Diffie-Hellman Groups 1, 2, 5, 14-21, 25-30; Hash algorithm: SHA-1, SHA 256, SHA 384 or SHA 512
Firewall	Stateful Packet Inspection; IP-NAT (Network Address Translation); port filtering; LAN adapter protection
VPN Path Finder	NCP Path Finder Technology: Fallback to HTTPS from IPsec (port 443) if neither port 500 nor UDP encapsulation are available
Seamless Roaming	With Seamless Roaming in the NCP Secure Client, the system can automatically transfer the VPN tunnel to a different communication medium (LAN / Wi-Fi / 3G / 4G) without changing the IP address to avoid interrupting communication via the VPN tunnel or disconnecting application sessions.
Authentication Processes	IKEv1 (Aggressive and Main Mode), Quick Mode; XAUTH for extended user authentication; IKEv2, EAP-PAP / MD5 / MS-CHAP v2 / TLS Support for certificates in a PKI: Soft certificates, certificates with ECC technology; Pre-shared keys; One-time passwords and challenge response systems; RSA SecurID ready
IP Address Allocation	DHCP (Dynamic Host Control Protocol) over IPsec; DNS: Selection of the central gateway with dynamic public IP address by querying the IP address via a DNS server; IKE config mode for dynamic assignment of a virtual address to clients from the internal address range (private IP) Different pool can be assigned depending on the connection medium. (Client VPN IP)
Data Compression	IPCOMP (lzs), Deflate
Recommended VPN Clients / Compatibility
NCP Secure Entry Clients	Windows 32/64, macOS, Android
Windows 32/64, macOS, Android	Windows 32/64, macOS, iOS, Android, Linux

Documentation:

Download the NCP Secure Enterprise VPN Server Datasheet (PDF).

Download the Quick Configuration Guide – Connecting iOS to an NCP Secure Enterprise VPN Server (PDF).