
© NCP engineering GmbH , e-mail: [email protected] , www.ncp-e.com

NCP_RN_Secure_Enterprise_VPN_Server_10_0_Win_27571_en.docx Technical specification subject to change

page 1 of 29

Release Notes

NCP Secure Enterprise VPN Server Major Release 10.0 r27571 (Windows) January 2016

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 R2 64 Bit

Update Prerequisites

Please read the instructions for updates of previous versions carefully! (See NCP_RN_SES_10_and_HAS_10_Update_and_License_de.PDF)

Prerequisites for Configuration by Secure Enterprise Management (SEM)

Secure Enterprise Management Server: Version 3.02 or later

Management Plugin - Server Configuration: Version 10.00 r26953 or later

Please note: From version 10.0, a license key for the same version of Secure Enterprise VPN Server and the Secure Enterprise HA Server is required to use both products together.

To run this Secure Enterprise Server (10.0.0 r27252) in combination with HA, you will need HA Server version 10.0 r26952.

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

VRRP address of the server

An error occurred when the VRRP function was enabled and the VRRP address configured in SES was not in the same IP address range as the LAN adapter. This issue has been resolved.

3. Known Issues

None


Major Release 10.0 r26968 (Windows) December 2015

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 R2 64 Bit

Update Prerequisites

Please read the instructions for updates of previous versions carefully!

(See NCP_RN_SES_10_and_HAS_10_Update_and_License_de.PDF)

Prerequisites for Configuration by Secure Enterprise Management (SEM)

Secure Enterprise Management Server: Version 3.02 or later

Management Plugin - Server Configuration: Version 10.00 r26953 or later

Please note: From version 10.0, a license key for the same version of Secure Enterprise VPN Server and the Secure Enterprise HA Server is required to use both products together.

To run this Secure Enterprise Server (10.0.0 r26968) in combination with HA, you will need HA Server version 10.0 r26952.

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

Sorting in the SES filter table (SES)

The entries in the server filter table are now sorted alphabetically. This is resolved in the Server Configuration Plugin from version 10.00 r26953.

Number of domain groups (HA + SES)

The error which occurred in the management services for a large number of domain groups has been fixed. This is resolved in the Server Configuration Plugin from version 10.00 r26953.

3. Known Issues

None


Major Release 10.0 rev 25102 (Windows 64) August 2015

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 R2 64 Bit

Update Prerequisites

Please read the instructions for updates of previous versions carefully!

(See NCP_RN_SES_10_and_HAS_10_Update_and_License_de.PDF)

Prerequisites for Combination with Secure Enterprise Management (SEM)

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Windows_1000_rev24357

1. New Features and Enhancements

Licensing of NCP Secure Enterprise VPN Server and NCP Secure Enterprise HA Server

With version 10.0 a license key of the same version is required to use the software productively. Previous server versions 8.x or older updated to version 10.0 without updating the license key to version 10 will not work anymore.

With version 10.0 and upcoming versions a license key of the same version must be used.

IPsec over L2TP is no longer supported

IPsec over L2TP is not available anymore with version 10.0.

Compatibility with Built-in IPsec/IKEv2 Clients

Built-in IPsec clients of the BlackBerry and Windows Phone 8.1 platforms are compatible with version 10.0 using IKEv2 key exchange in combination with one of the following authentication modes (EAP-TLS/EAP-MD5/EAP-OTP/EAP-MSCHAPv2):

User name and password

Certificate

IP Address Assignment for Clients

Version 10.0 now supports external DHCP servers for client IP address assignment, based on one of:

MAC address

host name

user name

Support of Suite B Cryptography Algorithms

The following algorithms are supported:

AES-CTR/GCM

Elliptic Curve Digital Signature Algorithm/Diffie-Hellman


Secure Hash Algorithm 2 (SHA-256, SHA-384)

Advanced Configuration Rules

Within an NCP Secure Enterprise VPN Server’s domain group different Active Directory/LDAP attributes (e.g. group membership) can be used to define the following client parameters:

IP pool

Filter-group

User priority

Policy name / filter group

DHCP source IP address / network mask

The Advanced Configuration Rules are part of the domain groups.

IPv6 within the VPN Tunnel

IPv6 is now supported within the VPN tunnel. The following parameters are IPv6 enabled:

Link profile / routing

Link profile / IPsec selectors

Link profile / IPsec options

Filter networks

Filter

Domain groups / RADIUS

Domain groups / OTP

Domain groups / Link profiles

Currently not all functionalities are IPv6 enabled, e.g. IP address assignment. IPv6 support will be continuously enhanced with future service releases.

Load Balancing Support for Apple iOS Devices (with or without VRRP)

The built-in VPN IPsec client of Apple iOS is able to connect to NCP Secure Enterprise VPN Servers in load balancing mode. The client will automatically be redirected to the server with the least load.

NCP VPN Path Finder II

The NCP VPN Path Finder protocol, part of the NCP Secure Enterprise VPN Server, provides a fallback mechanism in case regular IPsec connection attempts fail because firewalls or proxy servers block this kind of traffic. The NCP VPN Path Finder II protocol is an enhancement offering full TLS communication, which will not be blocked by highly restrictive application-level firewalls/proxies. If a regular IPsec connection cannot be established, the NCP Secure Client automatically switches to NCP VPN Path Finder. If the client still cannot get through to the gateway, it enables NCP VPN Path Finder II using the full TLS negotiation.

Performance Enhancements

With version 10.0 the NCP Secure Enterprise VPN Server's multiprocessor support has been significantly improved for maximum performance.

Using the OpenSSL library in FIPS mode has a substantial effect on the performance of the NCP Secure Enterprise VPN Server. Since this version, FIPS mode is therefore not enabled by default. To enable FIPS mode the administrator has to configure the following:

Set the registry value "EnableFipsMode" under HKLM\System\CurrentControlSet\Services\ncpwsup to 1. The NCP Secure Enterprise VPN Server's ncpwsupd daemon has to be restarted after this change.
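The registry change described above as a script, added here as an example; it is not NCP's own tooling. The release notes give only the value name, the key and the target value, so two details are assumptions: the value is written as a REG_DWORD, and the Windows service that hosts ncpwsupd is registered under the same name as its registry key, ncpwsup. Confirm both (Get-Service, and the key in the registry editor) before running this on a production gateway, and run it from an elevated PowerShell.

```powershell
# Added example, not part of the NCP release notes or NCP's tooling.
# Turns FIPS mode on (or off with -Disable) for the NCP Secure Enterprise VPN
# Server 10.0 as described in the release notes: EnableFipsMode = 1 under
# HKLM\System\CurrentControlSet\Services\ncpwsup, followed by a restart of the
# server process (ncpwsupd).
# Assumptions not stated on the page: REG_DWORD value type; the service is
# registered as "ncpwsup" (same name as the registry key). Needs elevation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$KeyPath     = 'HKLM:\System\CurrentControlSet\Services\ncpwsup',
    [string]$ValueName   = 'EnableFipsMode',
    [string]$ServiceName = 'ncpwsup',   # assumed; verify with Get-Service
    [switch]$Disable                    # revert to the 10.0 default (FIPS mode off)
)

$desired = if ($Disable) { 0 } else { 1 }

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Registry key $KeyPath not found. Is the NCP Secure Enterprise VPN Server installed?"
}

# Read the current setting; a missing value means FIPS mode is off (the default since 10.0).
$existing = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$before   = if ($null -eq $existing) { '<not set>' } else { $existing.$ValueName }
Write-Host "$ValueName before: $before"

if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set to $desired")) {
    if ($null -eq $existing) {
        # Value does not exist yet: create it as a DWORD.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value $desired | Out-Null
    } else {
        Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $desired
    }
}

# The new setting is only picked up after ncpwsupd restarts.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "No service named '$ServiceName' found; restart the NCP server process manually."
} elseif ($PSCmdlet.ShouldProcess($ServiceName, 'Restart-Service')) {
    Restart-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "$ServiceName is $((Get-Service -Name $ServiceName).Status)"
}

$after = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Host "$ValueName after:  $after"
```

Run the script with -WhatIf to see what would change without touching the registry or the service, and with -Disable to return to the 10.0 default. Expect the throughput drop the release notes mention once FIPS mode is active.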


2. Improvements / Problems Resolved

None

3. Known Issues

None


Service Release 8.11 Build 249 (Windows 64) March 2015

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 64 Bit

Windows Server 2012 R2 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

OCSP

When the OCSP responder was not available, clients could not establish connections although "in case of error" was configured.

SNMP

Error in GETNEXT function has been resolved.

Certificate Check

An error in the certificate check configured inside the "Domain Groups" has been resolved.

3. Known Issues None


Service Release 8.11 Build 242 (Windows 64) January 2015

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 64 Bit

Windows Server 2012 R2 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

Multiprocessor Support

Errors in multiprocessor support have been resolved.

DH Exchange Processing

Dependent on the type of random number generated (by an NCP Client) for the DH exchange, the server now either successfully completes establishment of the connection or terminates the establishment. In the latter case, a corresponding message is logged.

Use of IPNAT

When IPNAT is being used on a network interface, Pathfinder connections are also accepted, but now without generating a broadcast.

Removal of Domain Groups

Domain Groups can now be removed during live operation.

3. Known Issues None


Service Release 8.11 Build 238 (Windows 64) October 2014

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 64 Bit

Windows Server 2012 R2 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

Activated IP NAT functionality on the Routing Interface

In previous releases of the NCP Secure Enterprise VPN Server, if a single NAT entry was configured for a network interface, this entry was ignored. This problem is now resolved.

CVE-2014-3566 / "POODLE" issue – SSL v2.0 and v3.0 withdrawn from this product.

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear-text data via a padding-oracle attack, aka the "POODLE" issue.

For this reason the SSL v2.0 and v3.0 protocols are no longer incorporated in this product. The TLS protocol now provides all underlying secure web service (HTTPS) encryption and authentication services.
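A check a practitioner would want after this change, added here as an example and not part of the release notes or the product: probe the server's HTTPS listener (the configuration web interface or the SSL VPN portal; host name and port are placeholders) with an SSLv2 and an SSLv3 handshake and confirm both are refused. One caveat: a failed handshake only proves something if the probing host's own Schannel/.NET still has the legacy protocol enabled. On a hardened client SSL 3.0 is disabled locally, which looks exactly like a server refusal, so cross-check from an older host or with openssl s_client -ssl3 when in doubt.

```powershell
# Added example, not NCP tooling: attempts SSL 2.0 and SSL 3.0 handshakes against
# a TLS endpoint and reports whether the server accepted or refused each one.
# "refused" is the expected result after the POODLE change described above.
function Test-LegacySslProtocol {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder, e.g. the VPN server web interface
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Ssl2', 'Ssl3')
    )
    foreach ($proto in $Protocols) {
        $tcp    = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        $result = [ordered]@{ Endpoint = "${HostName}:$Port"; Protocol = $proto; Outcome = ''; Negotiated = $null }
        try {
            $tcp.Connect($HostName, $Port)
            # Accept any server certificate: this probes protocol support, not trust.
            $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
            # Offer only the single legacy protocol under test.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result.Outcome    = 'ACCEPTED - legacy protocol still enabled on the server'
            $result.Negotiated = $ssl.SslProtocol
        } catch [System.Net.Sockets.SocketException] {
            $result.Outcome = "connection failed: $($_.Exception.Message)"
        } catch [System.PlatformNotSupportedException], [System.NotSupportedException] {
            # The local runtime refuses to even offer this protocol; result is inconclusive.
            $result.Outcome = 'cannot test: this client runtime does not implement the protocol'
        } catch {
            # AuthenticationException / IOException here means the handshake was broken
            # off, which is what a server without SSLv2/v3 should do.
            $result.Outcome = "refused (expected): $($_.Exception.Message)"
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        [pscustomobject]$result
    }
}

# Usage with a placeholder host name:
# Test-LegacySslProtocol -HostName vpn.example.com | Format-Table -AutoSize
```

Run it once before and once after the update; before, at least the Ssl3 row should come back as accepted from a client that still enables SSL 3.0, afterwards both rows should read refused.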

3. Known Issues None


Service Release 8.11 Build 235 (Windows 64) July 2014

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2008 R2 64 Bit

Windows Server 2012 64 Bit

Windows Server 2012 R2 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

Incorrectly set routes at system start

From Windows Server 2008 onwards, start of the ncpmgmsrv service is delayed. This resolves a problem with routes being set incorrectly at system start.

Behavior changed when re-connecting Client to a different gateway in Load Balancing mode

When re-connecting a Client to another gateway in the Load Balancing network, DHCP Release is no longer issued by the previously used gateway (which received a Session Manager Disconnect signal). This ensures that the Client is uniquely addressable from the central site.

OpenSSL 1.0.1h after OpenSSL Security Advisory of 5 June 2014

The 5 June 2014 advisory resulted in the release of OpenSSL 1.0.1h, and this version has been incorporated in the latest version of the NCP Secure Enterprise VPN Server. (See https://www.openssl.org/news/secadv_20140605.txt)

3. Known Issues None


Service Release 8.11 Build 225 (Windows 32/64) April 2014

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

Windows Server 2012 Datacenter 64 Bit

Windows Server 2012 R2 Datacenter 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

OpenSSL Heartbleed Bug (CVE-2014-0160)

The Heartbleed bug in the OpenSSL cryptographic library has been resolved.

3. Known Issues None


Service Release 8.11 Build 219 (Windows 32/64) April 2014

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

Windows Server 2012 Datacenter 64 Bit

Windows Server 2012 R2 Datacenter 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

None

3. Known Issues None


Service Release 8.11 Build 215 (Windows 32/64) March 2014

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

Windows Server 2012 Datacenter 64 Bit

Windows Server 2012 R2 Datacenter 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

Buffer Handling

Problems resolved

Routing Information Protocol (RIP) Handling

Problems associated with RIP and DHCP addresses resolved

3. Known Issues None


Service Release 8.11 rev 209 (Windows 32/64) January 2014

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

Windows Server 2012 Datacenter 64 Bit

Windows Server 2012 R2 Datacenter 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

Buffers in MultiProcessor Configurations

Number of buffers in MP configurations has been increased to 400 per processor.

MultiProcessor and IPsec Compression

Problems associated with MP and IPsec compression have been resolved.

Advanced Authentication Connector

Various problems associated with Advanced Authentication have been resolved.

The timeout for receipt of the SMS at the Client has been increased to 2 minutes (IKEv2) and to 1 minute (IKEv1).

Java 7 Update 51

Support for Java 7 update 51 has been included in the NCP Secure Enterprise VPN Server.

IPv6

Various problems in connection with IPv6 have been resolved.

3. Known Issues None


Service Release 8.11 rev 182 (Windows 32/64) November 2013

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 Enterprise 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

Windows Server 2012 Datacenter 64 Bit

Windows Server 2012 R2 Datacenter 64 Bit

Prerequisites for management by Secure Enterprise Management

Secure Enterprise Management Server: version 3.01 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

1. New Features and Enhancements

Windows Internet Explorer version 11 Support

From this revision onwards Windows Internet Explorer version 11 can be used as the web browser for:

accessing the VPN Server configuration web interface

connecting via an SSL VPN tunnel to corporate resources

RESTRICTION: IE 11 cannot be used in connection with Virtual Private Desktop or Port Forwarding - please discuss detailed requirements with NCP support.

This release incorporates cache protection for Internet Explorer 9, 10 and 11.

2. Improvements / Problems Resolved None

3. Known Issues

None


Service Release 8.11 rev 180 (Windows 32/64) October 2013

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 Enterprise 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

Windows Server 2012 Datacenter 64 Bit

1. New Features and Enhancements

IKEv2 Configuration via Web Interface

The Web Interface has been enhanced to enable IKEv2 to be consistently configured in the Link Profiles, Domain Groups and Local System configuration folders.

The following are required in order to configure IKEv2 features via SEM:

Secure Enterprise Management server: version 3.01 build 015 or later

Management Plugin - Server Configuration: NCP_MgmPlugin_SrvCfg_Win32_811_051 or later

SNMP Enhancements

SNMP support enhancements in connection with statistics enquiries about Domain Groups.

2. Improvements / Problems Resolved

IPsec over L2TP and Packet Fragmentation

IPsec over L2TP now works correctly, even when packets are being fragmented.

3. Known Issues

IKEv2 authentication

Although the EAP TLS method can be configured within the IKEv2 authentication, it is not yet implemented.


Service Release 8.11 Build 168 (Windows 32/64) August 2013

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32/64 Bit

Windows Server 2008 Enterprise 32/64 Bit

Windows Server 2008 R2 Enterprise 64 Bit

1. New Features and Enhancements

Multiprocessor/multicore support

Support for modern multicore architectures for better use of current hardware to enhance VPN throughput.

Support for ECC (Elliptic Curve Cryptography)

Support for certificates whose signature was created with an elliptic curve algorithm instead of the RSA algorithm.

Accessing the Gateway

The Secure Enterprise VPN Server can be accessed from an NCP HA Server using IPv6 addressing.

Prerequisites:

HA Server (Win): Version 3.04 from build 020

Secure Enterprise Server (Win): Version 8.11 from build 168

Server Plug-in (SEM): Version 8.11 from build 48

Prioritization of clients

An NCP Secure Enterprise VPN Server operating in Load Balancing Mode of an HA Server environment enables the HA Server to prioritize VPN access by Clients.

This is particularly important when the HA Server is overloaded or when there are insufficient licenses available for all Clients; in such circumstances, only users with a high priority are allowed access.

Setting the Priority in the Server Configuration:

User priority is defined at the server in the HA Server configuration, in the template of the respective HA Server, and is effective for all gateways connected to it. The User Priority defined there for the users of a Domain Group defines the priority Clients must have been assigned in order to be allowed access.

Highest priority is "1", lowest is "255", and access is allowed for users with the highest priority.

The default setting, "0", means that priority-based access is switched off and all VPN users are allowed access.

If User Priority functionality is in use, all VPN users with a priority lower than the value configured here (i.e. a higher number) will be blocked from establishing VPN connections. Highest priority is "1".

For example, if User Priority "5" is defined at the Server, all users with a lower priority, i.e. 6 to 255, will be blocked. This happens immediately on setting the parameter. VPN tunnels from Clients which, at this point in time, have been assigned a lower priority will be disconnected, and renewed attempts to establish a connection will be rejected. Disconnections and rejections of VPN connection establishment attempts are logged with a corresponding message.

Assigning User Priority in the Client Configuration:

The priority allocated to a specific user can only be defined in the RADIUS or LDAP configuration of the respective Client.

Highest priority is "1", lowest is "255", and access is allowed for users with the highest priority.

Important: at the Client, "0" is the default value for User Priority, and the centrally applied priority-based restriction of Client access does not apply to Clients with User Priority "0". Such Clients are ALWAYS allowed access.
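The admission rule above in code, added as an example (not NCP code) so the inverted numbering is unambiguous: the server threshold is the largest priority number still admitted, "0" on either side means no restriction, and setting the threshold disconnects established tunnels whose users fall outside it. The session records and property names are constructed for the example and are not the product's RADIUS/LDAP attribute names.

```powershell
# Added example, not NCP code: models the User Priority admission rule from the
# release notes. Constructed sample data; "User" and "Priority" are illustrative
# property names, not the product's RADIUS/LDAP attributes.

function Test-UserPriorityAdmitted {
    param(
        [ValidateRange(0, 255)][int]$ServerPriority,   # Domain Group "User Priority" set on the HA Server
        [ValidateRange(0, 255)][int]$ClientPriority    # value delivered for the user via RADIUS/LDAP
    )
    if ($ServerPriority -eq 0) { return $true }   # "0" at the server: feature switched off, everyone admitted
    if ($ClientPriority -eq 0) { return $true }   # "0" at the client (the default): ALWAYS admitted
    # "1" is the highest priority, so a client passes only when its number does not
    # exceed the threshold: a threshold of 5 admits 1..5 and blocks 6..255.
    return $ClientPriority -le $ServerPriority
}

# Established tunnels that are dropped the moment the threshold is applied.
function Get-TunnelsToDisconnect {
    param(
        [int]$ServerPriority,
        [object[]]$Sessions   # objects with User and Priority properties
    )
    $Sessions | Where-Object {
        -not (Test-UserPriorityAdmitted -ServerPriority $ServerPriority -ClientPriority $_.Priority)
    }
}

# Constructed sample: four connected users as the HA Server might see them.
$sessions = @(
    [pscustomobject]@{ User = 'alice'; Priority = 1 }   # highest priority
    [pscustomobject]@{ User = 'bob';   Priority = 5 }
    [pscustomobject]@{ User = 'carol'; Priority = 6 }
    [pscustomobject]@{ User = 'dave';  Priority = 0 }   # no priority assigned (client default)
)

foreach ($threshold in 0, 5) {
    Write-Host "Server User Priority = $threshold"
    foreach ($s in $sessions) {
        $ok = Test-UserPriorityAdmitted -ServerPriority $threshold -ClientPriority $s.Priority
        Write-Host ("  {0,-6} priority {1,3} -> {2}" -f $s.User, $s.Priority, $(if ($ok) { 'admitted' } else { 'blocked' }))
    }
    $drop = @(Get-TunnelsToDisconnect -ServerPriority $threshold -Sessions $sessions)
    Write-Host "  tunnels disconnected on change: $(if ($drop) { ($drop.User) -join ', ' } else { 'none' })"
}
```

With the threshold at 0 nobody is affected; with the threshold at 5, alice (1) and bob (5) stay connected, dave (0) is exempt, and only carol (6) is disconnected and refused on reconnect, matching the worked example in the notes.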

Text in the GUI (Domain-Groups):

As soon as User Priority functionality is switched on, all VPN users with priority less than the priority value configured here will be blocked from establishing VPN connections. Highest priority is "1", lowest is "255".

VPN tunnels already established from Clients with a lower priority are immediately disconnected.

"0" switches off the prioritized tunnel-use functionality.

2. Improvements / Problems Resolved

An issue when using LDAP attributes with a length of 256 characters has been resolved.

3. Known Issues

Operating System

Installation on Microsoft Windows Server 2012 is NOT supported.

IKEv2 authentication

Although the EAP TLS method can be configured within the IKEv2 authentication, it is not implemented.


Service Release 8.10 Build 085 (Windows 32/64) May 2013

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32 bit

Windows Server 2008 Enterprise Service Pack 2 32 and 64 bit

Windows Server 2008 R2 Enterprise Service Pack 64 bit

Windows Server 2012 Datacenter 64 bit

1. New Features and Enhancements

None

2. Improvements / Problems Resolved

VPN Connection Aborted after IKE Phase 2 Rekeying

After expiry of the "Duration" timer (IPsec Policies - Configuration - Duration / Default 8 hours), instead of the phase 2 re-keying being carried out, the connection was aborted. This problem has now been resolved.

3. Known Issues

None


Service Release 8.10 Build 079 (Windows 32/64) March 2013

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32 bit

Windows Server 2008 Enterprise Service Pack 2 32 and 64 bit

Windows Server 2008 R2 Enterprise Service Pack 64 bit

Windows Server 2012 Datacenter 64 bit

1. New Features and Enhancements

The following new feature has been introduced in this release:

Support of Windows Server 2012

The NCP Secure Enterprise VPN Server supports the Windows Server 2012 (64 bit) operating system.

2. Problems Resolved None

3. Known Issues

Failure to download Endpoint Policies (EP) from Secure Enterprise Management (SEM versions earlier than 3.0) to Secure Enterprise VPN Server (SES) 8.10

Endpoint policies download to a SES v8.10 will fail IF from a SEM version earlier than v3.0 AND the SES is not managed by the SEM.

Background: SEM v2.x transmitted packets with an incorrect length. SES v8.10 now checks and ignores packets with incorrect length. SEM v3.0 has been corrected to transmit packets with correct length.


Service Release 8.10 Build 064 (Windows 32/64) June 2012

Prerequisites

Operating System Support

The following Microsoft Operating Systems are supported with this release:

Windows Server 2003 R2 Enterprise Edition 32 bit

Windows Server 2008 Enterprise Service Pack 2 32 and 64 bit

Windows Server 2008 R2 Enterprise Service Pack 64 bit

1. New Features and Enhancements

The following new features have been introduced in this release:

New, separate switches for IKEv1 and IKEv2

Connections via IPsec Native and IPsec over L2TP can only be established if the key exchange is handled via either the IKEv1 or the IKEv2 protocol. If neither of these key exchange protocols is selected, connections can only be established via L2Sec or L2TP.

The switches are located at the Local System level and both protocols are active by default.

IKEv2 including MobIKE

The gateway now supports IKEv2 including MobIKE. The following EAP types are supported with this implementation:

EAP-MD5-Challenge

EAP-TLS

EAP-MSCHAP-V2

Seamless Roaming

Seamless Roaming provides the user with an "always on" capability: in the event that a communication medium fails, Seamless Roaming in an NCP Secure Enterprise Client (for Windows from version 9.30) automatically switches to the next available medium, choosing from LAN, WiFi and 3G. Applications that make use of the VPN tunnel are not disturbed by the switchover from one medium to another.

This version of the NCP Secure Enterprise VPN Server includes the functionality necessary to support Seamless Roaming at the NCP Secure Clients.

Seamless Roaming – Force Single VPN Connection

This switch (in HA Server) prevents multiple VPN connections, from a single NCP Secure Client, remaining open when Seamless Roaming is in operation.

When set (the default state) and a VPN connection request is received at a gateway, that gateway sends a message to all other gateways in the load balancing/HA group, indicating that this user is now connected to gateway x and all other connections for this user must be terminated.

Prerequisites:

HA Server (Win): Version 3.03 from build 004

Secure Enterprise VPN Server (Win): Version 8.10 from build 051


Server Plug-in (SEM): from build 15

Execute Endpoint Security only for NCP Clients

A feature (a switch in "Local System") has been added to enable Endpoint Security to be executed only with NCP Clients. Other Clients that do not support NCP Endpoint Security, e.g. iPads, can now use the same profile, even when Endpoint Security is enabled.

This is especially useful when, in addition to NCP Clients, mixed operation is supported and, for example, iPads with their integrated VPN Client are in use.

If this function is NOT activated, then connection requests from clients from other manufacturers, i.e. that do not support NCP Endpoint Security, or that do not fulfill the security policies, will be rejected.

IP Address Assignment by DHCP [Domain Groups]

The VPN gateway can automatically assign an available address to each Client when that Client connects to the gateway. This address can be assigned either from a pool or by means of IP address assignment from a DHCP server, and is assigned for the duration of the session. A Domain Group can contain the configuration details of one DHCP server (with IP address and DHCP Source IP Address).

IF-MAP

The ESUKOM project aims to develop a real-time security solution for enterprise networks that works based upon the correlation of metadata. A key challenge for ESUKOM is the steadily increasing adoption of mobile consumer electronic devices (smartphones) for business purposes, which generate new threats for enterprise networks. ESUKOM focuses on the integration of available and widely deployed security measures (both commercial and open source) based upon the IF-MAP (Interface for Metadata Access Points) specification from the Trusted Computing Group (TCG).

As of release 8.10 of the NCP Secure Server, the IF-MAP Server at Hannover University can be used, cost free, for test purposes. The URL is http://trust.inform.fh-hannover.de.

Realtime Enforcement through the IF-MAP Protocol

Using IF-MAP Protocol Events, the Server can trigger an action such as disconnecting a connection or switching the Filter Group. IF-MAP Events can be configured accordingly in the Domain Group.

Single Sign-on for SSL VPN

Single Sign-on can be used when the web server application (configured under Web Proxies) being accessed requires the same access data as that used by the SSL VPN client. Usernames and passwords can then be centrally managed by Active Directory, RADIUS or LDAP.

Depending on the application, Single Sign-on authentication can be performed with HTTP Authentication (Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)), or using the Post Form Method.

SSO with web applications has been tested with Outlook Web Access (OWA) 2003, 2007 and 2010, RDP Client and CITRIX Webinterface 4.5, 5.1.

SSO with port forwarding is only supported for an application that can accept parameters (username and password) via its command line.
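The two RFC 2617 schemes named above (Basic and Digest), as an added Python example of how an SSL VPN gateway could answer a web application's 401 challenge on the user's behalf with the credentials already used for the SSL VPN login. This is not NCP code: the challenge strings are constructed, the Digest case reuses the worked example from RFC 2617 section 3.5 so the result can be checked against the RFC, and NTLM (a multi-round Microsoft scheme) is left out.

```python
"""Added example (not NCP code): answering an HTTP authentication challenge
with the user's SSL VPN credentials, for the RFC 2617 Basic and Digest
schemes. Challenge strings are constructed; NTLM is out of scope."""
import base64
import hashlib
import re
from typing import Dict, Tuple


def basic_authorization(username: str, password: str) -> str:
    """RFC 2617 Basic: credentials are only base64-encoded, so this scheme
    relies entirely on the TLS hop between gateway and web server."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_challenge(www_authenticate: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Digest realm="x", nonce="y", qop="auth"' into (scheme, params)."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
              for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)}
    return scheme, params


def digest_authorization(username: str, password: str, method: str, uri: str,
                         params: Dict[str, str], cnonce: str = "0a4f113b",
                         nc: str = "00000001") -> str:
    """RFC 2617 Digest with qop=auth: the password never crosses the wire;
    only MD5 hashes bound to the server nonce and a client nonce do."""
    realm, nonce = params["realm"], params["nonce"]
    qop = "auth" if "auth" in params.get("qop", "").split(",") else None
    h = lambda s: hashlib.md5(s.encode("utf-8")).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    if qop:
        response = h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    else:  # legacy RFC 2069 form without qop
        response = h(f"{ha1}:{nonce}:{ha2}")
    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{uri}"', f'response="{response}"']
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in params:   # must be echoed back unchanged
        fields.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(fields)


def answer_challenge(www_authenticate: str, username: str, password: str,
                     method: str = "GET", uri: str = "/") -> str:
    """Dispatch on the scheme the web application sent back in its 401."""
    scheme, params = parse_challenge(www_authenticate)
    if scheme.lower() == "basic":
        return basic_authorization(username, password)
    if scheme.lower() == "digest":
        return digest_authorization(username, password, method, uri, params)
    raise ValueError(f"unsupported scheme {scheme!r} (NTLM needs a multi-round exchange)")


def rfc2617_digest_example() -> str:
    """The worked example from RFC 2617 section 3.5; returns the response hash,
    which the RFC publishes as 6629fae49393a05397450978507c4ef1."""
    challenge = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
    _, params = parse_challenge(challenge)
    hdr = digest_authorization("Mufasa", "Circle Of Life", "GET", "/dir/index.html", params)
    return re.search(r'response="([0-9a-f]+)"', hdr).group(1)


if __name__ == "__main__":
    print(answer_challenge('Basic realm="OWA"', "Aladdin", "open sesame"))
    print(rfc2617_digest_example())
```

The contrast between the two branches is the point a reviewer of an SSO deployment should keep in mind: with Basic the gateway forwards the user's password in recoverable form on every request, so the gateway-to-server leg must itself be TLS; with Digest only nonce-bound MD5 hashes leave the gateway, but the server still has to hold a password-equivalent (HA1) for each user.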

Virtual Private Desktop

The Virtual Private Desktop is a work area (sandbox), decoupled from the underlying operating system and made available to the user by means of the SSL VPN session. Applications started and running in this work area, together with any files created, are disconnected from the underlying operating system. Files such as e-mail attachments are stored in the Virtual Private Desktop in a private container that is encrypted using AES. When the SSL VPN session is terminated, all files in the container are deleted.


Only NCP Clients allowed

This switch ensures that connections can only be established from NCP VPN Clients. If connection establishment attempts are made from clients of other manufacturers, these will be refused. The function can be applied globally or on a domain group basis.

Automatic Thin Client Authentication at a Proxy

If a proxy located within the same Windows domain as the Thin Client is being used for access to the Internet, and authentication of accesses via the proxy is handled by the HTTP Negotiate / Kerberos protocol, the details of the user's existing domain logon at his/her associated Windows system will be used to authenticate the connection from the Thin Client to that proxy. If all these conditions are fulfilled, authentication of the Thin Client at the proxy will be automatic. If not, the user will be presented with the proxy's authentication request prompt.

Note: this feature is independent of the Single Sign-on for SSL VPN functionality mentioned above.

2. Problems Resolved

None

3. Known Issues

Failure to download Endpoint Policies (EP) from Secure Enterprise Management (SEM versions earlier than 3.0) to Secure Enterprise VPN Server (SES) 8.10

Endpoint policy download to an SES v8.10 will fail IF it comes from a SEM version earlier than v3.0 AND the SES is not managed by that SEM.

Background: SEM v2.x transmitted packets with an incorrect length. SES v8.10 now checks and ignores packets with incorrect length. SEM v3.0 has been corrected to transmit packets with the correct length.

4. Getting Help for the NCP Secure Enterprise VPN Server

To ensure that you always have the latest information about NCP's products, always check the NCP website at: http://www.ncp-e.com/en/downloads.html

For further assistance with the NCP Secure Enterprise VPN Server, visit: http://www.ncp-e.com/en/support.html

Mail: [email protected]


5. Features

Operating Systems

See the Prerequisites on page 1 for the Microsoft operating systems supported by the corresponding Secure Enterprise VPN Server release.

Recommended System Requirements

Computer CPU: Pentium III (or higher) 150 MHz or comparable x86 processor, 512 MB RAM (minimum), plus 64 MB RAM per 250 concurrently usable tunnels.

Clock speed: Data throughput of circa 4.5 Mbit/s can be achieved for each 150 MHz with a single core CPU (including encryption). Data throughput of circa 9 Mbit/s can be achieved for each 150 MHz with a dual/quad core CPU (including encryption).

Web Browser for Web Interface and SSL VPN

Use one of the newer versions of these web browsers:

Internet Explorer

Firefox or other Mozilla-based browser

Safari

Chrome

System Requirements for Concurrent SSL VPN Sessions

10 Concurrent Users (CU): CPU: Intel Pentium III 700 MHz or comparable x86 processor, 512 MB RAM

50 Concurrent Users: CPU: Intel Pentium III 1.5 MHz or comparable x86 processor, 512 MB RAM

100 Concurrent Users: CPU: Intel Dual Core 1.83 GHz or comparable x86 processor, 1024 MB RAM

200 Concurrent Users: CPU: Intel Dual Core 2.66 GHz or comparable x86 processor, 1024 MB RAM

Requirements depend on the type of end device. Mobile end devices such as tablet PCs (using iOS or Android), smartphones, PDAs and others have some restrictions.

The above are approximate values that are significantly influenced by user activity profiles and applications. If a large number of concurrent file transfers (file upload and download) is anticipated, we recommend increasing the memory value by 50%.

Network Protocols

IP (Internet Protocol), VLAN support

IPv4 protocol: IP traffic inside and outside the VPN tunnel can use the IPv4 protocol.

IPv6 protocol: IP traffic used to establish and maintain the VPN tunnel can use the IPv6 protocol (Client to VPN gateway and Client to NCP Secure Enterprise HA Server); IP traffic inside any VPN tunnel MUST use the IPv4 protocol.


Management

The NCP Secure Enterprise VPN Server is configured and managed either via NCP Secure Enterprise Management (using the Secure Server plug-in) or directly via the Web Interface.

Network Access Control (Endpoint Security)

Endpoint Policy Enforcement for incoming data connections.

Verification of predefined, security-relevant Client parameters.

Measures in the event of target/actual deviation in IPsec VPN:

Disconnect, or continue in the quarantine zone with instructions for action

Message in a message box or start of external applications (e.g. virus scanner update)

Logging in log files (see the Secure Enterprise Management data sheet for more information)

Measures in the event of attempts to perform other than pre-defined activities in SSL VPN:

Granular reduction of access authorization to certain applications in accordance with defined security levels

Dynamic switching of filter rules dependent on Endpoint Security requirements

Execute Endpoint Security only for NCP Clients

IF-MAP (Interface for Metadata Access Points) Support

Realtime Enforcement through the IF-MAP Protocol

Dynamic DNS (DynDNS/DDNS)

Connection establishment via the Internet with dynamic IP addresses.

Registration of each current IP address with an external Dynamic DNS provider. In this case the VPN tunnel is established via name assignment (prerequisite: the VPN client must support DNS resolution; NCP Secure Clients support this functionality).

Extension of the Domain Name Server (DNS): reachability of the VPN client under a (permanent) name despite a varying IP address.

Periodic updating of the DNS server with username and IP address of the currently connected Client.

Multi Company Support

Group capability, support of max. 256 domain groups (i.e. configuration of: authentication, forwarding, filter groups, IP pools, bandwidth limitation, etc.)

User Administration

Local user administration (up to 750 users)

External authentication via:

OTP server

RADIUS

LDAP

Support for LDAP over SSL

Novell NDS

MS Active Directory Services

RADIUS, LDAP and SEM Forwarding


Statistics and Logging

Detailed statistics, logging functionality, sending of SYSLOG messages

Client/User Authentication Process

OTP token

User and hardware certificates (IPsec) according to X.509 v.3

User name and password (IKEv1 - XAUTH, IKEv2 - EAP)

External Authentication with LDAP Bind

Certificates (X.509 v.3)

Server Certificates: Certificates can be used that are provided via the following interfaces:

PKCS#11 interface for encryption tokens (USB and smart cards)

PKCS#12 interface for private keys in soft certificates

Creation and Distribution of Server Certificates with the SEM PKI Enrollment Plug-in

Transfer of SubCA Certificate

Server Certificates can be queried via SNMP

Revocation Lists: EPRL (End-entity Public-key Certificate Revocation List, formerly CRL), CARL (Certification Authority Revocation List, formerly ARL)

Online Check: Automatic download of revocation lists from the CA at predefined intervals. Online check: checking certificates via OCSP, or OCSP relative to the CA, over HTTP

IPsec VPN and SSL VPN – Connections

Transmission Media

LAN

Direct operation on the WAN: Support of max. 120 ISDN B-channels (So, S)

Line Management

DPD with configurable time interval

Short Hold Mode

Channel bundling (dynamic in ISDN) with freely configurable threshold value

Timeout (controlled by time and charges)

Point-to-Point Protocols

PPP over ISDN, PPP over GSM, PPP over PSTN, PPP over Ethernet

LCP, IPCP, MLP, CCP, PAP, CHAP, ECP

Pool Address Management

Reservation of an IP address from a pool for a defined period of time (lease time)

Trigger Call

Direct dial of the distributed VPN gateway via ISDN, "knocking in the D-channel"


Virtual Private Networking with IPsec

Virtual Private Networking: IPsec (Layer 3 tunneling), RFC-conformant

MTU size fragmentation and reassembly

DPD (Dead Peer Detection)

NAT-Traversal (NAT-T)

IPsec modes: Tunnel Mode, Transport Mode

Seamless Rekeying

PFS (Perfect Forward Secrecy)

Automatic Return Route Determination (ARRD)

Support for Seamless Roaming in NCP Secure Enterprise Clients

Internet Society RFCs and Drafts

RFC 2401–2409 (IPsec)

RFC 3947 (NAT-T negotiations)

RFC 3948 (UDP encapsulation)

RFC 4306/5996 (IKEv2)

RFC 4555 (MOBIKE)

IP Security Architecture

ESP

ISAKMP/Oakley

IKEv1

XAUTH

IKECFG

DPD

IPCOMP

IKEv2 including MobIKE

EAP protocols supported: EAP-PAP, EAP-MD5-Challenge, EAP-MSCHAP-V2, EAP-TLS

IKECFG

FIPS Inside

Optionally the FIPS Mode can be enabled (via the configuration file ncpwsupd.conf for Linux, or via the Registry Entry cpwsup for Windows). The Secure Enterprise VPN Server incorporates cryptographic algorithms conformant to the FIPS standard. The embedded cryptographic module incorporating these algorithms has been validated as conformant to FIPS 140-2 (certificate #1051).

FIPS conformance will always be maintained when any of the following algorithms are used for establishment and encryption of the IPsec connection:

Diffie Hellman Group: Group 2 or higher (DH starting from a length of 1024 Bit)

Hash Algorithms: SHA1, SHA 256, SHA 384 or SHA 512

Encryption Algorithms: AES with 128, 192 or 256 Bit, or Triple DES
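The three conformance rules above, turned into an added Python policy check. This is not NCP code: the proposal dictionary keys and the sample proposals are constructed, and the gateway's real configuration format is not shown on the page. It goes slightly beyond the text by normalising the algorithm spellings the data sheet uses and by flagging proposals built from the product's other listed algorithms (DES, Blowfish, MD5, DH group 1), which the conformance statement does not cover.

```python
"""Added example (not NCP code): applies the FIPS conformance rules quoted in
the text to a list of IKE/IPsec proposals. Proposal keys and sample values are
constructed for this illustration."""
from typing import Dict, List, Optional

# The three rule sets from the text.
FIPS_MIN_DH_GROUP = 2                       # "Group 2 or higher" (1024-bit minimum)
FIPS_HASHES = {"SHA1", "SHA256", "SHA384", "SHA512"}
FIPS_CIPHERS = {"AES-128", "AES-192", "AES-256", "3DES"}

# Aliases so the spellings used elsewhere in the data sheet normalise to one form.
_HASH_ALIASES = {"SHA-1": "SHA1", "SHA 256": "SHA256", "SHA-256": "SHA256",
                 "SHA 384": "SHA384", "SHA-384": "SHA384",
                 "SHA 512": "SHA512", "SHA-512": "SHA512"}
_CIPHER_ALIASES = {"TRIPLE DES": "3DES", "TRIPLE-DES": "3DES", "DES3": "3DES"}


def normalise_hash(name: str) -> str:
    n = name.strip().upper()
    return _HASH_ALIASES.get(n, n)


def normalise_cipher(name: str, key_bits: Optional[int] = None) -> str:
    n = _CIPHER_ALIASES.get(name.strip().upper(), name.strip().upper())
    if n == "AES" and key_bits:
        n = f"AES-{key_bits}"
    return n


def check_proposal(proposal: Dict) -> List[str]:
    """Return the violations for one proposal; an empty list means the proposal
    stays inside the page's conformance statement. Expected keys (constructed):
    'dh_group' (int), 'hash' (str), 'cipher' (str), optional 'key_bits' (int)."""
    problems = []
    dh = proposal.get("dh_group")
    if dh is None or dh < FIPS_MIN_DH_GROUP:
        problems.append(f"DH group {dh}: below group {FIPS_MIN_DH_GROUP} (1024-bit minimum)")
    if normalise_hash(proposal.get("hash", "")) not in FIPS_HASHES:
        problems.append(f"hash {proposal.get('hash')!r}: not SHA1/SHA256/SHA384/SHA512")
    if normalise_cipher(proposal.get("cipher", ""), proposal.get("key_bits")) not in FIPS_CIPHERS:
        problems.append(f"cipher {proposal.get('cipher')!r}: not AES-128/192/256 or Triple DES")
    return problems


def fips_conformant(proposals: List[Dict]) -> bool:
    """A policy is conformant only if *every* proposal the gateway would accept is:
    one weak proposal is enough for a peer to negotiate outside FIPS."""
    return all(not check_proposal(p) for p in proposals)


def report(policy: List[Dict]) -> Dict[int, List[str]]:
    """Proposal index -> violations, for every non-conformant proposal."""
    out = {}
    for i, p in enumerate(policy):
        v = check_proposal(p)
        if v:
            out[i] = v
    return out


# Constructed sample policy: the first two proposals follow the rules; the rest
# use algorithms the data sheet lists for the product but not under FIPS.
SAMPLE_POLICY = [
    {"dh_group": 14, "hash": "SHA-256", "cipher": "AES", "key_bits": 256},
    {"dh_group": 2, "hash": "SHA1", "cipher": "Triple DES"},
    {"dh_group": 1, "hash": "SHA1", "cipher": "AES", "key_bits": 128},      # DH group 1
    {"dh_group": 5, "hash": "MD5", "cipher": "AES", "key_bits": 128},       # MD5
    {"dh_group": 14, "hash": "SHA-512", "cipher": "Blowfish", "key_bits": 448},
    {"dh_group": 14, "hash": "SHA-512", "cipher": "DES"},
]

if __name__ == "__main__":
    for i, v in report(SAMPLE_POLICY).items():
        print(f"proposal {i}: " + "; ".join(v))
    print("policy conformant:", fips_conformant(SAMPLE_POLICY))
```

The check is deliberately per proposal rather than per algorithm list: a gateway that offers both a conformant and a non-conformant proposal lets the peer choose, so an audit has to look at the weakest proposal that would be accepted.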


Encryption

Symmetric processes:

DES; Triple-DES 112, 168 bits; Blowfish 128, 448 bits (IKEv1, IKEv2 and IPsec)

AES 128, 192, 256 bits (IKEv1, IKEv2 and IPsec)

AES-CTR 128, 192, 256 (IKEv2 and IPsec)

Dynamic processes for key exchange:

RSA up to 4096 bits

Diffie-Hellman Groups 1, 2, 5, 14-18 (IKEv1, IKEv2 and IPsec)

Diffie-Hellman Groups 19-21, 25-26 (using Elliptic Curve Cryptography; IKEv2 and IPsec)

AES-GCM: 128, 256 (IKEv2)

Hash algorithms: MD5, SHA1, SHA 256, SHA 384, SHA 512

IKEv2 Pseudo Random Functions: HMAC MD5, HMAC SHA1, HMAC SHA2-256, HMAC SHA2-384, HMAC SHA2-512

Firewall

Stateful Packet Inspection

IP-NAT (Network Address Translation)

Port filtering

LAN adapter protection

VPN Path Finder

NCP Path Finder Technology: Fallback to IPsec over HTTPS (port 443) if IPsec over port 500 or UDP encapsulation is not possible.

Authentication Processes

IKEv1 (Aggressive and Main Mode), Quick Mode

XAUTH for extended user authentication

IKEv2

EAP

Support for certificates in a PKI: Soft certificates, smart cards, and USB tokens

Pre-shared keys

One-time passwords, and challenge response systems

RSA SecurID ready

Advanced Configuration

Rules to define properties of the clients

IP Address Allocation

DHCP (Dynamic Host Configuration Protocol) over IPsec

DNS: Selection of the central gateway with changing public IP address by querying the IP address via a DNS server

IKE config mode for dynamic assignment of a virtual address to clients from the internal address range (private IP), or IP address assignment by DHCP


Data Compression

IPCOMP (lzs), Deflate

Other Features

HA support (Load Balancing) for Apple iOS Clients

Compatibility with native IPsec Clients (Blackberry and Windows Phone 8.1)

SSL VPN

Protocols: SSLv1, SSLv2, TLSv1 (Application Layer Tunneling)

Web Proxy (Web Applications)

Access to internal web applications and Microsoft network drives via a web interface.

Prerequisites for the end device: SSL-capable web browser with JavaScript functionality

Single Sign-on (SSO) for SSL VPN

Support for SSO in Web Proxy (Web Applications).

Single Sign-on authentication: The web server application must require the same access data as the SSL VPN client; usernames and passwords can then be centrally managed by Active Directory, RADIUS or LDAP. Support for HTTP Authentication protocols (Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)), or the Post Form Method.

Supported web applications: Predefined SSO configuration files for Outlook Web Access (OWA) 2003, 2007 and 2010, and CITRIX Webinterface 4.5 and 5.1. Customer-specific application configurations.

Secure Remote File Access (Network Shares)

Upload and download, creation and deletion of directories, corresponding approximately to the functionality of Windows Explorer.

Prerequisites for the end device: See Web Proxy

SSO functionality – the network share username and password can be derived from the SSL username and password

Port Forwarding

Access to client/server applications (TCP/IP), including web applications.

Support for Port Forwarding under Mac OS X

SSO Support – application dependent. Supported only for applications, such as RDP, which take username/password as command line parameters.

Prerequisites for the end device:

SSL-capable web browser with JavaScript support,

Java Runtime Environment (>= V5.0) or ActiveX,

SSL Thin Client for Windows 8, 7, Vista or XP (32/64 bit)


Not supported using Microsoft Windows Internet Explorer 11 - please discuss specific requirements with NCP support

PortableLAN

Transparent access to the corporate network

Prerequisites for the end device:

SSL-capable web browser with JavaScript support,

Java Runtime Environment (>= V5.0) or ActiveX control,

PortableLAN Client for Windows 8, 7, Vista or XP (32/64 bit)

Virtual Private Desktop

Work area (sandbox), decoupled from the underlying operating system and made available to the user by means of the SSL VPN session.

Prerequisites for the end device:

Microsoft Windows 8, 7, Vista or XP (32/64 bit)

Not supported using Microsoft Windows Internet Explorer 11 - please discuss specific requirements with NCP support

Applications tested under Virtual Private Desktop: Microsoft Word, Excel, PowerPoint, Outlook and Outlook Web Access, Adobe Acrobat Reader and Flash Player, Foxit Reader, SSH (PuTTY) and WinZip. Detailed OS / application support matrix available on request.

Cache Protection for Internet Explorer V.6, 7, 8, 9, 10 and 11

Required when using Internet Explorer. All transmitted data on the end device will be deleted automatically after the connection is disconnected.

Prerequisites for the end device:

SSL-capable web browser with JavaScript support,

Java Runtime Environment (>= V5.0),

SSL Thin Client for Windows 8, 7, Vista or XP (32/64 bit)

Security Features

Restriction of the Cipher Suite (only AES256-SHA, DES-CBC3-SHA or AES128-SHA)

Prevention of Cross Site Scripting

Other Features

Extended SSL VPN Support for mobile end-user devices

Configuration and User Interface (SSL VPN Start Page)

The SSL service start page can be customized with company-specific text and graphics.

Placeholders (%SSLVPNPARAMn%) simplify the customization of complex configurations.