As 2 seems no longer a valid option, I guess we are down to discussion of NCP vs Secure Connect?
Since the VPN will be newly deployed, we are open to any of them. However, I would like to know and compare if they have any difference or pros/cons using a particular solution?
Our end users will be connecting from Windows and Mac mostly.
Hi all, here are some updates after discussing with Juniper’s Engineer.
After some days of email exchange, our confusion got escalated from local distributor to Juniper’s Team, and their engineers were helpful in explaining and clarifying.
So, as everyone knows Pulse is still usable but heading to EOL soon, NCP was the successor. And now Juniper Secure Connect (JSC) is the default remote access VPN suggested by Juniper.
NCP client itself needs to be separately purchased from NCP (not provided by Juniper), which also provides many advanced features (thus price tag…) including centralized endpoint management etc, and Juniper is only using its VPN features.
After the Pandemic, Juniper found many customers require SSLVPN feature without whole bunch of fancy NCP stuff. So they developed JSC on top of the SSLVPN feature from NCP (you can see both GUI are nearly twins). So basically JSC is just a lite version of NCP with only SSLVPN feature, and requires only remote access license on SRX device, and it should be capable to do everything a VPN should do. JSC is now the suggested way of remote access VPN on SRX, except for those (rich enough) to use the whole NCP solution.
JSC was released by Juniper around Nov 2020; it is quite new and is not well advertised, which is why even our local distributor mistakenly provided NCP by default.
IMO, Juniper Secure Connect simplifies the setup complexity quite a lot, both on SRX and client software, compared to previous versions. Still some distance compared to FortiGate but at least they seem to be making progress in the right direction.
I see, is Juniper Secure Connect something new? Coz here (Hong Kong) our distributor is offering NCP by default as we’re asking for remote access license.
AFAIK they’re not concerning VoIP traffic…
Btw just curious, what do you mean by not handling VoIP well? Does it have high latency or jitter or unstable or sth else?
Yea, agree that SRX is not really competitive when it comes to remote access VPN, compared to SSL-VPN provided by other vendors… They are still using IPSec which I think is quite difficult to set up and troubleshoot, while others require only a few clicks or drag-and-drop. And the Pulse/NCP/SecureConnect changes are really messy, hope this time they will stick with their in-house solution longer…
FortiGate did quite a good job here, I haven’t had any issues dealing with FG, and they are also easy to manage and user-friendly, so clients don’t need to call us just to add a user.
IMO Juniper’s SRX is more like a “router with firewall features” rather than a modern NGFW.
It is not our choice though, client’s boss required the use of Juniper as aligned with other offices…
They all need a RAC license, deployed on the SRX. I was referring to the client/app license.
It’s true that Pulse is less secure. To get it to work properly, you’ll have to use algorithms/settings considered not secure these days. IIRC, we couldn’t get it to work with anything better than DH group 2.
It’s been around since the 15.1x49 release and is the recommended service for remote access VPN on SRX. That being said, it’s pretty rough and will not have the features that more mature VPN products have.
I’d recommend looking at Cloudflare for Teams (free for up to 50 users) or basically any other VPN solution than the SRX.
From a purely financial perspective, probably not. I work at a small consulting firm, and spend about 75% of my time doing client engagements… The remainder is spent on keeping our (very small) network going.
At the end of the day, NCP just works and the people paying for licenses don’t mind spending a little bit on them every year. A bigger company might feel very different.
Thanks for the info. I don’t know why our local distributor is suggesting NCP in the first place, I will need to discuss with them. BTW I saw that Secure Connect is only supported on SRX “running Junos OS Release 20.3R1 or later” (System Requirements)
Our client just needs to allow remote workers to be able to connect back to office and access internal resources, no advanced stuff like endpoint management or antivirus is needed, so I guess that can be done with SRX’s rough VPN?
We did suggest our client with FortiGate and Palo-Alto at first, but it was client’s decision to follow other offices which were using SRX and that’s the end of discussion…