Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Configuring Dynamic VPN on SRX while using NCP client (GUI procedure)



Article ID: KB33935 KB Last Updated: 18 Feb 2020Version: 2.0

The Dynamic VPN on SRX devices is facilitated by using Pulse Secure software and is still being used. Starting with Junos OS version 15.1X49-D80, the NCP client software is used to achieve the Dynamic VPN functionality. Please refer to the VPN section of the Release Notes of release 15.1X49-D80 for more information.

This article provides a simple configuration example using J-Web for a remote access tunnel using IKEv1 and local authentication. For similar instructions using the CLI, refer to KB32418.

Note: The configuration of the NCP Exclusive Remote Access Client profile must match the VPN configuration on the SRX Series device.


The NCP client is documented in Understanding IPsec VPNs with NCP Exclusive Remote Access Client, along with an Example: Configuring the SRX Series Device for NCP Exclusive Remote Access Clients.

Here is another example using J-Web:

Configuring NCP client via J-Web (GUI procedure)
Topology example:[SRX]-ge-0/0/2( -------Internet------Remote clients

Navigate to the Configure tab.
  1. Select: Device Setup > Basic settings > Management access and make sure that HTTPS is enabled:

  2. Select Interfaces > Ports and configure the appropriate physical and tunnel interfaces:

  3. Select: Authentication > Access Profiles > Create access profile

    Enter the profile name.

  4. For Address Pool configuration, click 'Configure' and enter a pool name and the associated Network Address.

    Click 'OK'. The configuration will be validated and the GUI will bring you back to the Access Profile page. Click 'Next and then enter any LDAP details; if required.  Finally, click 'Next', followed by 'OK':

  5.  Select: Security > Objects > Zones and confirm that the correct interfaces are allocated to the correct zones. Also configure the host-inbound-traffic for all the relevant interfaces:

    Note: TCP connections from NCP Exclusive Remote Access Clients use port 443 on SRX Series devices. Device management on TCP connections, such as J-Web, can use port 443 on SRX Series devices. TCP encapsulation system service must be configured for host inbound traffic (in addition to system-services > ike) on the zone in which NCP Exclusive Remote Access Client connections are received (the untrust zone in this example). If J-Web is used on port 443, Web management system service must be configured for host inbound traffic on the required zone.

  6. Select Security > Firewall policies and configure the appropriate security policies.

  7. Select: Security > IPSec VPN > IKE (Phase 1) and configure the IKE Proposal, Policy (Choose Aggressive Mode and either Predefined or User Defined Proposal) and Gateway for the remote VPN.  Make sure you review both tabs (IKE Policy and IKE Policy Options & IKE Gateway and IKE Gateway Options).