cancel
Showing results for 
Search instead for 
Did you mean: 

JunosPulse : SSL or ESP transport

SOLVED
Highlighted
Occasional Contributor

JunosPulse : SSL or ESP transport

Dear all,

 

In my company, we use a cluster of Juniper SA platform ( 2 x 4500). We used these platform to access Corporate network through VPN connexion with JunosPulse client.

 

In the configuration in Resource Policies > VPN Tunneling > Connection Profiles, we have 2 choices about the transport : ESP or SSL. Which transport is better between ESP or SLL ? When it's better to used ESP and when it's better to configure SSL transport ?

 

Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Respected Contributor

Re: JunosPulse : SSL or ESP transport

ESP is better when your environment allows it and so does the client network (for example, some Middle East countries block all traffic for ports 500 & 4500; this means that the default ESP tunnel will not work and if they do protocol blocking, all ESP is denied).
If you are using FIPS on the SA and you want FIPS on the client, you need SSL. otherwise, use ESP

View solution in original post

6 REPLIES 6
Highlighted
Frequent Contributor

Re: JunosPulse : SSL or ESP transport

ESP is normally used by most - because of the performance factor.

However, if you have your ISP blocking UDP 4500, then you need to think of SSL which is more of a compatibility reason why you use this.

 

Hope the above helps.

 

 

Highlighted
Frequent Contributor

Re: JunosPulse : SSL or ESP transport

By default, Juniper VPN client supports SSL fallback.

So, when a VPN client tries to establish a ESP tunnel, if there is anything which is blocking the ESP traffic, then the client auto-fallsback to SSL for compatibility seamlessly and the client is normally enabled to connect.

 

However, suggestion is - on the SA - Try to set the default connection as ESP.

Frequent Contributor

Re: JunosPulse : SSL or ESP transport

Please go to

 

http://kb.pulsesecure.net

 

and search for KB8569 for more detail on this.

 

 

 

If the above have answered your query completely, please accept solution and close this thread.

Highlighted
Occasional Contributor

Re: JunosPulse : SSL or ESP transport

and when we said ESP is more faster than SSL transport configuration, is-it only when the connexion is established or it's also the case for the communication inside the VPN ? If we used ESP, the communication inside the VPN (access to Exchange or CIFS share for example) will be most faster than SSL configuration ?

 

And concerning the security, the ESP and SLL are the same level or SSL is more secure because, it's not necessary to open a new port (UDP 4500) on the FW ?

Highlighted
Valued Contributor

Re: JunosPulse : SSL or ESP transport

ESP vs SSL mode is the transport mechanism between the client and the SA.  Between the SA and the backend will the protocol the client would normally use if they were on the LAN (usually tcp port 80 or 443).

 

In short, ESP is faster than SSL due to the chatty nature of SSL and TCP protocol.  ESP utilizes UDP on port 4500.  For more detailed information between the two transport methods, please refer to http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB8569

Highlighted
Respected Contributor

Re: JunosPulse : SSL or ESP transport

ESP is better when your environment allows it and so does the client network (for example, some Middle East countries block all traffic for ports 500 & 4500; this means that the default ESP tunnel will not work and if they do protocol blocking, all ESP is denied).
If you are using FIPS on the SA and you want FIPS on the client, you need SSL. otherwise, use ESP

View solution in original post