Object Type | Object screen | Description |
|---|---|---|
User Accounts | User Account/ User Group | Configure a user account or user group to which you want to apply this SSL access policy. |
Application | SSL Application | Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. |
IP Pool | Address | Configure an address object that defines a range of private IP addresses to assign to user computers so they can access the internal network through a VPN connection. |
Server Addresses | Address | Configure address objects for the IP addresses of the DNS and WINS servers that the Zyxel Device sends to the VPN connection users. |
VPN Network | Address | Configure an address object to specify which network segment users are allowed to access through a VPN connection. |
Label | Description |
|---|---|
Enable | Click the switch to enable the SSL access policy. |
Download | Click to download a VPN configuration script to send to clients using SecuExtender VPN client or OpenVPN Connect VPN client. The supported operating systems for SecuExtender are: • Windows 10 (64-bit) and later versions. • macOS 10.15 and later versions. |
VPN Server Address | |
Type | Select the method the Zyxel Device uses for incoming traffic from remote clients. • Interface: Use the public IP address of the interface. • Domain Name: Use a domain name. Select this if DDNS is assigning a dynamic IP address to the interface (for example, vpn.zyxel.com). |
Interface | Select an interface from the drop-down list box for incoming traffic to your Zyxel Device. |
DNS Name | Enter the domain name (for example, vpn.zyxel.com) if you’re using DDNS to assign the interface a dynamic IP address. |
Server Port | Specify the server port of the Zyxel Device for full tunnel mode SSL VPN access. Leave this field at its default setting unless it conflicts with another interface. |
Zone | Select the security zone into which to add this VPN connection policy. Any security rules or settings configured for the selected zone apply to this VPN connection, so do not select a zone that a security policy may block. |
Clients will use VPN to access | |
Internet and Local Networks (Full Tunnel) | Select this to encrypt all traffic through the VPN. Enable Auto-SNAT to allow the Zyxel Device to rewrite the source address of packets going out to the Internet to the WAN interface's IP address. |
Auto-SNAT | Auto-SNAT changes the (private) source IP addresses of VPN clients to the Zyxel Device WAN interface’s public IP address for traffic going to the Internet. The Internet cannot route privately-assigned IP addresses, so the Zyxel Device must perform Source NAT (SNAT) to convert them to the public IP address on its WAN interface. For example, if the SSL VPN client has a privately-assigned IP address such as 192.168.1.88, then that IP address is automatically translated to the Zyxel Device’s WAN interface IP address, such as 1.1.1.1 when going to the Internet. If you disable Auto-SNAT, then SSL VPN clients can reach internal LAN subnets, but not the Internet, unless you create an outbound NAT rule for the SSL VPN pool in Network > NAT. |
Local Networks Only (Split Tunnel) | Select this to only encrypt traffic going to networks behind the Zyxel Device. Enter an IPv4 address in CIDR notation, for example, type 192.168.1.1/24. Traffic going to the network you enter here passes through the VPN and is encrypted. Traffic going to the Internet from the remote client does not go through the Zyxel Device and is not encrypted. |
Client Network | |
IP Address Pool | Enter an IPv4 address in CIDR notation, for example, type 192.168.1.1/24. The IP address pool is used to assign IP addresses to the VPN clients. The SSL VPN IP pool should not overlap with IP addresses on the Zyxel Device's local networks and the SSL user's network. |
First DNS Server | Specify the IP address of the DNS server whose information the Zyxel Device sends to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses. • ZyWALL: the VPN clients use the IP address of the interface you specified in the SSL VPN rule, and the Zyxel Device works as a DNS relay. • Custom Defined: enter a static IPv4 address. |
Second DNS Server | Enter a secondary DNS server IP address that is checked if the first one is unavailable. |
Authentication | You must first create a server in User & Authentication > AAA Server for it to display in the following fields. • If you have one authentication server, it can be on the Zyxel Device (local) or an external AAA server. • If you have two authentication servers, one of them must be on the Zyxel Device (local). You cannot use two external AAA servers. |
Primary/Secondary Server | Select local or a specified AAA server from the drop-down list box for the Zyxel Device to use for authentication. These are listed in the following order and then sorted alphabetically: Local (1), Nebula Cloud Authentication (2), AD Server (3), LDAP Server (4), OIDC Server (5), RADIUS Server (6). |
User | Select or create a user or user group that can connect to this SSL access policy. • This is a required field. • The User Type must be: User, External User, or External Group User. • It cannot be an admin or viewer account type. • SecuExtender VPN clients must log in with a User account in the Menu > Configuration > Get from Server screen. See What You Need To Know for more information on user accounts. ncas-users are users authenticated by Nebula. oidc-users are users authenticated by OpenID Connect (OIDC). See Add an OIDC Server for more information on OIDC. |
Advanced Settings | |
Minimum TLS Version | Select the minimum TLS version required for this SSL access policy. TLS connections using a version lower than the selected one will be blocked. The Zyxel Device requires a TLS 1.2 minimum to block insecure protocols (like TLS 1.0/1.1) that have known vulnerabilities. TLS 1.3 provides stronger cipher suites and more secure key exchange methods than earlier versions. |
Generate Certificate | Click this to have the Zyxel Device generate a self-signed certificate that it uses to identify itself when setting up the SSL VPN tunnel. Note the expiry date in Certificate Expires on. When the certificate expires, click Generate Certificate to create a new one, then notify all SSL VPN and OpenVPN clients to import the SSL VPN configuration file again, because their SSL VPN settings must match the Zyxel Device's SSL VPN settings. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
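The IP Address Pool overlap rule and the Full Tunnel/Split Tunnel plus Auto-SNAT behaviour described in the table can be checked before touching the device. The following is an added planning example, not Zyxel code or part of the manual; the local networks, the remote user's LAN, the client IP and the WAN address (the manual's 1.1.1.1 example) are constructed values.

```python
import ipaddress

# Constructed example values, not taken from any real deployment.
LOCAL_NETWORKS = ["192.168.1.0/24", "10.0.0.0/24"]  # subnets behind the Zyxel Device
CLIENT_LAN = "192.168.0.0/24"                       # the remote SSL user's own LAN
WAN_IP = "1.1.1.1"                                   # WAN interface address (manual's example)

def pool_conflicts(pool, local_networks=LOCAL_NETWORKS, client_lan=CLIENT_LAN):
    """Return the networks the SSL VPN IP pool overlaps with.
    The manual requires the pool to overlap neither the Zyxel Device's local
    networks nor the SSL user's network; an empty list means the pool is usable.
    strict=False accepts host-style entries such as 192.168.1.1/24."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    candidates = list(local_networks) + [client_lan]
    return [n for n in candidates
            if pool_net.overlaps(ipaddress.ip_network(n, strict=False))]

def route_decision(dst, mode, vpn_networks, auto_snat, client_ip, wan_ip=WAN_IP):
    """Model what happens to a packet from a VPN client (client_ip) to dst.
    mode is 'full' (Internet and Local Networks) or 'split' (Local Networks Only).
    Returns whether the packet is tunneled, the source address the destination
    sees, and whether the destination is reachable at all."""
    dst_ip = ipaddress.ip_address(dst)
    to_local = any(dst_ip in ipaddress.ip_network(n, strict=False) for n in vpn_networks)
    if to_local:
        # Hosts behind the Zyxel Device see the client's private pool address.
        return {"tunneled": True, "source_seen": client_ip, "reachable": True}
    if mode == "split":
        # Split tunnel: Internet traffic leaves the client directly, unencrypted.
        return {"tunneled": False, "source_seen": client_ip, "reachable": True}
    if auto_snat:
        # Full tunnel with Auto-SNAT: the pool address is rewritten to the WAN IP.
        return {"tunneled": True, "source_seen": wan_ip, "reachable": True}
    # Full tunnel without Auto-SNAT and no manual NAT rule: private source
    # addresses are not routable on the Internet, so replies never come back.
    return {"tunneled": True, "source_seen": client_ip, "reachable": False}

if __name__ == "__main__":
    print(pool_conflicts("192.168.1.1/24"))   # overlaps a local network
    print(pool_conflicts("172.16.50.0/24"))   # usable pool
    print(route_decision("8.8.8.8", "full", ["192.168.1.0/24"], False, "172.16.50.5"))
```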