How to Set up Remote AP and Configure Secure Wi-Fi to Secure the Wireless Environment on Nebula?
Zyxel Employee
To make teleworkers working remotely from home Wi-Fi networks more secure, remote AP feature allows teleworkers to install APs that automatically connect to the private network of central office. Remote AP acts as a VPN Client and establishes the IPsec tunnel to the Gateway and the traffic of tunnel mode SSID can be protected by IPsec VPN. This approach provides data encryption for teleworker’s traffic (GRE over IPsec VPN) without any settings on users’ end devices. The example instructs how to set up Secure Wi-Fi on Nebula to encrypt the traffic from the station in a remote site to the enterprise network.
The capability of Remote AP and remote status can be checked at: Devices > Access points.
Set up Secure Wi-Fi on Nebula
There’re three stages when deploying the Secure Wi-Fi on Nebula.
1. Device Registration: USG FLEX and AP must be in the same Nebula Site. Remote AP requires Secure Wi-Fi license assigned to the USG FLEX. The license status can be checked at: License & inventory. To buy Secure Wi-Fi license, you can go to the Zyxel Marketplace for purchasing the license. Then follow the steps to activate: How to Activate Secure WiFi License
2. Device setup on Nebula: Set gateway interfaces, AP Roles and Secure Tunnel on SSIDs.
Configure AP role as Remote AP and SSID setting
Remote AP setting at: Devices > Access points. Select AP and click AP Role to configure SSID. Wireless clients connected to this SSID can access the central site through NVGRE tunnel. Wireless security follows settings applied in SSID settings page. Only set up to 4 secure tunnel SSIDs.
Configure Local SSID setting of each remote AP
Remote AP setting at: Devices > Access points > [Specific AP]. Wireless clients connected to this SSID are forwarded normally to the local network of remote site. Local SSIDs settings are simplified and independent from the SSID settings and only set up to 2 local SSIDs. Network administrators must provide an SSID name and may only apply Wi-Fi passwords with WPA2 or WPA3 Personal.
3. Device Deployment: Deploy APs to teleworkers’ homes, plug-and-play installation by teleworkers.
On remote AP, Storm Control is automatically activated in order to avoid huge broadcast traffic flooding from wireless part to the Gateway and to other Remote APs. Both Wireless and Ethernet Storm Control will be auto-enabled on Remote AP.
Test the Result
After Remote AP boots up in the remote site, AP will automatically establish the IPSec VPN connection with HQ. AP and tunnel information displays on the Nebula at: Monitor > Security gateway > VPN Connection
What can go wrong?
1. Configure all the corresponding settings on the interface before you connect the link.
2. Maximum Remote AP number is limited by Device’s capability:
Categories
- All Categories
- 384 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 78 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 909 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 898 Nebula FAQ
- 415 Security FAQ
- 234 Switch FAQ
- 205 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight