USG60 - SSL VPN connect but "this connection is untrusted"

Papa
Papa Posts: 2
Hi, I need some advice. I set up a USG60 SSL VPN, everything works, but every time I connect I get this message: "This connection is untrusted". How to solve it?

I have it for the occasional house connection.

Thanks

All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member
    The default SSL certificate of the device is signed by the device, so it's "untrustable" by default.
    The message says something like "hey, I cannot recognize this certificate". As your browser does if you don't put up an exception.
  • Papa
    Papa Posts: 2
    Where and how can an exception be set?
    Does the current status affect the security of the connection or not?

    I tried to download the device certificate and upload it to the PC, but no change.


    Thanks
  • mMontana
    mMontana Posts: 1,300  Guru Member
    edited August 2022
    One way might be to install a publicly validated certificate on the device. Another (never tried) way is to tell Windows correctly (it is often utterly user-unfriendly) to consider the certificate (and maybe also the certification authority) trustworthy.

    Does the current status affect the security of the connection or not?
    Tough question... As for encryption between your computer and the firewall, the security level is equal.
    If you can remember the data presented to you by the SSL VPN application and compare it from time to time to check that it's the same, the security of the connection won't change compared to a validated certificate or defining the certificate (and maybe the CA) as trustworthy on your computer.
    However... if you don't pay attention to what is presented to you and someday it changes... and you don't notice it. Well... Something "not that nice" might be happening and you will not be aware of it.
    Last but not least: the "guru" thing is due only to the number of posts. I'm not considering myself a guru and what you read are my personal opinions.
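
The check mMontana describes (remember the certificate data shown on the first connection and compare it on later ones) can be automated by pinning the certificate's SHA-256 fingerprint. This is an added example, not part of the original posts or of Zyxel's tooling; the function names and the `vpn_pins.json` store are assumptions, and the byte strings in the offline demo are constructed stand-ins for a DER certificate.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the device presents, without validating it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: Path, host: str, der: bytes) -> str:
    """Compare a certificate with the fingerprint recorded for host.

    Returns "first-seen" (fingerprint recorded; confirm it out of band
    against the device's own certificate page), "match" or "changed".
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-seen"
    # A changed pin is never overwritten silently: the caller must decide.
    return "match" if hmac.compare_digest(known, seen) else "changed"


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:  # live check: python pin_check.py <host> [port]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_pin(Path("vpn_pins.json"), f"{host}:{port}", fetch_der(host, port)))
    else:  # offline demo on constructed stand-in bytes
        store = Path(tempfile.mkdtemp()) / "pins.json"
        for der in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
            print(check_pin(store, "192.168.1.1:443", der))
```

A "changed" result on a device whose certificate you did not replace yourself is the situation the post warns about: stop before entering credentials and verify the fingerprint on the device.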

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,063  Zyxel Employee
    Papa said:
    Where and how can an exception be set?
    Does the current status affect the security of the connection or not?

    I tried to download the device certificate and upload it to the PC, but no change.


    Thanks

    Welcome to Zyxel’s community. Just as mMontana mentioned, the default certificate is signed by the Zyxel device itself rather than by an organization that is trusted by the browser, so the “this connection is untrusted” message appears.

    Please refer to the below description from Google Chrome Help.


    But if you would like to establish a secure connection while logging in to the device Web-GUI from the lan1 interface 192.168.1.1, you could refer to the steps below:

     



    2. Configuration > System > WWW > Server Certificate: change to “zyxel.local”.


    3. Configuration > System > DNS: add an address record with FQDN “a.zyxel.local” and IP address 192.168.1.1.


    4. Import the certificate “zyxel.local” to the PC.


    Check the managed certificates via the Chrome browser.



    5. Clear the browser cache and close the Chrome browser.

    6. Open the Chrome browser.

    7. Connect the PC to LAN1 and enter the URL https://a.zyxel.local in the Chrome browser; you will see that the connection is secure, as below:


    If you view the certificate, you will find its DNS name is a.zyxel.local, as below:




