Flex 500 Full Tunnel SSLVPN with 2FA Authorization Problem

Hello,

We have set up SSLVPN + Windows AD + Two-FA (Email) on Flex500. The setup has been completed and tested successfully. However, the client has another requirement, which is to use SSLVPN Full Tunnel. But this creates a contradictory situation:

When the user authenticates with the Windows AD username and password and obtains the IP distributed by SSLVPN, Flex500 sends an AUTHORIZE email to the user. But because SSL Full Tunnel Mode is enabled, all traffic is directed to Flex 500. However, this traffic has not yet been authorized, which prevents the user from connecting to the Internet and the company’s Mail Server to receive emails, resulting in SSLVPN being unable to connect.

How should this issue be solved?

Best Answers

  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited December 2023 Answer ✓

    Hi @Peter_EO,
    Yes, it's a Chicken or the egg situation.

    You need another client device (ex: mobile phone) to get the token in the email.

    Impossible with the VPN client device only.

    Or you need to use Google Authenticator or SMS to get token instead of email.
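A small model of the deadlock described in the question and in this answer, added here as an illustration (it is not code from the thread or from Zyxel): it shows why an email-delivered token cannot be fetched from the VPN client itself in full-tunnel mode, and that a split tunnel, a second device, or a TOTP/SMS factor each break the loop. The addresses and the `VpnClient`/`Gateway` classes are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnClient:
    """Client-side routing: full tunnel sends everything into the VPN, split tunnel only the listed subnets."""
    tunnel_mode: str                       # "full" or "split"
    split_routes: list = field(default_factory=list)

    def via_tunnel(self, dst: str) -> bool:
        if self.tunnel_mode == "full":
            return True
        ip = ipaddress.ip_address(dst)
        return any(ip in ipaddress.ip_network(net) for net in self.split_routes)


@dataclass
class Gateway:
    """Gateway-side policy: until the token is verified, only the verification portal is reachable."""
    portal: str
    authorized: bool = False

    def forwards(self, dst: str) -> bool:
        return self.authorized or dst == self.portal


def second_factor_reachable(client, gw, channel, mail_server=None, on_vpn_client=True):
    """Can the user obtain the second factor while the session is still unauthorized?"""
    if channel in ("totp", "sms"):
        return True                       # generated locally or delivered over the phone network
    if channel != "email":
        raise ValueError(f"unknown channel {channel!r}")
    if not on_vpn_client:
        return True                       # a second device reads the mail over its own path
    if not client.via_tunnel(mail_server):
        return True                       # split tunnel: mail traffic never enters the VPN
    return gw.forwards(mail_server)       # full tunnel: the firewall decides, and it is not yet authorized


# Constructed addresses, not taken from the thread.
PORTAL = "10.0.0.1"        # host behind the firewall's verification URL
MAIL = "203.0.113.25"      # company mail server reached over the Internet
GW = Gateway(portal=PORTAL)
FULL = VpnClient("full")
SPLIT = VpnClient("split", ["10.0.0.0/8"])   # only the corporate range goes into the tunnel

if __name__ == "__main__":
    for name, client, ch, dev in [("full+email", FULL, "email", True),
                                  ("split+email", SPLIT, "email", True),
                                  ("full+email, second device", FULL, "email", False),
                                  ("full+totp", FULL, "totp", True)]:
        print(f"{name}: token reachable = {second_factor_reachable(client, GW, ch, MAIL, dev)}")
```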

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee
    Answer ✓

    Hello @Peter_EO

    You could refer to this FAQ: How to Use Two Factor with Google Authenticator for VPN Access? If you build a VPN tunnel by SSL VPN or L2TP VPN, you have to enter the correct URL to enter the verification code. Thanks.

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hi @Peter_EO

    "We have set up SSLVPN + Windows AD + Two-FA (Email) on Flex500. The setup has been completed and tested successfully." When establishing an SSL VPN connection, did you enable Full Tunnel mode? Could you share screenshots of both successful and failed SSL VPN settings with us? We would like to know your settings. Thanks.

