How to allow HTTPS Web GUI Access from WAN? (USG/USG FLEX/ATP/VPN)

Zyxel_Kay, Zyxel Employee
edited March 13 in Other Topics

Introduction:

This article provides a step-by-step guide on how to securely access the Management Web GUI of your Zyxel Security Device (USG/USG FLEX/ATP/VPN) over the WAN using HTTPS.

Baseline Setup:

Before we begin, ensure you can connect to your device's Web GUI using its IP address and admin credentials.

  • Security Device: USG/USG FLEX/ATP/VPN
  • Device IP Address: Default IP is 192.168.1.1 (This may vary for your device)
  • Admin Username: Default admin (This may vary for your device)
  • Admin Password: Default password is 1234 (This may vary for your device)

Allowing Remote Access via Default Objects:

  1. Navigate to: Configuration > Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit
  2. Select HTTPS, click on the marked arrow, and then on "OK".

You can now access your Security Device over its WAN interface, e.g., https://5.234.65.17

Best Practices for Secure Access:

To enhance security and prevent unauthorized access, follow the steps below.

  1. Changing the HTTPS Port:
    1. Go to: Configuration > System > WWW > Service Control
    2. Change the HTTPS port to a different value, e.g., 8443.
    3. Click "Apply" at the bottom of the page.
  2. Creating a Separate Object for Remote Access:
    1. Navigate to: Configuration > Object > Service > Service > Add
    2. Create a new object for the HTTPS service port:
      • Name: Enter a service name of your choice
      • IP Protocol: TCP
      • Starting Port: Enter the HTTPS port from the previous step
      • Click "OK"
  3. Creating a Separate Rule for Remote Access:
    1. Navigate to: Configuration > Security Policy > Policy Control > Policy > Add
    2. Create a new rule:
      • Name: Enter a descriptive rule name
      • From: WAN
      • To: ZyWALL
      • Service: Select the HTTPS object created earlier
      • Action: Allow
      • Click "OK"
  4. Limiting Access: To further secure your Web GUI, limit access to specific trusted IP addresses.
    1. Create an address object for each trusted IP address:
      • Name: Enter a descriptive name
      • Address Type: HOST
      • IP Address: Enter the trusted IP address
      • Click "OK"
      • If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS. Follow the same procedure, choosing "FQDN" instead of "Host".
    2. Then create an address group, so that you can add multiple IPs/FQDNs without creating a new Security Policy for each. Navigate to: Configuration > Object > Address/Geo IP > Address Group > Add
      • Name: Enter a group name
      • Address Type: Select "Address" (or "FQDN" if using FQDNs)
      • Member List: Add the previously created objects
      • Click the "→" arrow and then "OK"
    3. Apply the group to your security policy at Configuration > Security Policy > Policy Control > Policy > Choose Policy > Edit
      • Source: Select the IP/FQDN group created earlier
      • Click "OK" and then "Apply" at the bottom of the page.
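
Once the policy is applied, it is worth confirming from outside that the exposure matches what you configured. The script below is an added example, not part of the original article or a Zyxel tool: run from a trusted and then an untrusted source address, it checks that the default port 443 no longer answers and that the new port (8443, the article's example value) answers only for trusted sources. The vantage labels, function names and script name are assumptions made for illustration.

```python
import socket
import sys

# Expected TCP state per vantage point, assuming the article's example setup:
# HTTPS moved from 443 to 8443 and the WAN-to-ZyWALL rule limited to a
# trusted source address group.
EXPECTED = {
    "trusted":   {443: "blocked", 8443: "open"},
    "untrusted": {443: "blocked", 8443: "blocked"},
}

def probe(host, port, timeout=3.0):
    """Return 'open' if a TCP handshake completes, otherwise 'blocked'
    (connection refused, timed out or unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "blocked"

def audit(host, vantage, probe_fn=probe):
    """Compare observed port states with EXPECTED[vantage].
    Returns a list of findings; an empty list means the policy behaves as intended."""
    findings = []
    for port, want in EXPECTED[vantage].items():
        got = probe_fn(host, port)
        if got != want:
            findings.append(
                f"{host}:{port} is {got}, expected {want} from a {vantage} source"
            )
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in EXPECTED:
        sys.exit("usage: check_mgmt.py <wan-ip> trusted|untrusted")
    problems = audit(sys.argv[1], sys.argv[2])
    print("\n".join(problems) or "exposure matches the intended policy")
    sys.exit(1 if problems else 0)
```

A finding from the untrusted run means the rule's Source is still open to any address, or HTTPS is still a member of Default_Allow_WAN_To_ZyWALL.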

Remote Access for Support Purposes

If remote access is needed for support, you can limit access to our official public IPs:

[HQ]

  • 61.222.75.14
  • 118.163.48.105
  • 1.161.154.129

Kay