How to allow HTTPS Web GUI Access from WAN? (USG/USG FLEX/ATP/VPN)
Zyxel_Kay
Posts: 1,280 
Zyxel Employee
Zyxel Employee
Introduction:
This article provides a step-by-step guide on how to securely access the Management Web GUI of your Zyxel Security Device (USG/USG FLEX/ATP/VPN) over the WAN using HTTPS.
Baseline Setup:
Before we begin, ensure you can connect to your device's Web GUI using its IP address and admin credentials.
- Security Device: USG/USG FLEX/ATP/VPN
- Device IP Address: Default IP is 192.168.1.1 (This may vary for your device)
- Admin Username: Default admin (This may vary for your device)
- Admin Password: Default password is 1234 (This may vary for your device)
Allowing Remote Access via Default Objects:
- Navigate to: Configuration > Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit
- Select HTTPS, click on the marked arrow, and then on "OK".You can now access your Security Device over its WAN interface, e.g., https://5.234.65.17
Best Practices for Secure Access:
To enhance security and prevent unauthorized access, follow the steps below.
- Changing the HTTPS Port:
- Go to: Configuration > System > WWW > Service Control
- Change the HTTPS port to a different value, e.g., 8443.
- Click "Apply" at the bottom of the page.
- Creating a Separate Object for Remote Access:
- Navigate to: Configuration > Object > Service > Service > Add
- Create a new object for the HTTPS service port:
- Name: Enter a service name of your choice
- IP Protocol: TCP
- Starting Port: Enter the HTTPS port from the previous step
- Click "OK"
- Creating a Separate Rule for Remote Access:
- Navigate to: Configuration > Security Policy > Policy Control > Policy > Add
- Create a new rule:
- Name: Enter a descriptive rule name
- From: WAN
- To: ZyWall
- Service: Select the HTTPS object created earlier
- Action: Allow
- Click "OK"
- Limiting Access:To further secure your Web GUI, limit access to specific trusted IP addresses.
- If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS. Follow the same procedure, choosing "FQDN" instead of "Host.”
- Name: Enter a descriptive name
- Address Type: HOST
- IP Address: Enter the trusted IP address
- Click "OK"
- If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS. Follow the same procedure, choosing "FQDN" instead of "Host.”
- Then, create a Group for the Object to add multiple IPs/FQDNs without creating a new Security Policy for each.
To group multiple IPs/FQDNs navigate to: Configuration > Object > Address/Geo IP > Address Group > Add- Name: Enter a group name
- Address Type: Select "Address" (or "FQDN" if using FQDNs)
- Member List: Add the previously created objects
- Click the "→" arrow and then "OK"
- Apply the group to your security policy at Configuration > Security Policy > Policy Control > Policy > Choose Policy > Edit
- Source: Select the IP/FQDN group created earlier
- Click "OK" and then "Apply" at the bottom of the page.
- If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS. Follow the same procedure, choosing "FQDN" instead of "Host.”
Remote Access for Support Purposes
If remote access is needed for support, you can limit access to our official public IPs:
[HQ]
- 61.222.75.14
- 118.163.48.105
- 1.161.154.129
Kay
0
Categories
- All Categories
- 417 Beta Program
- 2.5K Nebula
- 160 Nebula Ideas
- 108 Nebula Status and Incidents
- 5.9K Security
- 331 USG FLEX H Series
- 286 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 259 Service & License
- 402 News and Release
- 86 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.8K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 80 Security Highlight