How to allow HTTPS Web GUI Access from WAN? (USG/USG FLEX/ATP/VPN)

Zyxel_Kay
Zyxel_Kay Posts: 1,199  Zyxel Employee

Introduction:

This article provides a step-by-step guide on how to securely access the Management Web GUI of your Zyxel Security Device (USG/USG FLEX/ATP/VPN) over the WAN using HTTPS.

Baseline Setup:

Before we begin, ensure you can connect to your device's Web GUI using its IP address and admin credentials.

  • Security Device: USG/USG FLEX/ATP/VPN
  • Device IP Address: Default IP is 192.168.1.1 (This may vary for your device)
  • Admin Username: Default admin (This may vary for your device)
  • Admin Password: Default password is 1234 (This may vary for your device)

Allowing Remote Access via Default Objects:

  1. Navigate to: Configuration > Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit
  2. Select HTTPS, click on the marked arrow, and then on "OK". You can now access your Security Device over its WAN interface, e.g., https://5.234.65.17

Best Practices for Secure Access:

To enhance security and prevent unauthorized access, follow the steps below.

  1. Changing the HTTPS Port:
    1. Go to: Configuration > System > WWW > Service Control
    2. Change the HTTPS port to a different value, e.g., 8443.
    3. Click "Apply" at the bottom of the page.
  2. Creating a Separate Object for Remote Access:
    1. Navigate to: Configuration > Object > Service > Service > Add
    2. Create a new object for the HTTPS service port:
      • Name: Enter a service name of your choice
      • IP Protocol: TCP
      • Starting Port: Enter the HTTPS port from the previous step
      • Click "OK"
  3. Creating a Separate Rule for Remote Access:
    1. Navigate to: Configuration > Security Policy > Policy Control > Policy > Add
    2. Create a new rule:
      • Name: Enter a descriptive rule name
      • From: WAN
      • To: ZyWALL
      • Service: Select the HTTPS object created earlier
      • Action: Allow
      • Click "OK"
  4. Limiting Access: To further secure your Web GUI, limit access to specific trusted IP addresses.
    1. Create an address object for the trusted IP address:
      • Name: Enter a descriptive name
      • Address Type: HOST
      • IP Address: Enter the trusted IP address
      • Click "OK"
      • If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS. Follow the same procedure, choosing "FQDN" instead of "Host."
    2. Then, create a Group for the Object to add multiple IPs/FQDNs without creating a new Security Policy for each.
      To group multiple IPs/FQDNs navigate to: Configuration > Object > Address/Geo IP > Address Group > Add
      • Name: Enter a group name
      • Address Type: Select "Address" (or "FQDN" if using FQDNs)
      • Member List: Add the previously created objects
      • Click the "→" arrow and then "OK"
    3. Apply the group to your security policy at Configuration > Security Policy > Policy Control > Policy > Choose Policy > Edit
      • Source: Select the IP/FQDN group created earlier
      • Click "OK" and then "Apply" at the bottom of the page.
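A post-change check for the steps above, added here as an example and not part of the original article or any Zyxel tooling: run it once from a trusted source address and once from an untrusted one to confirm the management port answers only where the policy allows it. It assumes nothing else is published on the old port 443; the function names and script name are hypothetical.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """Classify a TCP port: 'open' (handshake completed), 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host or network unreachable
        return "filtered"

def audit(host, mgmt_port, trusted_vantage, closed_ports=(443,), probe_fn=probe):
    """Return a list of mismatches between observed port state and the intended policy.

    mgmt_port:       the HTTPS port set under Service Control (8443 in the article's example)
    trusted_vantage: True when run from an address in the policy's source group
    closed_ports:    ports that should no longer answer (assumption: nothing else is published on them)
    """
    expected = {p: False for p in closed_ports}
    expected[mgmt_port] = trusted_vantage  # reachable only from trusted sources
    findings = []
    for port, should_open in sorted(expected.items()):
        state = probe_fn(host, port)
        if (state == "open") != should_open:
            want = "open" if should_open else "closed or filtered"
            findings.append(f"{host}:{port} is {state}, expected {want}")
    return findings

if __name__ == "__main__":
    # usage (hypothetical script name): python3 check_mgmt.py <wan-ip> <mgmt-port> trusted|untrusted
    host, port, vantage = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    problems = audit(host, port, trusted_vantage=(vantage == "trusted"))
    print("\n".join(problems) or "port states match the intended policy")
    sys.exit(1 if problems else 0)
```

A finding from the untrusted vantage point means the source restriction in the security policy is not taking effect and the rule should be reviewed.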

Remote Access for Support Purposes:

If remote access is needed for support, you can limit access to our official public IPs:

[HQ]

  • 118.163.48.105
  • 61.222.75.141
  • 1.161.154.129

Kay
