How to allow HTTPS Web GUI Access from WAN? (USG FLEX H)

Zyxel_Kay
Zyxel Employee

Introduction:

This article provides a step-by-step guide on how to securely access the Management Web GUI of your Zyxel Security Device (USG FLEX H) over the WAN using HTTPS.

Baseline Setup:

Before we begin, ensure you can connect to your device's Web GUI using its IP address and admin credentials.

  • Security Device: USG FLEX H
  • Device IP Address: Default IP is 192.168.1.1 (This may vary for your device)
  • Admin Username: Default admin (This may vary for your device)
  • Admin Password: Default password is 1234 (This may vary for your device)

Allowing Remote Access via Default Objects:

  1. Navigate to: Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit
  2. Select HTTPS and click the ">" arrow to move it to Allowed.
  3. Press the "Apply" button after making changes to the device settings.
  4. You can then access your security device over its WAN interface. However, we strongly recommend that you change the port and restrict access to your device to certain trusted IP addresses only.

Best Practices for Secure Access:

To enhance security and prevent unauthorized access, follow the steps below.

  1. Changing the HTTPS Port:
    1. Go to: System > Settings > Administration Settings
    2. Change the HTTPS port to a different value, e.g., 8443.
    3. Click "Apply" at the bottom of the page.
  2. Creating a Separate Object for Remote Access:
    1. Navigate to: Object > Service > Service
    2. Click +Add to create a new object for the HTTPS service port:
      • Name: Enter a service name of your choice
      • IP Protocol: TCP
      • Starting Port: Enter the HTTPS port from the previous step
      • Click "Apply"
  3. Creating a Separate Rule for Remote Access:
    1. Navigate to: Security Policy > Policy Control > Configuration
    2. Click +Add to create a new rule:
      • Name: Enter a descriptive rule name
      • From: WAN
      • To: ZyWALL
      • Service: Select the HTTPS object created earlier
      • Action: Allow
      • Click "Apply"
  4. Limiting Access: To further secure your Web GUI, limit access to specific trusted IP addresses.
    1. Go to: Object > Address
    2. Add a new address object for the trusted IP address:
      • Name: Enter a descriptive name
      • Address Type: HOST
      • IP Address: Enter the trusted IP address
      • Click "Apply"
      • If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS. Follow the same procedure, choosing "FQDN" instead of "Host."
    3. Then, create a Group for the Object to add multiple IPs/FQDNs without creating a new Security Policy for each.
      To group multiple IPs/FQDNs navigate to: Object > Address > Address Group > Add
      • Name: Enter a group name
      • Address Type: Select "Address" (or "FQDN" if using FQDNs)
      • Member List: Add the previously created objects
      • Click the ">" arrow and then "Apply"
    4. Apply the group to your security policy at Security Policy > Policy Control > Policy > Choose Policy > Edit
      • Source: Select the IP/FQDN group created earlier
      • Click "Apply" at the bottom of the page.
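
A reachability check for the result of the steps above, as an added example that is not part of the original article or any Zyxel tooling: run it once from a machine whose public IP is in the trusted address group and once from a machine outside it. Port 8443 is the example value from step 1; the script name, the placeholder WAN IP and the assumption that nothing else is published on tcp/443 belong to this example.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """TCP connect check: 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or unreachable: what a dropped packet looks like
        return "filtered"

def verify(wan_ip, vantage, mgmt_port=8443, old_port=443, probe_fn=probe):
    """Compare what this machine can reach with what the policy should allow.

    vantage is 'trusted' when this machine's public IP is a member of the
    address group used as Source in the rule, otherwise 'untrusted'.
    Returns a list of findings; an empty list means the result matches.
    """
    should_be_open = {
        # Assumption: nothing else (port forward, VPN) is published on old_port.
        "trusted": {mgmt_port: True, old_port: False},
        "untrusted": {mgmt_port: False, old_port: False},
    }[vantage]
    findings = []
    for port, expected in should_be_open.items():
        state = probe_fn(wan_ip, port)
        if (state == "open") != expected:
            want = "open" if expected else "not open"
            findings.append(f"{vantage}: tcp/{port} is {state}, expected {want}")
    return findings

if __name__ == "__main__":
    # Usage: python check_wan_gui.py <WAN IP> <trusted|untrusted>
    # 203.0.113.10 is a documentation placeholder, not a real device.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    vantage = sys.argv[2] if len(sys.argv) > 2 else "untrusted"
    problems = verify(wan_ip, vantage)
    print("\n".join(problems) or "reachability matches the policy")
    sys.exit(1 if problems else 0)
```

A finding from the untrusted vantage means the Source restriction in the security policy is not taking effect and the rule should be rechecked.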

Other Types:

You can also block an entire country or region using our GeoIP feature.

Remote Access for Support Purposes

If remote access is needed for support, you can limit access to our official public IPs:

[HQ]

  • 118.163.48.105
  • 61.222.75.14
  • 1.161.154.129

Kay
