How can the SecuExtender configuration be remotely updated?

Zyxel_USG_User
Zyxel_USG_User Posts: 113  Ally Member

Hi all

Given the occasional CVEs affecting SSL connections to the firewalls in many device brands, it is probably not recommendable to permanently maintain SSL services up and running on the firewalls.

I have the following issue: clients forget to synchronise their notebooks, while in the local LAN, with the latest configurations for their SecuExtender IPSec VPN connections.

They try to connect, and obviously their IPSec VPN connections do not work if a configuration, a device certificate, etc. has been updated.

When everybody is abroad, how can the current SecuExtender configuration file(s) be downloaded in a safe manner?

To complicate things: how can the SecuExtender configurations for macOS and Win11 be downloaded using, for example, an Android smartphone, which is the only updated device capable of building an IPSec VPN to the firewall when already abroad?

All Replies

  • Zyxel_Barry
    Zyxel_Barry Posts: 120  Zyxel Community Virtual Assistant

    Hi @Zyxel_USG_User,

    I understand your concern about keeping SSL services continuously active on firewalls due to potential CVEs and the challenge of updating SecuExtender configurations for remote users. Zyxel offers several ways to manage and distribute SecuExtender configurations, even when users are abroad.

    Here's how you can manage and remotely update SecuExtender configurations:

    • Downloading Configuration Scripts:

      • From Local Firewall Web GUI: You can access the firewall's web interface (VPN > IPSec VPN > Remote Access VPN or VPN > SSL VPN) and download the VPN configuration scripts.
      • From Nebula Control Center (if applicable): If your firewall is managed by Nebula, you can navigate to Configure > Firewall > Remote Access VPN and download the configuration there.
      • Multi-Platform ZIP File: Zyxel has enhanced the provision template system, offering a single ZIP file that contains configuration scripts for Android, Apple (iOS/macOS), and Windows devices for IPSec VPN, and for Zyxel Secure Extender SSL VPN. This simplifies the process as users can download one file for their respective platforms.
      • "Get from Server" Feature: The SecuExtender client itself has a "Get from Server" option where users can directly download the provisioning file from the gateway by entering the gateway's IP and their credentials.
    • SecuExtender and OS-Native Clients for Different Platforms:

      • Windows and macOS: SecuExtender is available for both Windows and macOS. The firewall can generate configuration scripts for these. The "Get from Server" function works for both Windows and macOS SecuExtender clients.
      • Android: For Android, Zyxel recommends using the StrongSwan client. The firewall can generate scripts for StrongSwan, which can then be imported into the StrongSwan application.
      • iOS/macOS Native Clients: The firewall can also generate .mobileconfig files for iOS/macOS native VPN clients.
    • Important Considerations:

      • Firmware Updates: Ensure your firewall has the latest firmware, as Zyxel continuously enhances its provision template system, allowing Nebula to manage and push updated templates directly to the firewall. This helps with compatibility for client OS updates.
      • SecuExtender Version: Be aware of the lifecycle status of SecuExtender versions. Zyxel has advised users to move to the latest supported versions due to vulnerabilities in older perpetual versions.
      • 2FA and Client Compatibility: If 2FA is enabled, SecuExtender generally supports it, but native OS VPN clients or StrongSwan might not work with 2FA enabled simultaneously.

    To help me provide more specific guidance, please provide the following information:

    • Device Model: (e.g., USG FLEX 100, ATP200)
    • Firmware Version:
    • Network Topology Map: A simple diagram showing how the firewall is connected to the internet and your internal network.
    • Screenshots of any error messages: If users are encountering specific errors when trying to connect or update.
    • Are your firewalls managed by Zyxel Nebula Control Center?

    Once I have this information, I can offer more tailored instructions.

    This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
    If you have feedback or ideas about this AI assistant, share them in Community Feedback.

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member

    Thank you but that is not helping at all :)

    Here is the scenario

    USG20W-VPN, the latest recommended SecuExtender clients on macOS and Win11, .sswan on Android, native IPSec VPN tools on iPhones.

    In case I was not explicit enough: I know about the synchronisation from inside SecuExtender for macOS and Win11. That does not work if I do not have SSL-from-any enabled on the firewall.

    I look for workarounds when the SecuExtender users have NOT synchronised their SecuExtender client configurations BEFORE leaving.

    Sometimes they have updated their phone configurations, so what chances are there that they can get their actual SecuExtender configurations onto their notebooks by using the still-working IPSec VPN connection on their phones? They cannot and shall not enter the firewall configuration by using SSL to extract configuration files.

  • Zyxel_Tina
    Zyxel_Tina Posts: 642  Zyxel Employee

    Hi @Zyxel_USG_User,

    We understand your concern about keeping SSL services disabled for security reasons while needing a way for remote users to update their SecuExtender configurations.

    Here's an approach that may solve your problem. Please refer to this FAQ on how to "Get from Server." This feature allows users to retrieve the latest VPN configuration directly from the gateway via IPSec, enabling remote updates.

    How it works (briefly):

    1. User opens SecuExtender client
    2. Click Configuration → "Get from Server"
    3. Enter the gateway IP address and their VPN credentials
    4. SecuExtender downloads the latest configuration via IPSec

    Zyxel Tina

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 113  Ally Member

    Thank you for the reply; unfortunately nothing there helps or is even related to what I was writing.

    I assume it is a misunderstanding, so I will try to explain again.

    Employee has notebook with SecuExtender which worked fine.

    Firewall is standalone USG20W-VPN, no https connections from the internet are allowed.

    Only the IPSec VPN protocols and ports suite are allowed.

    IPSec VPN connections are built to the standalone firewall, no cloud no nebula no other stuff.

    Employee does not synchronise the latest SecuExtender configuration from the firewall whilst inside the company, which is the standard procedure and works fine.

    Now employee is abroad, and notices that the IPSec VPN connection does not work anymore.

    Employee calls the company and asks if something has changed. Yes, something has changed and employee remembers that the SecuExtender VPN configuration has not been updated before leaving abroad.

    Question to you specialists now:

    How is the SecuExtender configuration updated for the traveling employee?

  • PeterUK
    PeterUK Posts: 4,411  Guru Member

    Well, it can't; you would need to use "Get from Server" to update SecuExtender.

  • Zyxel_Tina
    Zyxel_Tina Posts: 642  Zyxel Employee
    edited January 23

    Hi @Zyxel_USG_User,

    As we mentioned, "Get from Server" is the solution for your traveling employee. This meets your requirements if you can temporarily allow HTTPS:

    1. "Get from Server" uses HTTPS; you can enable the HTTPS port only when the user needs to update the VPN configuration.
    2. It can retrieve the new configuration even when the old one is expired

    When the employee reports VPN doesn't work:

    1. Instruct them to open SecuExtender on PC
    2. Go to Configuration → "Get from Server"
    3. Enter:
      1. Gateway IP: [Your USG20W-VPN public IP]
      2. VPN username and password
    4. SecuExtender will connect via IPSec to retrieve the latest configuration
    5. Once downloaded, the employee can connect with the updated config

    Alternative (No Inbound HTTPS Needed):

    As admin, email the employee a VPN script file generated from the wizard. They can manually import it to update the config in SecuExtender.

    Zyxel Tina
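The alternative in the reply above sends the VPN script file by e-mail, which is neither confidential nor tamper-evident. The check a practitioner would pair with it is an out-of-band fingerprint: the admin hashes the exported file, reads the fingerprint to the employee over the phone, and the employee verifies the received file against it before importing it into SecuExtender. The following is an added example, not Zyxel's code or anything from this thread; the file name and the file contents are constructed placeholders, since the real export format is not shown on this page.

```python
"""
Out-of-band integrity check for a VPN configuration script distributed
by e-mail instead of being fetched with "Get from Server".

Added example (not Zyxel's code). Assumed workflow: the admin exports the
SecuExtender script file from the firewall wizard, e-mails it, and reads
the short fingerprint to the employee over the phone; the employee runs
the check on the received file before importing it.
"""
import hashlib
import hmac
from pathlib import Path

# Constructed sample standing in for an exported script file; the real
# export's format is not shown in the thread and does not matter here.
SAMPLE_SCRIPT = (b"# constructed placeholder for a SecuExtender VPN script\n"
                 b"gateway=vpn.example.invalid\n")


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file, grouped in blocks of four hex characters so it
    can be read aloud without losing one's place."""
    digest = hashlib.sha256(data).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def verify(data: bytes, spoken_fingerprint: str) -> bool:
    """True only if the received bytes hash to the fingerprint that was
    read out. Spaces and letter case are ignored; the comparison is
    constant-time."""
    expected = spoken_fingerprint.replace(" ", "").lower()
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(expected, actual)


def write_manifest(script_path: Path) -> Path:
    """Admin side: store <file>.sha256 next to the exported script so the
    fingerprint can be read out on request without recomputing it."""
    manifest = script_path.with_suffix(script_path.suffix + ".sha256")
    manifest.write_text(fingerprint(script_path.read_bytes()) + "\n")
    return manifest


def check_before_import(script_path: Path, spoken_fingerprint: str) -> bool:
    """Employee side: refuse to import a file whose hash does not match."""
    return verify(script_path.read_bytes(), spoken_fingerprint)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "vpn-config.txt"   # placeholder file name
        script.write_bytes(SAMPLE_SCRIPT)
        manifest = write_manifest(script)
        spoken = manifest.read_text().strip()
        print("fingerprint to read out:", spoken)
        print("untampered file accepted:", check_before_import(script, spoken))
        # Simulate a file altered in transit (constructed change).
        script.write_bytes(SAMPLE_SCRIPT + b"gateway=changed.invalid\n")
        print("altered file accepted:", check_before_import(script, spoken))
```

The fingerprint is spoken, not e-mailed, because a fingerprint that travels in the same channel as the file proves nothing; the phone call is the second channel that makes the check meaningful. Grouping the hex digits in fours keeps the read-out at a manageable sixteen groups.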