Please can you document the IP addresses we should whitelist for this feature

MCFH Posts: 19  Freshman Member

Specifically the authentication proxy port.

SSLVPN authentication with Microsoft Entra ID — Zyxel Community

Thank you


All Replies

  • Zyxel_Barry
    Zyxel_Barry Posts: 120  Zyxel Community Virtual Assistant

    Hi @MCFH,

    For SSLVPN authentication with Microsoft Entra ID, there isn't a specific list of IP addresses from Microsoft that need to be whitelisted on your Zyxel device. However, you will need to ensure that the authentication proxy port is open.

    Here's the relevant information:

    • Authentication Proxy Port: The default authentication proxy port is TCP 1003. You must allow this port on your WAN to the ZyWALL secure-policy.
    • Certificate Requirements: To prevent certificate warnings during the VPN client dial-up, use a commercial CA-signed certificate or distribute your internal CA's certificate to all client devices. The Common Name (CN) or Subject Alternative Name (SAN) of the certificate should be a Fully Qualified Domain Name (FQDN) that resolves to the WAN IP of your firewall.

    To help me further investigate and provide more specific guidance, please provide the following information:

    • Device Model: (e.g., USG FLEX 100, ATP200)
    • Firmware Version:
    • Network Topology: A brief description or diagram of your network setup.
    • Screenshots: If you encounter any error messages during the configuration or authentication process, please provide screenshots.

    If your device is managed by Zyxel Nebula, please also:

    • Enable Zyxel Support Access via Help > Support Request in your Nebula console.
    • Provide your Organization Name and Site Name.

    Enabling support access will allow our team to directly view your cloud environment configuration, which can significantly expedite the troubleshooting process.

    This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
    If you have feedback or ideas about this AI assistant, share them in Community Feedback.

  • MCFH
    MCFH Posts: 19  Freshman Member
    edited January 19

    Yes - from a security perspective it would be much better to have a list of IP addresses we can whitelist this with please. At the very least a geographic restriction would help

  • PeterUK
    PeterUK Posts: 4,411  Guru Member
    edited January 19

    If you packet capture port 1003 on USG as the VPN connects this should show the IP that attempts to authenticate with the USG.

    Then maybe do a PTR of that IP to get a FQDN to whitelist or a subnet when put into whois.
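    As an added example, not code from the thread or from Zyxel: a small Python script that takes the kind of text export a packet capture of TCP 1003 produces, keeps only the inbound SYNs (so the firewall's own SYN-ACK replies are not counted as callers), tallies the source addresses, and proposes grouped networks that can be compared against whois before anything goes into an allow-list. The capture lines are constructed in tcpdump's text style using documentation address ranges (203.0.113.10 stands in for the firewall WAN address); the port number and the /24 grouping are assumptions you would adjust.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of a tcpdump text export (not a real capture).
# 203.0.113.10 stands in for the firewall's WAN address; callers use documentation ranges.
SAMPLE_CAPTURE = """\
12:01:03.120000 IP 198.51.100.67.51234 > 203.0.113.10.1003: Flags [S], seq 1, win 64240, length 0
12:01:03.200000 IP 203.0.113.10.1003 > 198.51.100.67.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:01:09.540000 IP 198.51.100.70.52001 > 203.0.113.10.1003: Flags [S], seq 1, win 64240, length 0
12:01:31.002000 IP 198.51.100.67.51300 > 203.0.113.10.1003: Flags [S], seq 1, win 64240, length 0
12:02:15.001000 IP 192.0.2.23.40001 > 203.0.113.10.1003: Flags [S], seq 1, win 64240, length 0
12:02:16.001000 IP 192.0.2.23.40002 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump TCP line.
LINE_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def inbound_syn_sources(capture_text, dst_port=1003):
    """Count source IPs that opened new TCP connections to dst_port.

    Only pure SYNs (Flags [S]) are counted, so the firewall's SYN-ACK replies
    and later segments of the same flow do not show up as extra callers.
    """
    sources = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("flags") != "S" or int(m.group("dport")) != dst_port:
            continue
        sources[ipaddress.ip_address(m.group("src"))] += 1
    return sources


def covering_network(ips):
    """Smallest single IPv4 network that contains every address in ips.

    Useful for checking whether a set of observed callers sits inside one
    block that whois attributes to the same owner.
    """
    addrs = sorted(ipaddress.ip_address(str(ip)) for ip in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def proposed_allow_list(sources, group_prefix=24):
    """Group observed callers by /group_prefix and return the resulting networks.

    These are candidates for review, not a final policy: each group should be
    compared with its whois record before it is trusted.
    """
    nets = {ipaddress.ip_network(f"{ip}/{group_prefix}", strict=False) for ip in sources}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    seen = inbound_syn_sources(SAMPLE_CAPTURE)
    for ip, count in seen.most_common():
        print(f"{ip}\t{count} connection(s)")
    print("covering network:", covering_network(seen))
    print("candidate allow-list:", proposed_allow_list(seen))
```

    The output is only a starting point: as the next reply in the thread points out, a capture shows the endpoint that happens to be live at that moment, and a load-balanced, multi-region service can arrive from other addresses later, so an allow-list built this way needs a documented range from the vendor (or a periodic re-check) behind it.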

  • MCFH
    MCFH Posts: 19  Freshman Member

    Peter - am assuming it's in a cloud and load balanced and multi-zoned and should have BCP provision! So it should be documented properly!!! Tracing would only show one live right now!

  • PeterUK
    PeterUK Posts: 4,411  Guru Member

    I'm wondering how this works

    If you allow from WAN to Zywall for port 1003 does a port scan show it open?

    I'm thinking, if the SSL VPN makes the connection, the port is open for authentication, then afterwards it's no longer listed as open?

  • MCFH
    MCFH Posts: 19  Freshman Member

    Peter, I assume it's a mini webserver hosted on the Zyxel device that supports the OIDC workflow. I am currently getting a connection time out error when I get redirected to the hosted page inside the LAN, so I can't get past the first test, but am still investigating the root cause of that

  • PeterUK
    PeterUK Posts: 4,411  Guru Member

    Been trying to get a free try for a test run but the sign up is giving me errors…

  • MCFH
    MCFH Posts: 19  Freshman Member
    edited January 19

    Figured out part of my problem - can get to the webserver on the gateway now but need a proper certificate on it, and the one I need to use I can't import as the H series only lets you create a CSR on the device and get that approved - sigh… Something else they need to enhance

  • PeterUK
    PeterUK Posts: 4,411  Guru Member

    You should be able to use like DDNS and get a certificate from like:

    Affordable SSL Certificates from $7.66/yr - SSL Dragon

    Import that so you have a proper certificate, same as when you log in to the USG by HTTPS

  • MCFH
    MCFH Posts: 19  Freshman Member

    OK, have it authenticating - still think they need to document the IP addresses for that authentication port. Will report back once I have the VPN connecting