SMS Service for Two Factor Authentication is down (admin login and SSL VPN)

Rolly
Rolly Posts: 7
edited April 2021 in Security

Good morning

The Zyxel SMS service for two factor authentication (2FA) for the USG series Firewall has now been down for 24 hours. We use it on all our customers' firewalls for SSL VPN and the admin login on the firewalls. So, now it is impossible to remotely log in to the firewall or set up a VPN.

What is happening? Zyxel seems not to be doing anything, no announcement or any idea when it will be fixed.

Due to COVID-19 (Corona Virus) people should stay home and use home office by connecting with VPN, but this is not possible as 2FA is not working and nobody can log in to the firewall or connect a VPN.

Seems Zyxel just adds the cheapest service - probably some guys even got money from ViaNett - and then leaves the users alone. Unbelievable!

Cheers,

Rolly

All Replies

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee

    Hi @Rolly

    We apologize for the inconvenience you experienced due to the ViaNett server outage over the weekend. In addition to ViaNett, we have also deployed a new SMS feature which allows users to send SMS messages through other, more reliable SMS service providers just by using email.

    Here is an example of how to configure "Email to SMS":

    1.    Set up the SMTP function on your device

     Go to CONFIGURATION > System > Notification > Mail Server and fill in your SMTP server configuration.

    a.    Mail server

    b.    Mail server ports

    c.    Mail From

    d.    SMTP Authentication

    Note: Be sure that the SMTP server configuration is correct; otherwise the message will not be sent to the SMS provider successfully.

    2.    Set up the Email to SMS Provider configuration

    Go to Configuration > System > Notification > SMS and select “Email to SMS Provider” as the “SMS Provider”.

    Enter the SMS provider's email server domain name. Configure the sender mail address in “Mail From”.

    Note: Your SMS provider needs to allow the email address configured in “Mail From”, to prevent the email from being denied by the SMS provider’s mailbox.


    Moreover, VPN 2FA via Google Auth. will be launched in the near future. With VPN 2FA via Google Auth., the risk of service downtime will be much lower than with the current one.

  • zdenek
    zdenek Posts: 8

    Does "Google Auth" mean Google Authenticator? We are waiting for this. SSL VPN with OTP is a perfect solution.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @zdenek

    Yes, it is already in the plan.

  • CDS
    CDS Posts: 16  Freshman Member
    So - nearly one year later - how is the plan going?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    Hi @CDS
    Google Auth is already supported in the VPN scenario. You can refer to Handbook p.599.
  • My customer uses the light SSL VPN client SecuExtender. Is it too simple to add OTP directly in the client app, or to directly open the URL after connecting?


    Like Sophos (I don't like Sophos), but customers want the simplest method
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    Hi @supportIconSA
    Google Authentication is already supported for the VPN scenario (ZLD5.20 or above).
    You may suggest that the customer use Google Authentication.
    If clients connect the VPN tunnel with the IPSec VPN Client, it will pop up the authentication page in the browser directly.
    For the other VPN types (SSL VPN, L2TP, etc.), the user can still open the authentication page by entering the device IP address manually.

    You can refer to handbook page 599 

  • Hello, I know this function. But could you confirm whether "YourDeviceIP" is the public IP or the internal IP address?
    If it's the public IP address, I think this is a security risk, and sometimes the authorized port is blocked by the Internet provider/hotel/public Wi-Fi. In this case I suggest that we could pop up the authentication page with the inside IP.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    Hi @supportIconSA
    The authorize port could be on a public or private IP address. The reason is that the authorize URL could be delivered by SMS or email. The user may click the URL on a second device that has no VPN connection. Of course, you can access the authorize page via the internal IP address and block the authorize port from the WAN side.
    The IPSec VPN Client will automatically deliver the internal IP address after connecting the VPN tunnel. You can follow the handbook to finish it.
