USG functionalities

CB1
CB1 Posts: 3
edited April 2021 in Security
I’m reading about USG devices (especially about USG40/60 models) and I need some clarifications:
  1. I understand that appliances do not include software licenses, they need to be purchased separately, but are SecuExtender (SSL VPN Client) licenses for life or for a fixed time?
  2. The manual (v4.35 from 2019) states that the device loads the SecuExtender client program after a successful login to an SSL VPN tunnel with network extension support enabled. So does it mean that if Network Extension Support is not enabled, users can still log in with a browser and have access to applications without installing anything?
  3. Is it possible, with Network Extension enabled (but "Force all client traffic to SSL VPN tunnel" disabled), to give access to a single IP address or addresses without adding routes manually on the client? (in other words: can split tunneling be set up easily for clients?)
  4. Is Java still required in 2020 when using SSL VPN? The manual from 2019 mentioned needing Java in order for the web application to work; in the latest firmware release notes one can read that on Windows, Internet Explorer is the only supported browser when it comes to Java. I'm interested in giving remote access to an internal web application, is it possible only when using IE with Java installed? If so, what about SecuExtender - can an internal web application be accessed without Java or IE at any stage?
  5. Somewhere on the internet I read that two-factor authentication for VPN access doesn't support SSL VPN using web mode - is it still true in 2020? (that information was from a few years ago)
  6. When it comes to subscription-based services such as AV, IDP, anti-spam, I imagine that, after the subscription ends, all other device functions run smoothly as before, and there is no annoying popup of any kind ("buy before we let you continue") when managing the device, correct?

All Replies

  • USG_User
    USG_User Posts: 369  Master Member
    Hi CB1,
    We have owned a USG110 for a few years. That's why I'm able to comment for this device only:
    1. When purchasing a new USG, software licences for UTM features are included for the first year after registration. When the first year is done you have to renew (purchase) new licences. Regarding SSL VPN and SecuExtender licences ... The different USG models come with a different number of SSL VPN licences. Our USG110 is able to manage 50 simultaneous SSL VPN tunnels. This number is free for lifetime. Only in case this number is not sufficient, you can purchase additional SSL VPN licences. The SecuExtender software, needed for establishing an SSL VPN tunnel to the USG, is free for Windows. MacOS users have to purchase a licence.
    2. A long time ago we switched off the option to connect via browser, since Java has to be kept updated on each client machine. In the meantime we are using SecuExtender only on all client machines. The network extension is enabled, so that all VPN clients obtain an IP from the remote company network. When logged in, they are able to use all resources from the company LAN or domain. Works fine with us.
    3. If you enable "force all client traffic to VPN tunnel", the entire internet traffic will be redirected through the tunnel. But we don't want that. Only the traffic which is addressed to the company LAN IP subnet will be directed through the tunnel, while clients' "normal" internet queries, e.g. Google searches, will be directed to the client's current internet gateway (ISP).
    4. Not needed when using SecuExtender.
    5. At the moment we aren't using any two-factor authentication when using SecuExtender. Only user name and password are needed to access. But I read something in this regard that Zyxel is working on it. Maybe someone else has more info.
    6. Of course you could use it without a subscription, but in that case you have a simple port-based firewall. I would not recommend purchasing a "next-generation firewall" without using the UTM features of this device. If you would like to save money you should go for a cheap standard firewall.
  • CB1
    CB1 Posts: 3
    Thanks for the reply, my comments below:
    1. Accepted (it's worth noting that there are also cheaper "device only" products on the market without UTM licenses for the first year).
    2. Partially answered, related to 4, need more info about what can be achieved today without SecuExtender and what the requirements (especially Java) are for that (I have found something about "reverse proxy mode" - maybe it's related to my question?)
    3. Accepted (this is exactly what I called "split tunneling", just to be clear - any subnet can be set, let's say with a /32 mask (one single IP), not only /24?).
    4. Partially answered, related to 2.
    5. Awaiting replies.
    6. Accepted (I agree, just was curious how the device behaves).
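The split-tunnel behaviour discussed in reply 3 above and in the /32 follow-up can be modelled as a simple route-selection rule: the client only sends traffic through the SSL VPN tunnel when the destination falls inside one of the networks pushed by the gateway, and everything else goes to the client's own ISP gateway. The following is an added illustration, not code from this thread, from Zyxel or from SecuExtender; the network list and destination addresses are constructed (RFC 1918 and TEST-NET ranges) and the longest-prefix rule is a standard routing assumption, not a documented USG detail. It also shows the "force all client traffic" case as a 0.0.0.0/0 entry, which the thread describes in prose only.

```python
import ipaddress

# Constructed example: networks a gateway would push to a split-tunnel client.
# The /24 covers a whole office subnet; the /32 is a single internal host,
# which answers the "/32 not only /24" question. Values are assumptions.
SPLIT_TUNNEL_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.7/32"),
]

# "Force all client traffic to SSL VPN tunnel" is equivalent to pushing a
# default route: every destination matches, so nothing bypasses the gateway.
FULL_TUNNEL_NETWORKS = [ipaddress.ip_network("0.0.0.0/0")]


def select_path(dst, tunnel_networks=SPLIT_TUNNEL_NETWORKS):
    """Return ("tunnel", matched_network) when dst lies inside one of the
    pushed networks (longest prefix wins), otherwise ("isp", None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net in tunnel_networks:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return ("tunnel", best) if best is not None else ("isp", None)


def classify(destinations, tunnel_networks=SPLIT_TUNNEL_NETWORKS):
    """Group destination addresses by the path they would take.

    Anything landing in the "isp" bucket never reaches the USG, so it is not
    inspected by the gateway's UTM services; that is the trade-off of split
    tunneling versus forcing all traffic through the tunnel."""
    result = {"tunnel": [], "isp": []}
    for dst in destinations:
        path, _ = select_path(dst, tunnel_networks)
        result[path].append(dst)
    return result


if __name__ == "__main__":
    # Constructed sample: two internal hosts, a neighbour of the /32 host that
    # is deliberately NOT covered, and a public (TEST-NET-3) address.
    sample = ["10.10.0.25", "192.168.50.7", "192.168.50.8", "203.0.113.10"]
    print("split tunnel:", classify(sample))
    print("full tunnel: ", classify(sample, FULL_TUNNEL_NETWORKS))
```

The point the /32 entry makes is that the client needs no manual route: the gateway's pushed list decides, and 192.168.50.8 stays off the tunnel even though it sits right next to the permitted host. Swapping in the 0.0.0.0/0 list reproduces the "force all client traffic" behaviour where nothing bypasses the gateway.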
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    Hi @CB1,

    Question 2 & 4
    The reverse proxy mode is Java based.
    Since there are some security concerns in Java, many browsers may not support it any more.
    We suggest you use full tunnel mode (SecuExtender Windows software 4.0.3.0) to establish SSL VPN to USG.

    Question 5
    Two-factor authentication for VPN access doesn't support SSL VPN using web mode.
    The reason is the same as that in question 2 & 4.
    We suggest you use SecuExtender Windows software 4.0.3.0 with two-factor to establish SSL VPN to USG.
    In ATP and USG FLEX series, SSL VPN web login is removed.