Will H-series support 2FA via email for SSL VPN?






With previous ZLD-based firewalls, we were able to use 2FA via email method for SSL VPN. It was very simple for the end-users and fulfilled the 2FA requirement of most business cyber insurance policies.
On H-series with the free OpenVPN client, the end-user needs to manually open a web browser and navigate to the Authentication URL to input the TOTP code from an authenticator app. This is very confusing for non-technical end users and causes frustration…it is inconvenient.
Previously on ZLD-based firewall with 2FA via email, the user could simply click the link in the email to complete the authentication.
Are there any plans to add this capability back to the H-series?
All Replies
Thanks, I did not see this. I have put in my up-vote!
0 -
Hello,
As of now, Zyxel's H-Series firewalls using Nebula Control Center (NCC) or their newer architecture do not support 2FA via email for SSL VPN authentication in the same seamless way ZLD-based firewalls did. The H-Series currently prioritizes TOTP (Time-based One-Time Password) via authenticator apps like Google Authenticator or Microsoft Authenticator, which, as you've noted, can be less user-friendly for non-technical users.
Best Regards
-1 -
I found a way to make the current 2FA process with OpenVPN a bit easier, and I want to share it here so hopefully someone can benefit from it.
You can place a batch file in the same directory that holds the .ovpn connection profile, which will run after the VPN connection is established. This can be used to launch a web browser to the Authentication URL to make it easier for the end users. **It works with the 'OpenVPN GUI' client, but it does *NOT* seem to work with the newer 'OpenVPN Connect' client.
- Under Windows OS, the connection profile is stored in directory: %USERPROFILE%\OpenVPN\config
- The batch file needs to have the same name as the .ovpn profile. For example, if your profile file is named 'MyVpnConnect.ovpn', you would name your batch file 'MyVpnConnect_up.bat'
- Example 'MyVpnConnect_up.bat' file:

    timeout /t 5
    start https://ZYWALL_LAN_IP:8008
    exit

- Now when the user connects the VPN, the web browser will launch (after a 5 sec delay) and load the Authentication page on the router where they can enter the TOTP code
I hope this is helpful to somebody!
0
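The steps in the reply above, scripted so the same batch file can be created next to every .ovpn profile of the current user. This is an added example, not part of the original thread; the parameter names and the character whitelist applied to the URL are assumptions, and ZYWALL_LAN_IP is the post's own placeholder.

```powershell
# Added example (not from the original post): creates "<profile>_up.bat"
# beside each .ovpn profile so OpenVPN GUI opens the authentication page
# after the tunnel is established.
param(
    [string]$ConfigDir    = (Join-Path $env:USERPROFILE 'OpenVPN\config'),
    [string]$AuthUrl      = 'https://ZYWALL_LAN_IP:8008',   # placeholder from the post
    [int]   $DelaySeconds = 5,
    [switch]$Overwrite
)

# The URL is written verbatim into a batch file, so accept only https and a
# conservative character set (assumption); this keeps cmd metacharacters such
# as & | > ^ % out of the generated script.
if ($AuthUrl -notmatch '^https://[A-Za-z0-9._:/\-]+$') {
    throw "AuthUrl must be an https URL without shell metacharacters: '$AuthUrl'"
}
if (-not (Test-Path -LiteralPath $ConfigDir -PathType Container)) {
    throw "OpenVPN config directory not found: $ConfigDir"
}

# Same three commands as the batch file shown in the post.
$batchLines = @(
    "timeout /t $DelaySeconds",
    "start $AuthUrl",
    'exit'
)

Get-ChildItem -LiteralPath $ConfigDir -Filter '*.ovpn' -File | ForEach-Object {
    # The script must sit beside the profile and be named <profile>_up.bat.
    $batPath = Join-Path $_.DirectoryName ($_.BaseName + '_up.bat')

    if ((Test-Path -LiteralPath $batPath) -and -not $Overwrite) {
        Write-Host "Skipped (already exists): $batPath"
        return   # continue with the next profile
    }

    # Write plain ASCII: cmd.exe does not reliably run batch files saved as
    # UTF-16 or with a byte-order mark.
    Set-Content -LiteralPath $batPath -Value $batchLines -Encoding ASCII
    Write-Host "Wrote: $batPath"
}
```

Run it once per user account, passing the firewall's real authentication URL with `-AuthUrl`; existing `_up.bat` files are left alone unless `-Overwrite` is given.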