Will H-series support 2FA via email for SSL VPN?

p4_greg
p4_greg Posts: 22  Freshman Member
edited 2:36AM in USG FLEX H Series

With previous ZLD-based firewalls, we were able to use 2FA via email method for SSL VPN. It was very simple for the end-users and fulfilled the 2FA requirement of most business cyber insurance policies.

On H-series with the free OpenVPN client, the end-user needs to manually open a web browser and navigate to the Authentication URL to input the TOTP code from an authenticator app. This is very confusing for non-technical end users and causes frustration…it is inconvenient.

Previously on ZLD-based firewall with 2FA via email, the user could simply click the link in the email to complete the authentication.

Are there any plans to add this capability back to the H-series?

All Replies

  • PeterUK
    PeterUK Posts: 3,753  Guru Member
  • p4_greg
    p4_greg Posts: 22  Freshman Member

    Thanks, I did not see this. I have put in my up-vote!

  • romen564
    romen564 Posts: 1  Freshman Member
    edited 4:05AM

    Hello,

    As of now, Zyxel's H-Series firewalls using Nebula Control Center (NCC) or their newer architecture do not support 2FA via email for SSL VPN authentication in the same seamless way ZLD-based firewalls did. The H-Series currently prioritizes TOTP (Time-based One-Time Password) via authenticator apps like Google Authenticator or Microsoft Authenticator, which, as you've noted, can be less user-friendly for non-technical users.

    Best Regards

  • p4_greg
    p4_greg Posts: 22  Freshman Member

    I found a way to make the current 2FA process with OpenVPN a bit easier, I want to share it here so hopefully someone can benefit from it.

    You can place a batch file in the same directory that holds the .ovpn connection profile, which will run after the VPN connection is established. This can be used to launch a web browser to the Authentication URL to make it easier for the end users. It works with the 'OpenVPN GUI' client, but it does *NOT* seem to work with the newer 'OpenVPN Connect' client.

    -Under Windows OS, the connection profile is stored in directory: %USERPROFILE%\OpenVPN\config

    -The batch file needs to have the same name as the .ovpn profile. For example, if your profile file is named 'MyVpnConnect.ovpn', you would name your batch file 'MyVpnConnect_up.bat'

    -Example 'MyVpnConnect_up.bat' file:

    REM wait 5 seconds so the tunnel and routes are up before the browser opens
    timeout /t 5
    REM open the firewall's authentication page (replace ZYWALL_LAN_IP with the LAN address)
    start https://ZYWALL_LAN_IP:8008
    exit

    -Now when the user connects the VPN, the web browser will launch (after a 5 sec delay) and load the Authentication page on the router where they can enter the TOTP code

    I hope this is helpful to somebody!
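
    The following `_up.bat` is an added example and not part of p4_greg's post or of any Zyxel or OpenVPN documentation. It keeps the same mechanism (a batch file with the profile's basename plus `_up`, placed beside the .ovpn file so OpenVPN GUI runs it after the tunnel comes up) but replaces the fixed 5 second delay with a bounded reachability check, so the browser only opens once the firewall actually answers through the tunnel, and writes a line to a log file for troubleshooting. `ZYWALL_LAN_IP` is the same placeholder as in the thread, port 8008 is the port quoted above, and the log path under `%USERPROFILE%\OpenVPN\log`, the `MAX_TRIES` limit and the use of `ping` as the readiness probe are assumptions of this example.

```batch
@echo off
REM MyVpnConnect_up.bat - added example, not the original poster's script.
REM Place next to MyVpnConnect.ovpn in %USERPROFILE%\OpenVPN\config so that
REM OpenVPN GUI runs it after the connection is established.
setlocal

REM Placeholder from the thread: replace with the firewall's LAN address.
set "AUTH_HOST=ZYWALL_LAN_IP"
set "AUTH_URL=https://%AUTH_HOST%:8008"
REM Assumed values: how many one-second probes to allow, and where to log.
set "MAX_TRIES=12"
set "LOGFILE=%USERPROFILE%\OpenVPN\log\MyVpnConnect_up.log"

REM Poll the firewall instead of sleeping a fixed 5 seconds, so a slow link
REM does not open the browser before the route through the tunnel is usable.
set /a tries=0
:waitloop
ping -n 1 -w 1000 %AUTH_HOST% >nul 2>&1
if not errorlevel 1 goto ready
set /a tries+=1
if %tries% geq %MAX_TRIES% goto giveup
timeout /t 1 /nobreak >nul
goto waitloop

:ready
echo %date% %time% tunnel up, opening %AUTH_URL% >> "%LOGFILE%"
REM The empty "" is the window title argument that start requires
REM when the next argument is quoted.
start "" "%AUTH_URL%"
exit /b 0

:giveup
echo %date% %time% %AUTH_HOST% not reachable after %MAX_TRIES% probes, browser not opened >> "%LOGFILE%"
exit /b 0
```

    Note that the script only opens the authentication page; it never stores or submits the TOTP code itself, so the second factor still has to be typed by the user. If ICMP to the firewall's LAN address is blocked by policy, the ping probe will always time out and the script will log the give-up line without opening the browser, which is the signal to either permit ping from the VPN subnet or fall back to the fixed delay from the original post.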