FLEX700H and IPSEC VPN with MFA via e-mail code

NetworkResolve
NetworkResolve Posts: 4  Freshman Member
First Comment Fourth Anniversary
in USG FLEX H Series

I have a Flex700H and i have setup IPSEC VPN for remote users to connect.

When i turn on MFA for each user the only option that is available is Google Auth APP.

I prefer MFA with a authorize e-mail sent to that users e-mail to click auth

I do not user secure extender client due to cost and want to use the native IPSEC VPN with Windows and MAC

does someone know to turn on e-mail MFA for a user on the flex700H versus Google Auth

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,747  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @NetworkResolve

    USG FLEX H series doesn't support e-mail MFA, therefore, it is no way to turn this on.

    The reason e-mail MFA is not supported is that receiving the MFA email requires an Internet connection. If you are using IPSec remote access VPN with full tunnel, you won't have Internet access before you pass MFA. Since the Google Auth is an MFA auth tool without Internet, it ensures the user can pass the MFA no matter which remote access VPN type they connect.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,023  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 8

    In other words to pass e-mail MFA you would have a PC or laptop for the VPN and a phone to get the Email and link to FLEX to authorize the VPN.

    But one way to to allow VPN to pass authorization is to allow DNS and known EMail ports to get the Email as you authorize the VPN fully.

  • NetworkResolve
    NetworkResolve Posts: 4  Freshman Member
    First Comment Fourth Anniversary

    Zyxel Melen

    MFA if turned on for the IPSEC VPN user with Google Auth setup for that user

    The user connects to VPN via native Apple VPN not secure extender application

    Once the VPN user is connected via IPSEC how does that user apply the Google code to get authorized?

    The VPN shows connected … then what is next step to get authorized with Google Auth?

  • PeterUK
    PeterUK Posts: 4,023  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 8

    You enter in the browser your Authorize Link URL Address after you connect to the VPN

    Screenshot 2025-09-08 191944.png

    My LAN DNS point to 192.168.255.235 my LAN interface but externally point to my WAN IP

    https://zyxel-router7.ddns.net:8008

    This open up a page you enter the code

    on another note it by nice if it could use the Certificate to not see click to view unsafe site

  • NetworkResolve
    NetworkResolve Posts: 4  Freshman Member
    First Comment Fourth Anniversary

    PeterUK

    so after you make a successful IPSEC VPN connecting it then opens up the Authorize website on that persons computer were then can then enter the Google Auth code?

    or does the user have to go to the authorize url themselves and type in domain or IP with :8008

  • PeterUK
    PeterUK Posts: 4,023  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    With built in VPN client you have to go to the authorize url but I think with SecuExtender VPN Client you can make it run the url after connection.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)