USG Flex H - Home Office User should authenticate to USG Flex H via Login to access RDP

mjr
mjr Posts: 39 Freshman Member

Hello!

When a user in the home office (no Zyxel firewall) tries to log in to a company USG Flex H, "login denied" appears.
When an administrative user tries to log in - ok

Situation:

User in Home Office (no Zyxel firewall) should authenticate via WAN to a USG Flex H via web interface, to access an RDP connection on the LAN (via NAT).

What changed in comparison to a USG Flex (pre H)?

Best regards,

MJR

Accepted Solution

  • Zyxel_Tina
    Zyxel_Tina Posts: 471 Zyxel Employee
    edited November 26 Answer ✓

    Hi @mjr,

    On the USG FLEX H series, this behavior is expected.

    The USG FLEX H series follows the same principle as ZLD-based firewalls, where WAN access to the Web GUI requires an explicit security policy. However, unlike ZLD, starting from uOS firmware v1.32, only administrator accounts are allowed to log in from the WAN interface on the H series, which is an additional security restriction introduced in uOS.

    USG FLEX H Series - V1.32Patch 0 Firmware Release — Zyxel Community

    Therefore, using the WAN Web GUI for user authentication and then accessing internal RDP services via NAT is not supported on the H series. For remote users who need access to internal resources, please use a Remote Access VPN instead.

    Zyxel Tina

All Replies

  • Peppino
    Peppino Posts: 182 Master Member

    Set up a VPN, easiest way of accessing anything on the corporate network after just clicking "connect" on the VPN policy. Any OS can do that.

  • mjr
    mjr Posts: 39 Freshman Member

    Sometimes you need a solution that doesn't conflict with any other requirement.

    For example: a different VPN client, missing admin rights and so on.

    Best regards,
    MJR

  • Peppino
    Peppino Posts: 182 Master Member

    Yeah, but it's 2025, and VPN clients are embedded in every OS. No need to install a client.

  • PeterUK
    PeterUK Posts: 4,272 Guru Member

    So does the setup work if you do it by admin?
