How can the SecuExtender configuration be remotely updated?
Hi all
Given the occasional CVEs affecting SSL connections to the firewalls in many device brands, it is probably not recommendable to permanently maintain SSL services up and running on the firewalls.
I have the current issue: clients forget to synchronise their notebooks, when on the local LAN, with the latest configurations for their SecuExtender IPSec VPN connections.
They try to connect, and obviously their IPSec VPN connections do not work if a configuration or a device certificate etc. has been updated.
When everybody is abroad, how can the current SecuExtender configuration file(s) be downloaded in a safe manner?
To complicate things: how can the SecuExtender configurations be downloaded for MacOS and Win11 using, for example, an Android smartphone which is the only device that has been updated and is capable of building an IPSec VPN to the firewall when already abroad?
Hi @Zyxel_USG_User,
I understand your concern about keeping SSL services continuously active on firewalls due to potential CVEs and the challenge of updating SecuExtender configurations for remote users. Zyxel offers several ways to manage and distribute SecuExtender configurations, even when users are abroad.
Here's how you can manage and remotely update SecuExtender configurations:
Downloading Configuration Scripts:
- From Local Firewall Web GUI: You can access the firewall's web interface (VPN > IPSec VPN > Remote Access VPN or VPN > SSL VPN) and download the VPN configuration scripts.
- From Nebula Control Center (if applicable): If your firewall is managed by Nebula, you can navigate to Configure > Firewall > Remote Access VPN and download the configuration there.
- Multi-Platform ZIP File: Zyxel has enhanced the provision template system, offering a single ZIP file that contains configuration scripts for Android, Apple (iOS/macOS), and Windows devices for IPSec VPN, and for Zyxel Secure Extender SSL VPN. This simplifies the process as users can download one file for their respective platforms.
- "Get from Server" Feature: The SecuExtender client itself has a "Get from Server" option where users can directly download the provisioning file from the gateway by entering the gateway's IP and their credentials.
SecuExtender and OS-Native Clients for Different Platforms:
- Windows and macOS: SecuExtender is available for both Windows and macOS. The firewall can generate configuration scripts for these. The "Get from Server" function works for both Windows and macOS SecuExtender clients.
- Android: For Android, Zyxel recommends using the StrongSwan client. The firewall can generate scripts for StrongSwan, which can then be imported into the StrongSwan application.
- iOS/macOS Native Clients: The firewall can also generate .mobileconfig files for iOS/macOS native VPN clients.
Important Considerations:
- Firmware Updates: Ensure your firewall has the latest firmware, as Zyxel continuously enhances its provision template system, allowing Nebula to manage and push updated templates directly to the firewall. This helps with compatibility for client OS updates.
- SecuExtender Version: Be aware of the lifecycle status of SecuExtender versions. Zyxel has advised users to move to the latest supported versions due to vulnerabilities in older perpetual versions.
- 2FA and Client Compatibility: If 2FA is enabled, SecuExtender generally supports it, but native OS VPN clients or StrongSwan might not work with 2FA enabled simultaneously.
To help me provide more specific guidance, please provide the following information:
- Device Model: (e.g., USG FLEX 100, ATP200)
- Firmware Version:
- Network Topology Map: A simple diagram showing how the firewall is connected to the internet and your internal network.
- Screenshots of any error messages: If users are encountering specific errors when trying to connect or update.
- Are your firewalls managed by Zyxel Nebula Control Center?
Once I have this information, I can offer more tailored instructions.
This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
If you have feedback or ideas about this AI assistant, share them in Community Feedback.
Thank you but that is not helping at all :)
Here is the scenario
USG20W-VPN, the latest recommended SecuExtender clients on MacOS and Win11, .sswan on Android, native IPSec VPN tools on iPhones.
In case I was not explicit enough: I know the synchronisation from inside SecuExtender for MacOS and Win11. That does not work if I do not have SSL-from-any enabled on the firewall.
I am looking for workarounds when the SecuExtender users have NOT synchronised their SecuExtender client configurations BEFORE leaving.
Sometimes, they updated their phone configurations. So, what chances are there that they can get their actual SecuExtender configurations on their notebooks by using the still working IPSec VPN connection on their phones? They cannot and shall not enter the firewall configuration by using SSL to extract configuration files.