Stuck on getting SSLVPN authentication with Microsoft Entra ID to work

OWB

Hi,

I did follow this guide, trying to achieve SSLVPN authentication with Microsoft Entra ID

SSLVPN authentication with Microsoft Entra ID — Zyxel Community

Everything goes well as the guide explains, until step "6 - Click Test on the Firewall" in the section "Create OIDC AAA Server" where I got this error.


I'm unsure which direction it's pointing in.

At the beginning of the guide, it mentions 4 things to be aware of in advance. The last one is "Network connectivity between your device and Microsoft Entra ID". I wonder if that means we need to have a VPN connection between the USG and the Azure environment?

Anyone getting it to work, or have faced similar issues?

Best regards Ole.

All Replies

  • Zyxel_Melen (Zyxel Employee)

    Hi @OWB

    No, this doesn't require a VPN connection between the firewall and Azure. But please note that the firewall should be able to access "login.microsoftonline.com". Please check if this domain is allowed. If the problem persists, please help to enable Zyxel support access so we can have further checks.

    Zyxel Melen


  • MCFH

    I can't see it, but have you got the correct URL as the issuer URL? Mine is something like this:

    https://login.microsoftonline.com/xxxx/v2.0

    In the screenshot I can see a lower case s for server and can't map that to my screens.

  • Zyxel_Melen (Zyxel Employee)

    Hi @MCFH

    The URL is always different in the Tenant ID part: https://login.microsoftonline.com/{Tenant ID}/v2.0

    But the domain is the same, since all of them need to reach Microsoft Azure first. The related domain is "login.microsoftonline.com". Please help to ensure your firewall can reach this domain first. You may use the firewall's network tool (Maintenance > Diagnostics > Network Tool) to test.

    If the firewall can reach Microsoft Azure, please help to enable Zyxel support access and share the info from the OIDC Server page and we will help to check. Additionally, please share the info with me by sending a private message. Just click my name and you will see a message button.

    Zyxel Melen
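An added example, not from this thread or from Zyxel, that checks the two things raised in the reply above: whether the issuer URL has the expected https://login.microsoftonline.com/{Tenant ID}/v2.0 shape, and, when run from a host with the same outbound access as the firewall, whether the tenant's OpenID discovery document can actually be fetched and whether its issuer matches what was configured. The tenant ID and discovery document below are constructed sample values.

```python
"""Sanity-check an Entra ID OIDC issuer URL and the discovery document behind it."""
import json
import re
import urllib.request

ENTRA_HOST = "login.microsoftonline.com"
# Assumes the tenant is given as a GUID, as in the {Tenant ID} pattern above.
ISSUER_RE = re.compile(r"^https://" + re.escape(ENTRA_HOST) + r"/[0-9a-fA-F-]{36}/v2\.0/?$")

def discovery_url(issuer: str) -> str:
    """Well-known OpenID discovery endpoint derived from the issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer_format(issuer: str) -> list:
    """Offline checks on the issuer string the firewall is configured with."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer must use https")
    if ENTRA_HOST not in issuer:
        problems.append(f"issuer host is not {ENTRA_HOST}")
    if not ISSUER_RE.match(issuer):
        problems.append(f"expected https://{ENTRA_HOST}/<tenant-id>/v2.0")
    return problems

def check_discovery_document(issuer: str, doc: dict) -> list:
    """The issuer in the fetched document must equal the configured one exactly."""
    problems = []
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    return problems

def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Online part: needs outbound HTTPS to login.microsoftonline.com, like the firewall."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample with the shape of a v2.0 discovery document; not a real tenant.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_ISSUER = f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/v2.0"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://{ENTRA_HOST}/{SAMPLE_TENANT}/discovery/v2.0/keys",
}
```

To test a real tenant, call `check_issuer_format(issuer)` and then `check_discovery_document(issuer, fetch_discovery(issuer))`; a connection error from `fetch_discovery` points at the same reachability problem the firewall's Test button would hit.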


  • OWB

    Hi @Zyxel_Melen

    The USG is going to take over for our VPN firewall. We only have one WAN IP, so since our production site runs 24/7 on the 5 workdays, I must use the weekends for testing.

    I will certainly try out what you suggest next weekend.

    Thank you.

    Best regards Ole.