On some occasions, building a VPN with an L2TP or IPsec client might be unsuitable. In those cases, you can still use SSL to establish a VPN tunnel.
This handbook describes how to set up an SSL VPN tunnel on our business firewall series with the help of the SecuExtender software. It walks through an example setup on a Windows device and provides direct links to more advanced topics such as 2FA, authentication with Active Directory, macOS, and troubleshooting.
The following video provides the steps needed to set up the firewall and the client station. Please check the article content below for more detailed information.
Table of Contents
1. Firewall setup guide
2. Guide for SecuExtender setup on Windows
3. macOS setup
4. SSL VPN with 2FA authentication
5. SSL VPN with AD authentication
6. SSL VPN - Virtual Lab
7. Troubleshooting
1. Firewall setup guide
a. Log in to the unit by entering its IP address and the credentials for an admin account (by default, username is “admin”, password is “1234”)
b. Navigate to
Configuration > VPN > SSL VPN
c. Click “Add” and enter a name for the tunnel, leave the zone as “SSL_VPN” and move the needed users to the “Selected User/Group Objects” list on the right side. Click “Create new Object” > “User/Group” to add a user if needed.
Scroll down to “Network Extension (Full Tunnel Mode)” and tick “Force all client traffic to enter SSL VPN tunnel” to have access to all of the firewall's networks while connected to the SSL VPN. Otherwise, select the specific subnets you need access to in the “Network List”.
Create a new address object of type “RANGE” and configure the range that will be assigned to the clients while connected to the SSL VPN. Select that range later as the “Assign IP Pool”.
Note: Make sure to define a range that does not conflict with any existing or known subnet on your USG!
Finally, assign a DNS server that the VPN clients will use when connected to the SSL VPN tunnel.
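Checking the client pool against the subnets the USG already knows about is easy to get wrong by eye, especially when the RANGE object does not line up with a CIDR boundary. The following script is an added example (not part of the original article or of Zyxel's software): it converts a RANGE object's first and last address into the CIDR blocks it spans and reports every existing subnet that overlaps it. The subnet list and candidate ranges are constructed sample data; replace them with your own LAN, DMZ and site-to-site networks.

```python
import ipaddress

# Constructed sample data (not from the article): subnets the USG already knows
# about, e.g. its LAN interfaces and a remote site reached over a site-to-site tunnel.
EXISTING_SUBNETS = [
    "192.168.1.0/24",  # LAN1
    "192.168.2.0/24",  # LAN2
    "10.10.0.0/16",    # remote site behind an IPsec tunnel
]


def range_to_networks(first: str, last: str) -> list:
    """Convert a RANGE address object (first..last address) into the CIDR blocks it spans."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    # Version check runs first so that mixed v4/v6 input fails cleanly instead of raising TypeError.
    if start.version != end.version or start > end:
        raise ValueError(f"invalid range {first}-{last}")
    return list(ipaddress.summarize_address_range(start, end))


def find_conflicts(first: str, last: str, existing=EXISTING_SUBNETS) -> list:
    """Return every existing subnet that overlaps the candidate pool; an empty list means the pool is safe."""
    pool = range_to_networks(first, last)
    conflicts = []
    for cidr in existing:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.overlaps(block) for block in pool):
            conflicts.append(str(net))
    return conflicts


if __name__ == "__main__":
    # Two constructed candidates: one inside LAN1 (conflict), one in an unused /24 (fine).
    for first, last in [("192.168.1.200", "192.168.1.250"), ("192.168.50.10", "192.168.50.60")]:
        hits = find_conflicts(first, last)
        verdict = "OK" if not hits else "CONFLICT with " + ", ".join(hits)
        print(f"{first}-{last}: {verdict}")
```

A range that straddles a subnet boundary (for example one that starts inside a /16 and ends just outside it) is still caught, because the range is summarised into several CIDR blocks and each block is tested.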
The VPN setup should look similar to:
d. SSL VPN uses port 443 by default for establishing a connection. There is also the option to change the SSL VPN Server Port manually under the “Global Setting” tab.
More detailed information on customized ports is available in this article:
How to use SSL VPN on a different port than the Web GUI
e. Make sure the SSL VPN port is added to your WAN-to-ZyWALL firewall rule.
If you use a custom port for SSL VPN, make sure to create a new service object under
Configuration > Object > Service
Click “Add” to create a new object and add it to the Default-WAN-to-ZyWALL group.
2. Guide for SecuExtender setup on Windows
If you have not installed the SecuExtender client software yet, click here. SecuExtender for Windows is free of charge.
a. Run the installer and start the SecuExtender .exe after installation.
b. SecuExtender appears as a small red icon in the bottom right corner of your taskbar; click the icon to open the login screen.
c. If SecuExtender reports that the connection is untrusted, click “YES”.
Now you should have established an SSL VPN connection successfully.
For more information about “Full Tunnel Mode” please visit:
What is full-tunnel mode SSL VPN?
d. Testing the result:
Open CMD and ping a device located in the remote network.
3. macOS setup
There is also a version of SecuExtender for macOS, whose setup is similar to the one shown in section 2 for Windows devices. To get the latest version for macOS, please check our article:
SecuExtender for macOS 12 / Monterey
Note: due to Apple policies, the use of SecuExtender for macOS requires a paid license.
+++ You can buy licenses for your Zyxel VPN clients (SSL VPN, IPsec) with immediate delivery by 1-click: Zyxel Webstore +++
4. SSL VPN with 2FA authentication
2FA with SecuExtender can be configured via SMS, email, or Google Authenticator.
For two-factor authentication via email, please check this article:
Two-Factor Authentication (per Mail) on Zywall/USG
4.1 Configure Google Authenticator with SSL VPN - step-by-step guide
Navigate to Configuration -> Object -> Auth. Method -> Two-Factor Authentication -> VPN Access:
Step 1: Enable the Two-Factor Authentication for VPN Access
Step 2: Tick the tickbox for the chosen VPN types (in this case: SSL VPN Access)
Step 3: Choose the users / user objects needed to have the 2FA on SSL VPN
Step 4: Tick "Google Authenticator" under "Deliver Authorize Link Method"
Step 5: Set the Authorize Link URL Address to your WAN IP (in this example, we are behind a double NAT and therefore use an internal IP as our WAN IP).
Step 6: Choose the Authorized Port that needs to be allowed from WAN to Zywall.
Step 7: Enable Google Authentication on the user by navigating to Configuration -> Object -> User/Group and double-click on the user that you want to enable 2FA on.
Step 8: Navigate to Two-Factor Authentication and enable Two-Factor Authentication for VPN Access.
Step 9: Click on "Set up Google Authenticator" in the middle of the screen
Step 10: Scan the QR code with your Google Authenticator App and enter your verification code
Step 11: Open SecuExtender on your client and enter the WAN IP address and port of the SSL VPN server, your username and password:
Step 12: Navigate to your WAN IP and authorization port (e.g. 192.168.1.108:8008)
Step 13: Enter your Google Authenticator code
5. SSL VPN with AD authentication
In advanced implementations, user authentication against Active Directory (AD) servers can be used for the SSL VPN login. Please check the following article, which describes the steps:
USG Series - Authenticate SSL VPN clients with Microsoft Active Directory
6. SSL VPN - Virtual Lab
Feel free to take a look at our Virtual Lab for SSL VPN setup on our firewall devices. With this virtual lab you can see the correct configuration of the SSL VPN:
Virtual Lab - End-to-Site VPN (SSL)
7. Troubleshooting
The following links provide information on how to troubleshoot common issues that we have identified while setting up the SSL VPN with SecuExtender.
- If you have problems setting up SSL VPN, please have a look at these articles:
- If you have set up SSL VPN but are encountering issues, take a look at these articles:
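Most connection failures reported for this setup fall into one of two groups: the SSL VPN port is not reachable at all (missing or wrong WAN-to-ZyWALL rule or service object from step 1e, wrong port, wrong WAN IP) or the port is reachable but nothing answers TLS on it (the server port was moved under Global Setting). The script below is an added example, not part of the original article or of SecuExtender: run from the client, it separates those two stages and maps the failing stage to the setting to check first. The default target 192.0.2.1 is a placeholder, and certificate verification is deliberately disabled because the USG's default certificate is self-signed, which is also why SecuExtender asks whether to trust the connection.

```python
import socket
import ssl
import sys


def check_ssl_vpn_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Probe the SSL VPN server port in two stages from the client side.

    Stage 1 is a plain TCP connect, stage 2 a TLS handshake on that connection.
    Certificate verification is disabled because the USG's default certificate is
    self-signed; the question here is only whether a TLS listener answers at all.
    """
    result = {
        "host": host, "port": port,
        "tcp_connect": False, "tls_handshake": False,
        "tls_version": None, "error": None,
    }
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp_connect"] = True
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_handshake"] = True
                result["tls_version"] = tls.version()
    except OSError as exc:  # covers refused/timeout and ssl.SSLError (an OSError subclass)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def diagnose(result: dict) -> str:
    """Map the stage that failed to the configuration item to check first."""
    if not result["tcp_connect"]:
        return ("no TCP connection: check that the SSL VPN port is allowed in the "
                "WAN-to-ZyWALL rule (service object for a custom port), that the port "
                "matches the Global Setting, and that the WAN IP is correct")
    if not result["tls_handshake"]:
        return ("port is open but no TLS handshake: another service answers on this port; "
                "check the SSL VPN Server Port under Global Setting")
    return f"SSL VPN port answers TLS ({result['tls_version']}); proceed to the SecuExtender login"


if __name__ == "__main__":
    # Usage: python ssl_vpn_check.py <WAN-IP> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder WAN IP
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    r = check_ssl_vpn_endpoint(target, target_port)
    print(r)
    print(diagnose(r))
```

If the TLS stage succeeds but the SecuExtender login still fails, the problem is no longer network reachability and the user object, its membership in the SSL VPN tunnel, and the HTTPS service setting under System > WWW are the next things to look at.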
Comments
2 comments
There is a lack of further information, because if you don't add additional rules to the ZyWALL, you will not receive return communication from the ZyWALL router and your IP in Windows will be of the "unrecognized" type (169.xxx.xxx.xxx) :(
Hi, I have done everything! BUT I cannot access the HTTPS login page.
I can see the tip "If you want to use SSL VPN, please make sure user can access HTTPS service.", but where is the solution?
In System -> WWW, HTTPS is enabled.... where could the problem be?
Something is missing in this tutorial, thanks