Firewall USG/USGFLEX/VPN/ATP - Certificate Page or HSTS Issue for Hotspot Solution

By default, the USG / ZyWALL / ATP Series presents a certificate that clients do not trust, so the Hotspot User (Guest) has to click through or skip the certificate warning before they may see the login page. This article describes the best-known configuration for avoiding that.

Solution

You need to purchase a certificate for an FQDN, e.g. "hotspot.hotelname.de" (usually a cheap domain-validated certificate is enough).

Import the certificate, including its private key, into the firewall under

Configuration -> Object -> Certificate, uploading it to "My Certificates"

mceclip0.png

  • Under System -> WWW, change the server certificate to the one you uploaded

mceclip1.png

You can decide whether to keep "Redirect HTTP to HTTPS" active or not; both settings can work in the end.

Add an A record in your DNS settings that resolves your FQDN to your preferred IP, normally the WAN IP.
Only use the WAN IP if it is a static IP and is not already used by a NAT rule for the HTTP / HTTPS ports; otherwise use a LAN IP, although the WAN IP is recommended.

mceclip2.png

Log in to the USG via SSH and enter the following commands (replace <FQDNNAME> with the FQDN on the certificate):
configure terminal
web-auth redirect-fqdn <FQDNNAME>
write
exit
  • Make sure the LAN subnet used by hotspot users has the ZyWALL as its first DNS server, so that the FQDN is resolved by the firewall

mceclip3.png

With this best-practice configuration, up to 80% of all clients / mobile phones can avoid the HTTPS or HSTS issue, but the solution still has some limitations.

Limitations and Tips & Tricks

Limitations apply if the client (Android phone, iPhone, Mac, Windows 10, ...) cannot use the hotspot (captive portal) detection feature, e.g. because of an older OS version or because it is blocked by software:

  • If the website does not use HSTS, the certificate warning still pops up, but the user can skip it
  • If the website uses HSTS (Google, Facebook, ...), the browser shows the certificate warning and blocks the page (there is no way to continue from there); in that case the customer must visit the IP 6.6.6.6 configured here to reach the login page

mceclip4.png

  • You can try disabling "Redirect HTTP to HTTPS" and see if that works better

mceclip5.png

  • A walled-garden list of known HSTS sites can exclude them from web authentication (no authentication is required to reach them), so that customers are authenticated when they visit a page without HSTS (hotspot license required)

mceclip6.png

For example:

  • *.google.com
  • *.facebook.com
  • The * acts as a wildcard
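To plan the walled-garden list, it helps to know which sites will hard-block the portal (HSTS) and which entries already cover them. The following is an added example, not part of the Zyxel article or firmware: it parses Strict-Transport-Security headers and applies the wildcard rule above; the exact matching semantics (a leading "*." matching any number of labels, but not the bare domain) are an assumption about how the firewall evaluates its list.

```python
"""Triage sites for a hotspot walled garden: HSTS sites hard-block the
portal, non-HSTS sites only show a skippable warning.
Added example; the '*.' wildcard semantics are assumed, not the firewall's."""
import http.client
import re
import ssl

HSTS_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_hsts(headers):
    """Return {'max_age', 'include_subdomains'} for a usable HSTS policy,
    else None. `headers` is a list of (name, value) pairs as returned by
    http.client. max-age=0 tells the browser to forget the policy, so it
    counts as 'no HSTS' here."""
    for name, value in headers:
        if name.lower() != "strict-transport-security":
            continue
        m = HSTS_RE.search(value)
        if not m or int(m.group(1)) == 0:
            return None
        return {"max_age": int(m.group(1)),
                "include_subdomains": "includesubdomains" in value.lower()}
    return None


def in_walled_garden(host, patterns):
    """True if `host` is exempt from web-auth under `patterns`.
    Assumed rule: '*.facebook.com' matches 'www.facebook.com' and
    'a.b.facebook.com', but not the bare 'facebook.com'."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*.") and host.endswith(pat[1:]):
            return True
        if host == pat:
            return True
    return False


def fetch_headers(host, timeout=5):
    """Live probe: HEAD https://host/ and return its response headers.
    Needs network access; the offline checks only use the parsers above."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("HEAD", "/", headers={"Host": host})
    return conn.getresponse().getheaders()


def classify(host, headers, patterns):
    """'exempt' if the walled garden covers the host, 'hard-block' if it
    enforces HSTS (warning cannot be skipped), else 'warning' (skippable)."""
    if in_walled_garden(host, patterns):
        return "exempt"
    return "hard-block" if parse_hsts(headers) else "warning"
```

Run `classify(host, fetch_headers(host), patterns)` against the sites your guests complain about to see which ones still need a walled-garden entry.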

Note: As soon as a new RFC standard is in place, we will monitor the situation and update our software versions to deliver the best solution available in the market; you can follow it here: http://www.rfc-editor.org/info/rfc7710

Here is an article that describes how to use Let's Encrypt certificates on a USG
