USG / USG FLEX / ATP / VPN - How to allow HTTPS Web GUI Access from WAN?

This article provides a concise overview of enabling HTTPS secure access to the Management Web GUI of your security device over the WAN. To proceed, connect to the Web GUI using the device's IP address and log in with the Administrator account and corresponding password.

Allowing Remote Access over the Default Objects:

Configuration > Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit

Select HTTPS, click the marked arrow, and then click "OK".


You can now access your security device through its WAN Interface.

E.g. https://5.234.65.17

Best Practice for Secure Access:

It is generally good advice to secure remote access over the WAN even further to prevent foul play by bad actors. We'll take a look at how to do that.

Changing the HTTPS Port:

Configuration > System > WWW > Service Control

Please change the HTTPS port to something else.

E.g. 8443

Afterwards, please click "Apply" at the bottom of the Page.


Creating a separate Object for the Remote Access

Configuration > Object > Service > Service > Add

Now, we need to create a new, separate object for the HTTPS service port.

  1. Name: "Your Service Name"
  2. IP Protocol: TCP
  3. Starting Port: "HTTPS Port from the previous Step"
  4. Click on "OK"


Creating a separate Rule for the Remote Access

Configuration > Security Policy > Policy Control > Policy > Add

Now, we need to create a new, separate rule:

  1. Name: "Your Rule Name" (Advice: use descriptive names)
  2. From: WAN
  3. To: ZyWALL
  4. Service: "Your HTTPS Object"
  5. Action: allow
  6. Click on "OK"


Limiting the Access

We can and should now limit access to the Web interface. One way to achieve this is to allow only certain trusted IP addresses.

Configuration > Object > Address/Geo IP > Address > Add

First, we need to create an object with a trusted IP.

If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS.

(Same procedure; choose FQDN instead of Host.)

  1. Name: "Name of the Object" (Advice: use descriptive names)
  2. Address Type: HOST
  3. IP Address: Trusted IP
  4. Click on "OK"


Configuration > Object > Address/Geo IP > Address Group > Add

Now we need to create a group for the object, so that multiple IPs/FQDNs can be added without creating a new security policy for each.

  1. Name: "Your Group Name" (Advice: use descriptive names)
  2. Address Type: Choose "Address" (if you use FQDN objects, choose "FQDN")
  3. Member List: Choose the Object(s) You created previously
  4. Click the "->" Arrow
  5. Click "OK"


Configuration > Security Policy > Policy Control > Policy > Choose Policy > Edit

Now, we need to add our group as the source of the security policy we created earlier.

  1. Source: Choose the IP Group/FQDN Group
  2. Click on "OK"
  3. Click on "Apply" at the Bottom of the Page.
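
To confirm the result of the steps above, the following check can be run once from a trusted address and once from any other network (an added example, not part of the original article). It assumes the example port 8443 from this page and the default port 443; 203.0.113.10 is a documentation placeholder for your own WAN IP.

```python
import socket
import sys

# Assumed ports: 8443 is this page's example custom HTTPS port, 443 the default.
# True = the port should accept a connection from this vantage point.
EXPECTED = {
    "trusted":   {8443: True,  443: False},
    "untrusted": {8443: False, 443: False},
}

def probe(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host or network unreachable
        return "filtered"

def verify(host, expected, timeout=3.0):
    """Return [(port, observed_state, should_be_open)] for every mismatch."""
    mismatches = []
    for port, should_be_open in sorted(expected.items()):
        state = probe(host, port, timeout)
        if (state == "open") != should_be_open:
            mismatches.append((port, state, should_be_open))
    return mismatches

if __name__ == "__main__":
    # Usage: python check_wan_gui.py <your-WAN-IP> trusted|untrusted
    # 203.0.113.10 is a documentation placeholder, not a real device.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    vantage = sys.argv[2] if len(sys.argv) > 2 else "untrusted"
    problems = verify(host, EXPECTED[vantage])
    for port, state, should_be_open in problems:
        want = "open" if should_be_open else "not open"
        print(f"MISMATCH tcp/{port}: observed {state}, expected {want}")
    if not problems:
        print(f"OK: {host} matches the '{vantage}' expectations")
    sys.exit(1 if problems else 0)
```

A mismatch from the untrusted side means the management GUI is still reachable from addresses outside the group, so the source field of the policy should be rechecked.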


Other Types

You can also block an entire country or region using our GeoIP feature:

How to use the Geo-IP feature

Remote Access for Support Purposes

In case one of our agents asks for remote access, you can limit the access to our official public IPs:

(HQ)
118.163.48.105
1.161.171.96
61.222.75.14
1.161.154.129
(Support Campus DE)
93.159.250.200
