SSL VPN
 
Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software.
Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.
SSL Access Policy
An SSL access policy allows the Zyxel Device to perform the following tasks:
Limit user access to specific applications or file sharing servers on the network.
Allow user access to specific networks.
Assign private IP addresses and provide DNS/WINS server information to remote users so they can access internal networks.
SSL Access Policy Objects
The SSL access policies reference the following objects. If you update an object's information in response to changes, the Zyxel Device automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed.
Objects
Object Type | Object screen | Description
User Accounts | User Account/User Group | Configure a user account or user group to which you want to apply this SSL access policy.
Application | SSL Application | Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access.
IP Pool | Address | Configure an address object that defines a range of private IP addresses to assign to user computers so they can access the internal network through a VPN connection.
Server Addresses | Address | Configure address objects for the IP addresses of the DNS and WINS servers that the Zyxel Device sends to the VPN connection users.
VPN Network | Address | Configure an address object to specify which network segment users are allowed to access through a VPN connection.
You cannot delete an object that is referenced by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
The SSL Access Privilege Screen
This screen lists the configured SSL access policies.
VPN > SSL VPN > Access Privilege
label
description
Access Policy Summary
This screen shows a summary of SSL VPN policies created.
Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.
#
This field displays the index number of the entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Name
This field displays the descriptive name of the SSL access policy for identification purposes.
User/Group
This field displays the user account or user group name(s) associated with an SSL access policy.
This field displays up to three names.
Access Policy Summary
This field displays details about the SSL application object this policy uses including its name, type, and address.
Apply
Click Apply to save the settings.
Reset
Click Reset to discard all changes.
The SSL Access Privilege Policy Add/Edit Screen
To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
VPN > SSL VPN > Access Privilege > Add/Edit  
label
description
Create new Object
Use to configure any new settings objects that you need to use in this screen.
Configuration
Enable Policy
Select this option to activate this SSL access policy.
Name
Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed.
Zone
Select the zone to which to add this SSL access policy. You use zones to apply security settings such as security policy and remote management.
Description
Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").
User/Group
The Selectable User/Group Objects list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet.
To associate a user or user group with this SSL access policy, select a user account or user group and click the right arrow button to add it to the Selected User/Group Objects list. You can select more than one name.
To remove a user or user group, select the name(s) in the Selected User/Group Objects list and click the left arrow button.
*Although you can select admin and limited-admin accounts in this screen, they are reserved for device configuration only. You cannot use them to access the SSL VPN portal.
SSL Application List (Optional)
The Selectable Application Objects list displays the name(s) of the SSL application(s) you can select for this SSL access policy.
To associate an SSL application with this SSL access policy, select a name and click the right arrow button to add it to the Selected Application Objects list. You can select more than one application.
To remove an SSL application, select the name(s) in the Selected Application Objects list and click the left arrow button.
*To allow access to shared files on a Windows 7 computer, within Windows 7 you must enable sharing on the folder and also go to the Network and Sharing Center’s Advanced sharing settings and turn on the current network profile’s file and printer sharing.
Network Extension (Optional)
Enable Network Extension
Select this option to create a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local network. This includes access to resources not supported by SSL application objects. For example, this lets users Telnet to the internal network even though the Zyxel Device does not have SSL application objects for Telnet.
Clear this option to disable this feature. Users can only access the applications as defined by the VPN tunnel’s selected SSL application settings and the remote user computers are not made to be a part of the local network.
Force all client traffic to SSL VPN tunnel
Select this to send all traffic from the SSL VPN clients through the SSL VPN tunnel. This replaces the default gateway of the SSL VPN clients with the SSL VPN gateway.
NetBIOS broadcast over SSL VPN Tunnel
Select this to search for a remote computer and access its applications as if it was in a Local Area Network. The user can find a computer not only by its IP address but also by computer name.
Assign IP Pool
Define a separate pool of IP addresses to assign to the SSL users. Select it here.
The SSL VPN IP pool should not overlap with IP addresses on the Zyxel Device's local networks (LAN and DMZ for example), the SSL user's network, or the networks you specify in the SSL VPN Network List.
DNS/WINS Server 1..2
Select the name of the DNS or WINS server whose information the Zyxel Device sends to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses.
Network List
To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list. You can select more than one network.
To block access to a network, select the network name in the Selected Address Objects list and click the left arrow button.
OK
Click OK to save the changes and return to the main Access Privilege screen.
Cancel
Click Cancel to discard all changes and return to the main Access Privilege screen.
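The Assign IP Pool rule above (the pool must not overlap the local networks, the SSL user's network, or the networks in the Network List) can be checked offline before a policy is applied. The following Python check is an added example, not Zyxel code; the object names and addresses are constructed, and the pool is assumed to be an inclusive start-end range.

```python
import ipaddress

# Constructed sample networks; labels are hypothetical object names.
SAMPLE_NETWORKS = {
    "LAN1": "192.168.1.0/24",
    "DMZ": "192.168.3.0/24",
    "SSL user's network": "192.168.0.0/24",
    "Network List: SERVERS": "10.10.20.0/24",
}

def range_to_blocks(start, end):
    """Return the CIDR blocks that exactly cover an inclusive start-end range."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"pool end {end} is below pool start {start}")
    return list(ipaddress.summarize_address_range(first, last))

def check_ip_pool(pool_start, pool_end, networks):
    """Return findings for an SSL VPN IP pool; an empty list means no conflict."""
    findings = []
    blocks = range_to_blocks(pool_start, pool_end)
    # The IP pool object is described as a range of private addresses.
    if not all(block.is_private for block in blocks):
        findings.append("pool contains non-private addresses")
    for label, cidr in networks.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if any(block.overlaps(net) for block in blocks):
            findings.append(f"pool overlaps {label} ({net})")
    return findings

if __name__ == "__main__":
    for start, end in [("192.168.1.200", "192.168.1.220"),
                       ("192.168.200.33", "192.168.200.62")]:
        result = check_ip_pool(start, end, SAMPLE_NETWORKS)
        print(f"{start}-{end}:", result or "no overlap")
```

A pool carved out of the LAN subnet is reported as a conflict, while a pool in an otherwise unused private range returns no findings.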
The SSL Global Setting Screen
Use this screen to set the IP address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen.
VPN > SSL VPN > Global Setting 
label
description
Global Setting
Network Extension Local IP
Specify the IP address of the Zyxel Device (or a gateway device) for full tunnel mode SSL VPN access.
Leave this field at its default setting unless it conflicts with another interface.
SSL VPN Login Domain Name
SSL VPN Login Domain Name 1/2
Specify a full domain name for users to use for SSL VPN login. The domain name must be registered to one of the Zyxel Device’s IP addresses or be one of the Zyxel Device’s DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. For example, www.zyxel.com is a fully qualified domain name where “www” is the host.
The Zyxel Device displays the normal login screen without the button for logging into the Web Configurator.
Message
Login Message
Specify a message to display on the screen when a user logs in and an SSL VPN connection is established successfully. You can enter up to 60 characters (0-9, a-z, A-Z, '()+,/:=?;!*#@$_%-") with spaces allowed.
Logout Message
Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully. You can enter up to 60 characters (0-9, a-z, A-Z, '()+,/:=?;!*#@$_%-") with spaces allowed.
Update Client Virtual Desktop Logo
You can upload a graphic logo to be displayed on the web browser on the remote user computer. The Zyxel company logo is the default logo.
Specify the location and file name of the logo graphic or click Browse to locate it.
*The logo graphic must be GIF, JPG, or PNG format. The graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed. The Zyxel Device automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended.
Browse
Click Browse to locate the graphic file on your computer.
Upload
Click Upload to transfer the specified graphic file from your computer to the Zyxel Device.
Reset Logo to Default
Click Reset Logo to Default to display the Zyxel company logo on the remote user’s web browser.
Apply
Click Apply to save the changes and/or start the logo file upload process.
Reset
Click Reset to return the screen to its last-saved settings.
How to Upload a Custom Logo
Follow the steps below to upload a custom logo to display on the remote user SSL VPN screens.
1 Click VPN > SSL VPN and click the Global Setting tab to display the configuration screen.
2 Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format.
3 Click Apply to start the file transfer process.
4 Log in as a user to verify that the new logo displays properly.
Zyxel Device SecuExtender
The Zyxel Device automatically loads the Zyxel Device SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The Zyxel Device SecuExtender lets you:
Access servers, remote desktops and manage files as if you were on the local network.
Use applications like e-mail, file transfer, and remote desktop programs directly without using a browser. For example, you can use Outlook for e-mail instead of the Zyxel Device’s web-based e-mail.
Use applications, even proprietary applications, for which the Zyxel Device does not offer SSL application objects.
The applications must be installed on your computer. For example, to use the VNC remote desktop program, you must have the VNC client installed on your computer.
 
label
description
Latest Version
This displays the latest version of the Zyxel Device Security SecuExtender that is available.
Current Version
This displays the current version of SecuExtender that is installed in the Zyxel Device.
Note:
You need to register first at portal.myZyxel.com to download the latest version of SecuExtender.
Update Now
The Zyxel Device periodically checks if there’s a later version of SecuExtender at the portal. The Update Now button is enabled when there is. Click Update Now to get the latest version of SecuExtender.