SSL VPN
Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software.
Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.
SSL Access Policy
An SSL access policy allows the Zyxel Device to perform the following tasks:
• limit user access to specific applications or file sharing server on the network.
• allow user access to specific networks.
• assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks.
SSL Access Policy Objects
The SSL access policies reference the following objects. If you update this information, in response to changes, the Zyxel Device automatically propagates the changes through the SSL policies that use the object(s). When you delete an SSL policy, the objects are not removed.
Object Type | Object screen | Description |
|---|---|---|
User Accounts | User Account/ User Group | Configure a user account or user group to which you want to apply this SSL access policy. |
Application | SSL Application | Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. |
IP Pool | Address | Configure an address object that defines a range of private IP addresses to assign to user computers so they can access the internal network through a VPN connection. |
Server Addresses | Address | Configure address objects for the IP addresses of the DNS and WINS servers that the Zyxel Device sends to the VPN connection users. |
VPN Network | Address | Configure an address object to specify which network segment users are allowed to access through a VPN connection. |
You cannot delete an object that is referenced by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
The SSL Access Privilege Screen
This screen lists the configured SSL access policies.
label | description |
|---|---|
Access Policy Summary | This screen shows a summary of SSL VPN policies created. Click on the VPN icon to go to the Zyxel VPN Client product page at the Zyxel website. |
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface. |
References | Select an entry and click References to open a screen that shows which settings use the entry.Click Refresh to update information on this screen. |
# | This field displays the index number of the entry. |
Status | This icon is lit when the entry is active and dimmed when the entry is inactive. |
Name | This field displays the descriptive name of the SSL access policy for identification purposes. |
User/Group | This field displays the user account or user group name(s) associated to an SSL access policy. This field displays up to three names. |
Access Policy Summary | This field displays details about the SSL application object this policy uses including its name, type, and address. |
Apply | Click Apply to save the settings. |
Reset | Click Reset to discard all changes. |
The SSL Access Privilege Policy Add/Edit Screen
To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
label | description |
|---|---|
Create new Object | Use to configure any new settings objects that you need to use in this screen. |
Configuration | |
Enable Policy | Select this option to activate this SSL access policy. |
Name | Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, A-Z”, “0-9”) with no spaces allowed. |
Zone | Select the zone to which to add this SSL access policy. You use zones to apply security settings such as security policy and remote management. |
Description | Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_"). |
User/Group | The Selectable User/Group Objects list displays the name(s) of the user account and/or user group(s) to which you have not applied an SSL access policy yet. To associate a user or user group to this SSL access policy, select a user account or user group and click the right arrow button to add to the Selected User/Group Objects list. You can select more than one name. To remove a user or user group, select the name(s) in the Selected User/Group Objects list and click the left arrow button.  Although you can select admin and limited-admin accounts in this screen, they are reserved for device configuration only. You cannot use them to access the SSL VPN portal. |
Network Extension (Optional) | |
Enable Network Extension | Select this option to create a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local network. This includes access to resources not supported by SSL application objects. For example this lets users Telnet to the internal network even though the Zyxel Device does not have SSL application objects for Telnet. Clear this option to disable this feature. Users can only access the applications as defined by the VPN tunnel’s selected SSL application settings and the remote user computers are not made to be a part of the local network. |
Force all client traffic to SSL VPN tunnel | Select this to send all traffic from the SSL VPN clients through the SSL VPN tunnel. This replaces the default gateway of the SSL VPN clients with the SSL VPN gateway. |
NetBIOS broadcast over SSL VPN Tunnel | Select this to search for a remote computer and access its applications as if it was in a Local Area Network. The user can find a computer not only by its IP address but also by computer name. |
Assign IP Pool | Define a separate pool of IP addresses to assign to the SSL users. Select it here. The SSL VPN IP pool should not overlap with IP addresses on the Zyxel Device's local networks (LAN and DMZ for example), the SSL user's network, or the networks you specify in the SSL VPN Network List. |
DNS/WINS Server 1..2 | Select the name of the DNS or WINS server whose information the Zyxel Device sends to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses. |
Network List | To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list. You can select more than one network. To block access to a network, select the network name in the Selected Address Objects list and click the left arrow button. |
OK | Click OK to save the changes and return to the main Access Privilege screen. |
Cancel | Click Cancel to discard all changes and return to the main Access Privilege screen. |
The SSL Global Setting Screen
Use this screen to set the IP address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access.
label | description |
|---|---|
Global Setting | |
Network Extension Local IP | Specify the IP address of the Zyxel Device (or a gateway device) for full tunnel mode SSL VPN access. Leave this field to the default settings unless it conflicts with another interface. |
Apply | Click Apply to save the changes and/or start the logo file upload process. |
Reset | Click Reset to return the screen to its last-saved settings. |