SSL VPN
Overview
Use SSL VPN to let remote users log in securely through a web browser or the SSL VPN client. Remote users do not need a VPN router, and for browser access they do not need VPN client software.
What You Can Do in this Chapter
Use the VPN > SSL VPN screen (see The SSL VPN Screen) to configure an SSL access policy.
Full Tunnel Mode
In full tunnel mode, remote users are assigned private IP addresses from the SSL VPN IP pool and all of their traffic, including Internet-bound traffic, is sent through the encrypted tunnel to the Zyxel Device. This lets them access network resources in the same way as if they were part of the internal network.
Split Tunnel Mode
In split tunnel mode, only traffic going to the networks behind the Zyxel Device is encrypted and sent through the tunnel. Traffic going to the Internet from the remote client does not go through the Zyxel Device and is not encrypted.
SSL VPN Policy
An SSL VPN policy allows the Zyxel Device to perform the following tasks:
limit user access to specific applications or file sharing servers on the network.
allow user access to specific networks.
assign private IP addresses to remote users, and give them DNS/WINS server information, so that they can reach the internal networks.
SSL Access Policy Objects
SSL access policies reference the following objects. If you change an object, the Zyxel Device automatically propagates the change to every SSL access policy that uses it. When you delete an SSL access policy, the objects it referenced are not removed.
Objects referenced by SSL access policies
Object Type (Object screen): Description
User Accounts (User Account / User Group):
Configure a user account or user group to which you want to apply this SSL access policy.
Application (SSL Application):
Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site that SSL users are allowed to access.
IP Pool (Address):
Configure an address object that defines a range of private IP addresses to assign to user computers so they can access the internal network through the VPN connection.
Server Addresses (Address):
Configure address objects for the IP addresses of the DNS and WINS servers that the Zyxel Device sends to VPN connection users.
VPN Network (Address):
Configure an address object to specify which network segment users are allowed to access through the VPN connection.
Please note that you cannot delete an object that is referenced by other settings.
The SSL VPN Screen
Configure the settings in this screen to create a new or edit an existing SSL access policy.
SecuExtender is a Zyxel subscription-based VPN client. A remote user must have the SecuExtender VPN client installed on a device running a supported operating system. The supported operating systems are:
Windows 10 (64-bit) and later versions.
macOS 10.15 and later versions.
Make sure the settings configured on the SSL VPN client match the settings you configured on the Zyxel Device.
The following table describes the labels in this screen.
VPN > SSL VPN screen labels
Label: Description
Enable
Click the switch to enable the SSL access policy.
Download
Click to download a VPN configuration script to send to remote users running the SecuExtender VPN client or the OpenVPN Connect VPN client. SecuExtender requires Windows 10 (64-bit) or later, or macOS 10.15 or later.
Incoming Interface
Interface
Select an interface from the drop-down list box for incoming traffic to your Zyxel Device.
DNS Name
Enter the domain name (for example, vpn.zyxel.com) if the incoming interface has a dynamic IP address and you use DDNS to map a domain name to it. Clients then connect by name instead of by IP address.
Server Port
Specify the port on which the Zyxel Device accepts full tunnel mode SSL VPN connections. Leave the default unless it conflicts with another service listening on the Zyxel Device.
Local Network
Full Tunnel
Select Full Tunnel to send all traffic from the remote client, including Internet-bound traffic, through the encrypted VPN tunnel to the Zyxel Device.
Select Allow Client VPN Traffic Through WAN to let the Zyxel Device forward the remote client's Internet-bound traffic, which arrives through the encrypted tunnel, out through its WAN interface. Only traffic that came in through the tunnel is forwarded this way.
Split Tunnel
Select Split Tunnel to encrypt only traffic going to the networks behind the Zyxel Device.
Enter the local network in IPv4 CIDR notation, for example, type 192.168.1.1/24. Traffic from the remote client to this network is encrypted and goes through the Zyxel Device. Traffic from the remote client to the Internet does not go through the Zyxel Device and is not encrypted.
Client Network
IP Address Pool
Enter the pool in IPv4 CIDR notation, for example, type 192.168.1.1/24. The Zyxel Device assigns IP addresses from this pool to the VPN clients.
The SSL VPN IP pool must not overlap with the Zyxel Device's local networks or with the SSL user's own network. An overlap makes the client's routing ambiguous, so either the tunnel or the user's local LAN becomes unreachable.
First DNS Server
Specify the DNS server whose address the Zyxel Device sends to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses.
ZyWALL: the VPN clients use the IP address of the interface you specified in the SSL VPN rule as their DNS server, and the Zyxel Device works as a DNS relay.
Custom Defined: enter a static IPv4 address.
Second DNS Server
Enter a secondary DNS server IP address that clients use if the first one is unavailable.
Authentication
You must first create a server in User & Authentication > AAA Server for it to display in the following fields.
If you have one authentication server, it can be on the Zyxel Device (local) or an external AAA server.
If you have two authentication servers, one of them must be on the Zyxel Device (local). You cannot use two external AAA servers.
Primary/Secondary Server
Select local or a specified AAA server from the drop-down list box for the Zyxel Device to use for authentication.
User
Select a user or user group to associate with this SSL access policy.
Advanced Settings
Generate Certificate
Click the button to have the Zyxel Device generate a certificate from the current SSL VPN settings. This is the certificate the Zyxel Device presents to identify itself when setting up the SSL VPN tunnel.
If you change the SSL VPN settings, the Generate Certificate button displays. Click Generate Certificate to generate a new certificate from the new SSL VPN settings. Please note that VPN clients cannot connect to the SSL VPN tunnel while the Zyxel Device is generating the certificate.
If you change the SSL VPN settings and generate a new certificate from them, all connected SSL VPN clients must update their SSL VPN settings (for example, by downloading the configuration script again) so that they match the Zyxel Device's new SSL VPN settings.
Apply
Click Apply to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
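The consistency rules scattered through this chapter (full versus split tunnel routing, the IP pool not overlapping the local networks or the user's own LAN, at most one external AAA server) are easy to get wrong in the GUI. The following Python script is an added example, not Zyxel code, that models an SSL access policy and checks those rules before you click Apply. The class and function names (SslVpnPolicy, validate_policy, path_for) are assumptions made for this example, and the sample policies are constructed, not taken from a real device.

```python
"""Consistency checks for a Zyxel-style SSL access policy (added example,
not Zyxel's own code; names and sample data are assumptions)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SslVpnPolicy:
    full_tunnel: bool                   # True = Full Tunnel, False = Split Tunnel
    local_networks: List[str]           # networks behind the Zyxel Device, CIDR
    ip_pool: str                        # IP Address Pool handed to clients, CIDR
    primary_auth: str = "local"         # "local" or the name of an external AAA server
    secondary_auth: Optional[str] = None
    allow_client_traffic_through_wan: bool = False
    server_port: int = 443


def parse_network(cidr: str) -> IPv4Network:
    """Accept the GUI-style '192.168.1.1/24' and normalise it to the network
    192.168.1.0/24; strict=False discards the host bits instead of raising."""
    return ip_network(cidr, strict=False)


def validate_policy(policy: SslVpnPolicy, client_lan: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the policy is consistent.
    client_lan is the remote user's own LAN, if known (e.g. a home 192.168.1.0/24)."""
    problems: List[str] = []
    pool = parse_network(policy.ip_pool)
    local_nets = [parse_network(n) for n in policy.local_networks]

    # The IP pool must not overlap the Zyxel Device's local networks ...
    for net in local_nets:
        if pool.overlaps(net):
            problems.append(f"IP pool {pool} overlaps local network {net}")
    # ... nor the SSL user's own network, or the client's routing becomes ambiguous.
    if client_lan is not None and pool.overlaps(parse_network(client_lan)):
        problems.append(f"IP pool {pool} overlaps the SSL user's network {client_lan}")

    # Split tunnel mode needs at least one local network to send into the tunnel.
    if not policy.full_tunnel and not local_nets:
        problems.append("split tunnel mode configured without any local network")

    # With two authentication servers, one of them must be the local database.
    if policy.secondary_auth is not None and "local" not in (policy.primary_auth, policy.secondary_auth):
        problems.append("two external AAA servers configured; one must be local")

    # Full tunnel without forwarding through the WAN: clients lose Internet access.
    if policy.full_tunnel and not policy.allow_client_traffic_through_wan:
        problems.append("note: full tunnel without Allow Client VPN Traffic Through WAN "
                        "means remote clients have no Internet access while connected")

    if not 1 <= policy.server_port <= 65535:
        problems.append(f"server port {policy.server_port} out of range")
    return problems


def path_for(policy: SslVpnPolicy, destination: str) -> str:
    """Where does a remote client's packet to `destination` go?
    'tunnel' = encrypted through the Zyxel Device, 'direct' = bypasses the VPN,
    'none'   = enters the tunnel but is not forwarded to the Internet."""
    dst = ip_address(destination)
    if any(dst in parse_network(n) for n in policy.local_networks):
        return "tunnel"                 # both modes encrypt traffic to local networks
    if not policy.full_tunnel:
        return "direct"                 # split tunnel: Internet traffic stays local
    return "tunnel" if policy.allow_client_traffic_through_wan else "none"


if __name__ == "__main__":
    # Constructed sample: the GUI's example value reused for both the local
    # network and the pool, which the overlap check must reject.
    bad = SslVpnPolicy(full_tunnel=False, local_networks=["192.168.1.0/24"],
                       ip_pool="192.168.1.1/24")
    for problem in validate_policy(bad, client_lan="192.168.1.0/24"):
        print("bad policy:", problem)

    good = SslVpnPolicy(full_tunnel=False, local_networks=["192.168.1.0/24", "10.10.0.0/16"],
                        ip_pool="172.16.100.0/24")
    print("good policy problems:", validate_policy(good, client_lan="192.168.0.0/24"))
    for dst in ("10.10.5.7", "8.8.8.8"):
        print(dst, "->", path_for(good, dst))
```

Run it before applying a policy; the constructed "bad" sample shows that the page's example value 192.168.1.1/24 cannot be used for both the Split Tunnel local network and the IP Address Pool, and the routing helper makes the full versus split tunnel difference explicit for any destination you care about.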