How to establish SSL VPN tunnel from Windows PC

Zyxel_Charlie Posts: 1,034  Zyxel Employee
edited June 2022 in VPN

Step 1 – User Account Setup

Log in to the Zyxel router and go to Configuration → Object → User/Group.  Click the Add button to create user accounts for SSL VPN access.  SSL VPN users CANNOT have the administrator account "User Type".

Step 2 – User Group Setup

If you have created multiple user accounts, you may want to group them together to keep the settings as simple as possible.  You may skip this step if you only have about three user accounts.  To create a user group, click the "User Group" tab in the Configuration → Object → User/Group menu.  Add all the users who will have SSL VPN privileges to the group.


Step 3 – SSL VPN Address Pool

Create an address object for the pool of IP addresses which will be assigned to connected SSL VPN users.  Go to Configuration → Object → Address and click the Add button to insert the SSL VPN IP address pool.  By default, the 192.168.200.x IP scheme is reserved for SSL VPN connections.


Step 4 – SSL VPN Policy

Now that the VPN users and IP pool have been created, we can create the SSL VPN policy.  Go to Configuration → VPN → SSL VPN and click the Add button to insert an SSL VPN policy that allows the specified users access to the network.

·         Make sure the "Enable Policy" checkbox is checked

·         Provide a name for the SSL VPN policy

·         The rule must be part of the SSL_VPN zone

·         From the "Selectable User/Group Objects" find the user account or user group and move it over to the "Selected User/Group Objects"

·         Scroll down to the "Network Extension" option and check the box to "Enable Network Extension (Full Tunnel Mode)"

·         Check the box to "Force all client traffic to enter SSL VPN tunnel"

·         For the "Assign IP Pool" dropdown select the object you have created for the SSL VPN IP Pool

·         Provide DNS server entries.  Select "User Defined" to manually enter the DNS server the SSL VPN users will use for their DNS queries, or select "ZyWALL" to have the SSL VPN users point all DNS queries to the Zyxel router

·         Click the OK button to apply the settings


Installing SecuExtender

Please download the latest SecuExtender client version for Windows OS or macOS and install it on a compatible platform.

Windows SecuExtender Client

Launch the SecuExtender client to establish an SSL VPN connection to a compatible Zyxel appliance.  Provide the following info to initiate the connection.

·         SERVER – Provide the domain name, DDNS hostname or public IP address of the Zyxel appliance you wish to establish a connection with.  (If the management port has been changed from TCP:443, specify the new SSL port by adding a colon ":" and the port number.  Ex: <Public_IP>:8443)

·         USERNAME – Provide an allowed user account

·         PASSWORD – Provide the password for the allowed user account

·         Remember username – Check the box to store the connection server and credentials in client memory

·         Disconnect – Press the Disconnect button to end the SSL VPN session

·         Connect – Press the Connect button to initiate an SSL VPN session


A certificate pop-up appears when establishing a connection.  Verify that the certificate being used to encrypt the SSL VPN connection is correct and click YES to trust the connection.


The client's Status tab shows information about the connection, such as the amount of time connected, the IP address provided by the Zyxel appliance to the client, and traffic statistics.

Right-click on any of the SecuExtender tab windows for options to disconnect, suspend, resume and quit the client.

·         Disconnect – Ends the SSL VPN session

·         Suspend – Stops routing traffic through the SSL VPN, session is still active

·         Resume – Resume sending traffic through SSL VPN from suspend mode

·         Quit SecuExtender – Disconnects the SSL VPN session and stops all client components
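
For the certificate pop-up step above, one way to check that the certificate is the expected one before clicking YES is to compare its SHA-256 fingerprint with a value recorded from the appliance out of band. This is an added example, not part of the original post or of Zyxel's tooling; the function names and the script name `check_cert.py` are hypothetical, and it assumes the SERVER value is a hostname or IPv4 address in the "host" or "host:port" form described above.

```python
import hashlib
import hmac
import socket
import ssl
import sys

def parse_server(server, default_port=443):
    """Split a SERVER field value, "host" or "host:port", into (host, port)."""
    host, sep, port = server.strip().rpartition(":")
    if not sep:                       # no port given: default TCP 443
        return server.strip(), default_port
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad SERVER value: {server!r}")
    return host, int(port)

def sha256_fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()

def fingerprint_matches(der_bytes, expected_fp):
    """Compare against a fingerprint written with or without colons/spaces."""
    expected = expected_fp.replace(":", "").replace(" ", "").lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hmac.compare_digest(sha256_fingerprint(der_bytes), expected)

def fetch_server_cert(server, timeout=5.0):
    """Fetch the DER certificate the appliance presents, without trusting it."""
    host, port = parse_server(server)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # trust comes from the fingerprint check,
    ctx.verify_mode = ssl.CERT_NONE   # not from the CA store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # usage: python check_cert.py <SERVER> <expected-sha256-fingerprint>
    der = fetch_server_cert(sys.argv[1])
    print("presented SHA-256:", sha256_fingerprint(der))
    ok = fingerprint_matches(der, sys.argv[2])
    print("MATCH" if ok else "MISMATCH: do not click YES")
    sys.exit(0 if ok else 1)
```

A mismatch means the certificate reaching the client is not the one recorded from the appliance, so the connection should not be trusted until the difference is explained.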