Windows Server 2025 introduces stronger security policies, including enforced use of secure channels for LDAP queries. This affects the standard integration of Zyxel Firewalls with Active Directory—especially when using user authentication for services like IKEv2 VPN or Policy Control.
Supported products:
- Zyxel Firewalls (ZLD 5.40 and above, uOS 1.32 and above)
- Windows Server 2025 (Forest level 2025)
Zyxel Firewall can be properly integrated with Windows Server 2025 via a secure LDAPS channel (port 636), which complies with Microsoft’s security requirements and ensures stable authentication. Starting with this version of Windows Server, all LDAP requests must be performed over LDAPS. The following guide explains how to securely connect Zyxel Firewalls to Active Directory using SSL certificates.
This article focuses on the configuration of LDAPS integration between Zyxel Firewall and Windows Server 2025 Active Directory.
For details on authentication compatibility issues, please refer to the related article linked at the bottom.
For information about authentication protocol compatibility issues with Windows Server 2025 (such as MS-CHAPv2 and NTLM challenges) when using Zyxel Firewalls, please see:
👉 Zyxel Firewall – Authentication Compatibility with Windows Server 2025
Install the Active Directory Certificate Services
- Open Server Manager → Add roles and features.
- Install the Active Directory Certificate Services role.
- For detailed instructions on installing and configuring the Certification Authority on Windows Server 2022/2025, please refer to the official Microsoft documentation. Microsoft Guide
- Proceed with default options and complete the setup.
- Reboot the server after installation.
Configure the Certification Authority
Select the role services to configure:
✅ Certification Authority
- Choose Enterprise CA.
- Select Root CA.
- Create a new private key (default option).
- Accept the default cryptographic settings (RSA 2048 or higher).
- Specify a common name (e.g., Zyxel-InternalCA).
- Accept the default validity period or customise as needed.
- Confirm and complete the configuration.
- Restart the server.
Verify SSL Certificate Issuance
- Open Certification Authority from the Start menu.
- Expand the tree and go to Issued Certificates.
- Ensure a certificate for the domain controller has been automatically issued.
Optional: To verify via PowerShell:
Get-ChildItem -Path Cert:\LocalMachine\My
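As an added check (this script is not part of the Zyxel article), the following PowerShell goes further than listing the store: it picks out the certificate Schannel will actually present for LDAPS, exports the issuing root CA for the firewall's Trusted CA import, and performs a bind on port 636 so the server side is confirmed before the firewall's Test Authentication is run. The FQDN lookup, the export path and the credential prompt are assumptions; adjust them for your environment.

```powershell
# Added example, not from the Zyxel article. Run in an elevated PowerShell on the
# domain controller. It (1) checks that a certificate usable for LDAPS exists in the
# machine store, (2) exports the issuing root CA for the firewall's Trusted CA list,
# and (3) performs a real LDAPS bind on port 636.
# $DcFqdn and $ExportDir are assumptions; change them for your environment.
$DcFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ExportDir = 'C:\Temp'

# (1) Schannel serves LDAPS with a LocalMachine\My certificate that has a private key,
#     the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and the DC FQDN in its SAN.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ldapsCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.DnsNameList.Unicode -contains $DcFqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $ldapsCert) {
    Write-Warning "No valid Server Authentication certificate for $DcFqdn in LocalMachine\My"
    return
}
$ldapsCert | Format-List Subject, Issuer, NotAfter, Thumbprint

# (2) Export the root CA that issued it (DER .cer) for Object > Certificate > Trusted CA.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $ldapsCert.Issuer } | Select-Object -First 1
if ($rootCa) {
    Export-Certificate -Cert $rootCa -FilePath (Join-Path $ExportDir 'root-ca.cer') | Out-Null
    Write-Host "Root CA exported to $ExportDir\root-ca.cer"
}

# (3) Bind over LDAPS the way the firewall will: TLS on 636, simple bind with the
#     bind account's credentials. If this fails, the firewall's test will fail too.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = (Get-Credential -Message 'Bind account (DOMAIN\user)').GetNetworkCredential()
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 636, $true, $false)
$auth = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, $auth)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
try {
    $conn.Bind()
    Write-Host "LDAPS bind to ${DcFqdn}:636 succeeded"
} catch {
    Write-Warning "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

A bind failure with a certificate-chain message usually means the DC is presenting a certificate the client does not trust, which is the same problem the firewall will report if the root CA is not imported.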
Configure Zyxel Firewall to Use LDAPS (Port 636)
Access the Zyxel Firewall web interface. Navigate to Object > AAA Server or Authentication > LDAP. Create a new LDAP entry:
Import the root CA certificate into the firewall’s trusted certificates list (Object > Certificate > Trusted CA).
Test the Authentication
- Use the Test Authentication tool in the firewall’s GUI.
- Confirm successful communication over LDAPS (636).
Optional: IKEv2 VPN Integration
If you're using IKEv2 VPN:
- Go to VPN > IKEv2 Gateway/Auth Settings.
- Select the new LDAP/SSL authentication object as the user source.
- Test authentication from a VPN client.