This article provides a concise overview of enabling HTTPS secure access to the Management Web GUI of your security device over the WAN. To proceed, connect to the Web GUI using the device's IP address and log in with the Administrator account and corresponding password.
Allowing Remote Access over the Default Objects:
Configuration > Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL > Edit
Please choose HTTPS, click the marked arrow, and then click "OK".
You can now access your security device through its WAN interface.
E.g. https://5.234.65.17
Best Practice for Secure Access:
It is generally good advice to secure remote access over the WAN even further to prevent foul play by bad actors. We'll take a look at how to do that.
Changing the HTTPS Port:
Configuration > System > WWW > Service Control
Please change the HTTPS port to something else.
E.g. 8443
Afterwards, please click "Apply" at the bottom of the page.
Creating a separate Object for the Remote Access
Configuration > Object > Service > Service > Add
Now, we need to create a new, separate object for the HTTPS service port.
- Name: "Your Service Name"
- IP Protocol: TCP
- Starting Port: "HTTPS port from the previous step"
- Click on "OK"
Creating a separate Rule for the Remote Access
Configuration > Security Policy > Policy Control > Policy > Add
Now, we need to create a new, separate rule:
- Name: "Your Rule Name" (Tip: use descriptive names)
- From: WAN
- To: ZyWALL
- Service: "Your HTTPS Object"
- Action: allow
- Click on "OK"
Limiting the Access
We can and should now limit access to the Web interface. One way to achieve this is to allow only certain trusted IP addresses.
Configuration > Object > Address/Geo IP > Address > Add
First, we need to create an object with a trusted IP.
If your trusted peer does not have a static public IP, you can use FQDN objects with DDNS.
(Same procedure; choose FQDN instead of HOST.)
- Name: "Name of the Object" (Tip: use descriptive names)
- Address Type: HOST
- IP Address: Trusted IP
- Click on "OK"
Configuration > Object > Address/Geo IP > Address Group > Add
Now we need to create a group for the object, so that multiple IPs/FQDNs can be added without creating a new security policy for each.
- Name: "Your Group Name" (Tip: use descriptive names)
- Address Type: Choose "Address" (if you use FQDN, choose "FQDN")
- Member List: Choose the object(s) you created previously
- Click the "->" Arrow
- Click "OK"
Configuration > Security Policy > Policy Control > Policy > Choose Policy > Edit
Now, we need to add our group as the source for the security policy we created earlier.
- Source: Choose the IP Group/FQDN Group
- Click on "OK"
- Click on "Apply" at the bottom of the page.
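To confirm the restriction took effect, the check below (an added example, not part of the original article or of the vendor's tooling) probes the old and new HTTPS ports and compares the result with what a trusted or an untrusted source should see. It assumes the example port 8443 from above, that nothing else is published on TCP 443, and a device address passed on the command line.

```python
import socket
import sys

# Assumed values: 8443 is the article's example port, 443 the previous HTTPS port.
OLD_PORT, NEW_PORT = 443, 8443

# Expected reachability per vantage point once the source-restricted rule is active.
EXPECTED = {
    "trusted":   {OLD_PORT: False, NEW_PORT: True},
    "untrusted": {OLD_PORT: False, NEW_PORT: False},
}

def port_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def audit(host, vantage, expected=EXPECTED, probe=port_open):
    """Compare observed reachability with the expectation for this vantage point.

    Returns a list of (port, expected_open, observed_open) mismatches;
    an empty list means the policy behaves as intended from here.
    """
    findings = []
    for port, want_open in sorted(expected[vantage].items()):
        got_open = probe(host, port)
        if got_open != want_open:
            findings.append((port, want_open, got_open))
    return findings

def describe(is_open):
    return "open" if is_open else "closed/filtered"

if __name__ == "__main__":
    # Usage: python check_gui.py <device WAN address> <trusted|untrusted>
    host, vantage = sys.argv[1], sys.argv[2]
    problems = audit(host, vantage)
    for port, want, got in problems:
        print(f"{host}:{port} expected {describe(want)}, observed {describe(got)}")
    sys.exit(1 if problems else 0)
```

Run it once from an address in the trusted group and once from any other network, passing `trusted` or `untrusted` as the second argument.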
Other Types
You can also block a complete country or region using our GeoIP feature:
Remote Access for Support Purposes
If one of our agents asks for remote access, you can limit the access to our official public IPs:
(HQ)
118.163.48.105
1.161.171.96
61.222.75.14
1.161.154.129
(Support Campus DE)
93.159.250.200