ZyXEL Communications ZyWALL SSL 10 Manual
ZyWALL SSL10 Support Notes
1
All contents copyright (c) 2006 ZyXEL Communications Corporation.
ZyWALL SSL 10
Integrated SSL-VPN Appliance
Support Notes
Revision 2.01
April. 2007
ZyWALL SSL10 Support Notes
2
All contents copyright (c) 2006 ZyXEL Communications Corporation.
INDEX
1. Deployment............................................................................................................................4
1.1 DMZ Zone....................................................................................................................4
1.1.1 Deploy ZYWALL SSL 10 in DMZ zone........................................................4
1.2 NAT Mode..................................................................................................................20
1.2.1 Deploy ZYWALL SSL 10 at the gateway....................................................20
2. Integrated Application..........................................................................................................29
2.1 External Authentication..............................................................................................30
2.1.1 External Authentication configuration............................................................30
2.1.2 User/Group configuration ............................................................................31
2.2 Objects Configuration................................................................................................33
2.2.1 SSLApplication Object................................................................................33
2.2.2 VPN Network Object...................................................................................37
2.2.3 Endpoint Security Object.............................................................................38
2.2.4 Private IP Pool Object..................................................................................42
2.3 SSL Policy Configuration ..........................................................................................43
3. SSL VPN Solution................................................................................................................47
3.1 UTM Integration: ZyWALL UTM+ZyWALL SSL10 ...............................................47
3.2 Seamless Integrate SSL VPN into your existing IPSec VPN.....................................56
3.3 Integration: SonicWALL+ZyWALL SSL10 ..............................................................67
3.4 Integration: Netscreen+ZyWALL SSL10...................................................................71
3.5 Integration with NSA-2400 for file sharing...............................................................75
4. Best Practice: Stronger Password Security ..........................................................................86
4.1 Using Two-factor authentication solution to provide stronger (FIPS 140 compliant)
security: SSL10+Authenex ..............................................................................................86
5. FAQ ......................................................................................................................................94
A. ZyWALL General FAQ...............................................................................................94
A01. How to access ZyWALL SSL10 web GUI?....................................................94
A02. What do I need to use the ZyWALL?..............................................................94
A03. What is PPPoE?...............................................................................................94
A05. Does the ZyWALL support PPPoE?................................................................95
A06. How do I know I am using PPPoE?................................................................95
A07. Why does my Internet Service Provider use PPPoE? .....................................95
A08. How can I configure the ZyWALL?................................................................95
A09. What can we do with ZyWALL?.....................................................................96
ZyWALL SSL10 Support Notes
3
All contents copyright (c) 2006 ZyXEL Communications Corporation.
A10. Does ZyWALL support dynamic IP addressing? ............................................96
A11. What is the difference between the internal IP and the real IP from my ISP?.96
A12. How does e-mail work through the ZyWALL?...............................................96
A13. What DHCP capability does the ZyWALL support?.......................................97
A14. How do I used the reset button, more over what field of parameter will be
reset by reset button?................................................................................................97
A15. My ZyWALL can not get an IP address from the ISP to connect to the
Internet, what can I do?............................................................................................97
A16. What is BOOTP/DHCP?.................................................................................98
B. Firmware Upgrade FAQ ..............................................................................................99
B01. How to perform the firmware upgrade on ZyWALL SSL10?.........................99
C. Registration for Service Activation FAQ.....................................................................99
C01. Why do I have to register?...............................................................................99
C02. In addition to registration, what can I do with myZyXEL.com?.....................99
C03. How to activate the SSL-VPN license?.........................................................100
D. SSL VPN FAQ...........................................................................................................100
D01. Matrix table for the SSL VPN terms.............................................................100
D02. Why cannot some web pages displayed correctly?.......................................100
D03. SSL VPN vs. PPTP VPN?.............................................................................101
D04. What is the order of user authentication?......................................................101
E. EPC(End Point Check) FAQ......................................................................................101
E1. What is EPC on ZyWALL SSL10?..................................................................101
E2. What are the checking items of EPC on ZyWALL SSL 10? ...........................102
ZyWALL SSL10 Support Notes
4
All contents copyright (c) 2006 ZyXEL Communications Corporation.
1. Deployment
SSL topology encapsulates the sensitive data in SSL protocol to secure the communication
between SSL client and SSL server via several encryption, authentication, and secret
exchange method. ZyWALL SSL 10 which acts as a SSL server and easily to integrate with
the existed firewall (ex. ZyWALL or 3rd party firewall) to provide SSL VPN solution.
Depending on your current network topology, we have two suggestions for the deployment
of ZYWALL SSL 10.
1.1 DMZ Zone
1.1.1 Deploy ZYWALL SSL 10 in DMZ zone
To deploy the ZYWALL SSL 10 to a network environment, people may ask where is the
suggestion to put the device in the existing network. If the environment matches the
following two criteria, put the SSL10 in DMZ zone is recommended.
yCustomers who already installed a ZyWALL or a third party’s firewall, like
SonicWALL TZ170 or Juniper 5GT
yZyWALL UTM or the third party’s firewall provides security inspection such as
Anti-Virus/IDP/firewall.
See following figure to show you the topology for example.
ZyWALL SSL10 Support Notes
5
All contents copyright (c) 2006 ZyXEL Communications Corporation.
The network topology above is used to illustrate this application. We used one ZyWALL
as main office’s gateway which is connected to the branch office’s ZyWALL. The ZyWALL
SSL 10 is put behind main office’s gateway at DMZ zone. Remote users could either access
the main office’s LAN resource or access the remote office’s LAN resource via IPSec VPN
tunnel after user pass the SSL authentication.
Since the SSL VPN traffic will be decrypted by ZyWALL SSL 10, the traffic could be
further inspected by ZyWALL UTM or third party firewall which has security checking
features like firewall, Anti-Virus, IDP and etc. In this way, MIS administrator will take it
easy to eliminate the worry that remote “trust” PC may distribute virus or attacks to internal
network.
ZyWALL SSL10 Support Notes
6
All contents copyright (c) 2006 ZyXEL Communications Corporation.
Configuration information in this example:
ZyWALL UTM ZyWALL SSL 10
WAN Address: 172.120.1.10
DMZ Address: 192.168.3.1
LAN Address: 192.168.1.1
WAN Address: 192.168.3.2
VPN Network: 192.168.1.0/24
Remote Users IPAddress Pool:
192.168.10.200 ~ 192.168.10.250
To achieve this, we have to complete the following tasks:
zCheck ZyWALL UTM or 3rd party Firewall’s setting
1. Configure the proper IP address for WAN, LAN, DMZ interfaces.
2. Configure port 443 forwarding to ZyWALL SSL10 for SSL traffic.
3. Change the system management port for HTTPS from 443 to others to avoid
conflict with SSL VPN port forwarding.
zOn ZyWALL SSL 10, using Wizard to setup the initial SSLVPN access network.
See the following step-by-step configuration.
Configuration on ZyWALL UTM
Step1. Check if the WAN, LAN, DMZ IP address has been proper configured.
1) Go to the GUI > Network > DMZ, configure the DMZ IP address as 192.168.3.1.
ZyWALL SSL10 Support Notes
7
All contents copyright (c) 2006 ZyXEL Communications Corporation.
2) Go to the GUI > Network > DMZ > Port Roles, define the port 4 belongs to DMZ zone.
3) Go to the GUI > Network > WAN > WAN1, configure the WAN IP address as a proper
one(ex. 172.120.1.10 in this example).
ZyWALL SSL10 Support Notes
8
All contents copyright (c) 2006 ZyXEL Communications Corporation.
4) Go to the GUI > Network > LAN, configure the LAN IP address as 192.168.1.1.
Step2. Check if the Internet access is available on both LAN and DMZ network by ping
from a LAN host and a DMZ host.
ZyWALL SSL10 Support Notes
9
All contents copyright (c) 2006 ZyXEL Communications Corporation.
Step3. Check if UTM functions (ex. Firewall,Anti-Virus, and IDP) are enabled and without
blocking the SSL traffic from WAN to DMZ.
Step4. Setup the port forwarding for SSL traffic.
1) Go to the GUI > ADVANCED > NAT > Port Forwarding, add one rule to forward port
443 traffic to the ZyWALL SSL 10 (192.168.3.2)
Step5. Go to the GUI > ADVANCED > REMOTE MGMT > WWW, change the ZyWALL
UTM’s HTTPS management port number from port 443 to another port number(ex. 10443).
This is to make sure all HTTPS traffic via port 443 will be forwarded to ZyWALL SSL 10.
But if IT staff needs to access the ZyWALL UTM by HTTPS, they can use
https://IP_address:10443 (which the IP_address could be the ZyWALL’s LAN or DMZ or
WAN IP address depending on your remote management setting).
ZyWALL SSL10 Support Notes
10
All contents copyright (c) 2006 ZyXEL Communications Corporation.
Note: However, if you have configured a port-forwarding-rule 443 to a web server. We
would suggest to utilize another WAN IP address of ZyWALLUTM device for
ZyWALL SSL10’s access.
For example, if you have configured WAN1 IP forward port 443 to another web server,
(ex. 192.168.3.10). We could use WAN2 interface (ex. IP address is 10.59.1.30) to
forward 443 to ZyWALL SSL10 as following figure.
ZyWALL SSL10 Support Notes
11
All contents copyright (c) 2006 ZyXEL Communications Corporation.
Configuration on ZyWALL SSL 10
1) Access ZyWALL SSL10 via https://192.168.1.1 by default, login by entering username
and password (default is admin/1234). Press Login button.
Note1: Depending on if you want to clean the HTTP cache after perform the tasks. If you
are using your PC to configure ZyWALL SSL 10 without any security concern, leave it
just as default ‘I am connecting via my own computer’. Otherwise, choose ‘I am
connecting via Public computer’ instead.
Note2: Please ensure you turn on JavaScript and ActiveX control setting on your browser.
2) Then press Yes button to accept the system alert.
3) If you are the first time to configure ZyWALL SSL 10, the following page will be shown.
Choose Setup Wizard button to enter wizard.
ZyWALL SSL10 Support Notes
12
All contents copyright (c) 2006 ZyXEL Communications Corporation.
But if it’s not your first time to configure ZyWALL SSL 10, the system will login to
Advanced Setup page. Click the Wizard icon on the right top of page after
successfully login.
4) Choose the default "Install on Gateway’s DMZ Port" and press Next button.
ZyWALL SSL10 Support Notes
13
All contents copyright (c) 2006 ZyXEL Communications Corporation.
ZyWALL SSL10 Support Notes
14
All contents copyright (c) 2006 ZyXEL Communications Corporation.
5) Then choose "Static" for the device’s WAN IP assignment for this example. Configure
the IP address setting as shown below. Press Next button.
6) We create one SSL VPN user for this example. Enter the username and password. Press
Next button.
ZyWALL SSL10 Support Notes
15
All contents copyright (c) 2006 ZyXEL Communications Corporation.
7) Then configure the VPN network and the remote users IP address pool as below.
Note1:
In this example, we have the IParrangement as shown in the picture below. The
right mark in blue color, the “VPN network” is as the destination you plan to
allow SSLVPN users to access to(as the “LAN zone”). The “Remote users IP
address pool” means the IPaddress will be assigned to the remote SSLVPN users
from the device in full tunnel mode.
Note2:
The remote users IPaddress pool should be different than VPN network. Like in
this example, we use 192.168.1.0/24 for VPN network and remote users IPpool
ranging from 192.168.10.200 to 192.168.10.250.
ZyWALL SSL10 Support Notes
16
All contents copyright (c) 2006 ZyXEL Communications Corporation.
8) Then the system will remind you to remember configure the firmwall and UTM setting
on the ZyWALL UTM or 3rd party’s UTM firewall. Press Next button then.
9) It will give you a summery for the ZyWALL SSL 10’s WAN IP setting. Press Activate
SSL-VPN License button to register the device’s information to myZyXEL.com. However,
if you want to activate SSL-VPN license later, press Finish button.
Note: Please make sure the Internet access is available before pressing activate SSL-VPN
license since the system will send the registration information to
http://www.myZyXEL.com.
ZyWALL SSL10 Support Notes
17
All contents copyright (c) 2006 ZyXEL Communications Corporation.
10) Enter the necessary information to register your user account, the device, and get ten
SSL-VPN node licenses after registering successfully. Press Finished button to submit the
information.
Then you will complete the registration and initial setup.
Simulate a Internet host to access ZyWALL SSL 10 via the ZyWALL
ZyWALL SSL10 Support Notes
18
All contents copyright (c) 2006 ZyXEL Communications Corporation.
Step1:Assume the PC_A is an Internet host which is at ZyWALL’s WAN site. Open the IE
browser to access ZyWALL’s WAN IP address by HTTPS(ex. https://172.120.1.10). The
ZyWALL SSL10 login page will be shown. Enter the username/password we just created
(ex. sharno/1234 in this example.)
It allows the PC_A to access internal resource. But after it successfully login, the remote
user will see empty in the Application and File Sharing list as below.
Besides, the user will find his PC got a PPP IP address (ex. 192.168.1.200) in the PC’s
network connections after successfully login.
ZyWALL SSL10 Support Notes
19
All contents copyright (c) 2006 ZyXEL Communications Corporation.
The user can open the application tool to access the internal application server if he knows
how to access. For example, a FTP server IP is 192.168.1.240. He can open the FTP tool(ex.
CuteFTP) to access the server.
If IT stuff would like to pre-configure some access links for remote user’s quick view, he
needs further configuration. Please refer to chapter 2 for the detail.
ZyWALL SSL10 Support Notes
20
All contents copyright (c) 2006 ZyXEL Communications Corporation.
1.2 NAT Mode
1.2.1 Deploy ZYWALL SSL 10 at the gateway
If your company’s environment hasn’t had ZyWALL or other firewall to provide security
checking mechanism yet, it’s suggested that you put ZYWALL SSL 10 at the network
gateway and also perform the NAT feature to translate the private IP address to public.
See following figure to show you the topology for example.
The network topology is used to illustrate this application. We used one ZyWALL as
main office’s gateway which is connected to the branch office’s ZyWALL. The ZyWALL
SSL 10 is put at behind the main office’s gateway. Remote users could either access the
main office’s LAN resource or access the remote office’s LAN resource via IPSec VPN
Other manuals for ZyWALL SSL 10
4
Table of contents
Other ZyXEL Communications Firewall manuals
ZyXEL Communications
ZyXEL Communications ZyXEL ZyWALL 35 User manual
ZyXEL Communications
ZyXEL Communications ZyWALL 110 Series User manual
ZyXEL Communications
ZyXEL Communications ZyWALL 1050 User manual
ZyXEL Communications
ZyXEL Communications ZyXEL ZyWALL 35 Manual
ZyXEL Communications
ZyXEL Communications ZyWALL 1050 Instruction Manual
ZyXEL Communications
ZyXEL Communications ZyWall ATP series User manual
ZyXEL Communications
ZyXEL Communications ZyWall User manual
ZyXEL Communications
ZyXEL Communications ZyWALL 1050 Reference guide
ZyXEL Communications
ZyXEL Communications ZyWALL 110 Series User manual
ZyXEL Communications
ZyXEL Communications ZyWALL 1050 Manual
ZyXEL Communications
ZyXEL Communications ZyXEL ZyWALL 5 Manual
ZyXEL Communications
ZyXEL Communications ENTERPRISE NETWORK CENTER User manual
ZyXEL Communications
ZyXEL Communications ZyWALL 1100 Series User manual
ZyXEL Communications
ZyXEL Communications ZyWALL 110 Series User manual
ZyXEL Communications
ZyXEL Communications ZyWALL VPN2S User manual
ZyXEL Communications
ZyXEL Communications ZYWALL OTPV2 - Manual
ZyXEL Communications
ZyXEL Communications ZyWALL 110 Series User manual
ZyXEL Communications
ZyXEL Communications ZyWall Operating instructions
ZyXEL Communications
ZyXEL Communications USG Series User manual
ZyXEL Communications
ZyXEL Communications ZyXEL ZyWALL IDP 10 Manual
Popular Firewall manuals by other brands
Cisco
Cisco Firepower 1100 Series Hardware installation guide
Stormshield
Stormshield SN900 installation instructions
Symantec
Symantec ASG-S400-20 Product installation guide
PaloAlto Networks
PaloAlto Networks Prisma SD-WAN ION 9000 Hardware reference
Global Technology Associates
Global Technology Associates Firewall GB-2000 Product specifications
H3C
H3C SecPath T9000 IPS Series Installation, quick start
D-Link
D-Link NetDefend DFL-260E manual
NetScreen Technologies
NetScreen Technologies 10 Installer's guide
ShareTech
ShareTech HiGuard W Quick installation guide
Trusted Systems
Trusted Systems SafeGuard quick start guide
H3C
H3C SecPath F1000-E installation manual
Lanner electronics
Lanner electronics FW-7650 Series user manual
PaloAlto Networks
PaloAlto Networks PA-5410 quick start guide
Fortinet
Fortinet FortiGate FortiGate-800 Administration guide
EBLOCKER
EBLOCKER PRO user manual
Cisco
Cisco 5505 - ASA Firewall Edition Bundle Hardware installation guide
D-Link
D-Link NetDefend DFL-260E reference guide
Lanner
Lanner FW-7541 user manual