Access to the GUI is disabled by default for security reasons, and should be left that way or restricted to specific authorized remote management IP addresses.
If HTTPS (tcp/443) is already being forwarded on the WAN IP address to an internal system, it may be necessary to change the port for the GUI in order to reach it from the WAN using HTTPS.
To allow access from the WAN, navigate to Firewall > Rules on the WAN tab add a firewall rule to pass the appropriate source(s) to a destination of the WAN IP and port the webGUI is using. Passing from a source of "any" is highly discouraged for security reasons.
This is documented in detail in [the book].