kushh8
New Member
March 31, 2026
Question

Replacing SSLVPN

  • 2 replies
  • 432 views

Hi Everybody,

As we (hopefully) all know, SSLVPN tunnel mode will be discontinued in FortiOS 7.6.3. This is definitely a step in the right direction and I don't challenge that decision at all.

Now, there's a lot of guides to move to DialUp IPSec and ZTNA. The thing is however, it all is so cumbersome compared to SSLVPN. For instance:

- With IPSec, you need to deploy either a PSK (which is not very wise) or certificates, but if you have some external user you'd need to give him a certificate and it's already hard enough if you just have a user/password combo.

- With IPSec you can do SAML, sure, but you still need a PSK or a certificate.

- ZTNA is nice and all, but you can't have a tunnel which is essential for many of the use cases that revolve around managing devices that are attached to the network (think of: building automation, things like that)

...and the list goes on. There's just no easy solution from Forti which I am aware of.

So, right now, we're evaluating another approach, basically setting up a remote access solution behind our firewall. We're right now looking at OpenVPN Access Server and solutions like it. Do you have any other recommendations for which solution I should have a look at? Basically as dead simple as SSLVPN.

Cheers!

2 replies

nevan
Staff
March 31, 2026

Dear Kushh8,

The answer to the first two enquiries is yes, and there is a reference below:
https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/951346/saml-based-authentication-for-forticlient-remote-access-vpns

So, you can go with a certificate, and also with SAML while using a certificate.

Lastly, even if you have ZTNA, you can use an IPSec tunnel along with ZTNA.
Admin Guide Reference: https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/735065/augmenting-vpn-security-with-ztna-tags

Regards.

// Kindness is the Key //

OktaRianzani
Visitor III
April 1, 2026

Just wanted to throw in a few thoughts — not a definitive answer, but hopefully useful.

Honestly, right now there's no single SSL VPN replacement that checks all the boxes at once: simple setup, full tunnel, and easy deployment. Every option out there comes with its own trade-offs, so it really depends on what you're willing to compromise on.

If you're staying within the Fortinet ecosystem:

  • IPSec + SAML is probably the closest you'll get — full tunnel, SSO support — but fair warning, it's noticeably more complex to set up and maintain.
  • ZTNA is solid for application-level access, but it's not a like-for-like replacement for a full tunnel, so don't expect a 1:1 swap.

As for alternatives like OpenVPN — yeah, the setup is simpler on the surface, but in the long run it tends to fall short, mainly because of the lack of native integration and limited visibility into what's actually happening on your network.

Bottom line: The most realistic path forward right now is probably a combination approach — IPSec for full network access, ZTNA for application-level access. It's not as clean or simple as SSL VPN was, but honestly, this is the direction the industry is moving toward from a security standpoint.

Hope that helps, even if it's not the clean single-solution answer we'd all prefer!

Regards