Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JNDias
Staff & Editor
Staff & Editor

Created on ‎05-31-2023 02:16 AM Edited on ‎09-15-2025 06:25 AM By Moderator

Article Id 258665

Technical Tip: Alternatives to SSL VPN web mode (Agentless VPN)

Description

 

This article describes alternatives to Agentless VPN (formerly known as SSL VPN web mode), where dynamic web pages are a compatibility challenge with this feature.

 

Modern web applications use JavaScript to create dynamic URLs, which makes URL rewriting difficult, resource-intensive, and often unreliable.

 

Starting in FortiOS 7.6.3, Agentless VPN is no longer supported on several FortiGate desktop models. For details, refer to the FortiOS release notes.

Additionally, from FortiOS 7.6.3 onwards, SSL VPN tunnel mode has been replaced with IPsec VPN as the default remote access method. See this announcement for more details.

 

All alternatives covered in this article offer support for inspection security features (Antivirus, Web Filtering, DLP, and IPS).

 

Reminder: Always use secure authentication methods such as SAML, certificates, or strong passwords combined with 2FA/MFA.

 

Scope

 

FortiGate v7.2, v7.4. v7.6.

 

Solution
 
Desktop models options:
  • IPsec VPN remote access.
  • VIP + firewall policy authentication.

 

For every other model options:
 

A. Application-level remote access.

 

  1. ZTNA access proxy (EMS-managed, FortiClient) - Most Secure.
Related documents:
ZTNA: Zero Trust Network Access
FortiGateZTNA configuration examples

 

  1. ZTNA agentless web portal - Available from starting FortiOS 7.6.1.
  • No client install, but no client checks and no content inspection, app compatibility may vary.
  • Similar method of SSL VPN web mode (Agentless VPN).
  • Use only when agents are not allowed and the published app is known to work.

Related document: FortiGate/FortiOS New Features - ZTNA agentless web-based application access.

 
  1. VIP + firewall policy authentication.
  • No client install, simple to publish a specific service. Leverages firewall auth and supports inspection.
  • No device posture. Limited expansion, not scalable for multiple websites.

Related document: Technical Tip: How to configure SAML authentication for firewall policy with Virtual IP (VIP).

 

B. Network-level remote access.

 
  1. IPsec VPN remote access
  • High performance (NPU offload), broad client support.
  • Starting in FortiOS 7.6.3, it’s the default remote-access method replacing SSL VPN tunnel mode.

Related document: Remote access in the admin guide.

 
Notes:
FortiSASE (Secure Access Service Edge) also includes ZTNA and agentless ZTNA functionality:
10414
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.