Description
This article describes that most web pages are dynamic. For example, javascript is used to construct dynamic URL links.
This makes it much more difficult to locate the URL in the returned page from HTTP(s) servers (sometimes it is simply impossible to do it properly).
The complexity of such URL rewrite is getting worse and it is becoming a recommendation to use alternatives as presented in this article.
All the alternatives presented in this article support AV/WF/DLP/IPS features, different from the SSL VPN web mode which has very limited support for those features.
Recommendation reminder: VPN or not it is always a good practice long passwords together with 2FA/MFA.
Scope
FortiGate v7.0, v7.2, v7.4.
Solution
Those options are listed per the most recommended levels.
1) Use SSL-VPN Tunnel mode.
With this method, the user installs a FortiClient to access the internal network and authenticate with his credentials.
It can be configured to use Full Tunnel or Split Tunnel modes
Related documents for this alternative:
2) ZTNA access proxy feature.
This requires additional configuration with EMS, it is considered the most secure option.
Related documents for this alternative:
3) A VIP, PAT, or 'Virtual Server' together with 'firewall policy authentication'.
This is very useful for those who already have an authentication process in place.
With this method, the user does not need to install anything on the client side.
The server would be exposed but with authentication (VPN or not it is always a good practice long passwords together with 2FA/MFA).
Related documents for this alternative:
