FortiGate
JNDias
Staff & Editor
Article Id 258665
Description

 

This article describes alternatives to Agentless VPN (formerly known as SSL VPN web mode) for cases where dynamic web pages pose a compatibility challenge for this feature.

 

Modern web applications use JavaScript to create dynamic URLs, which makes URL rewriting difficult, resource-intensive, and often unreliable.
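
The effect described above, shown as an added example (a simplified model, not FortiOS code and not part of the original article): a rewriter that only sees URLs in HTML attributes misses a URL that the page script assembles at run time. The portal prefix, hostnames and sample page are constructed for illustration.

```javascript
// Simplified model of portal-style URL rewriting (not FortiOS code).
// PORTAL_PREFIX, the hostnames and SAMPLE_PAGE are constructed.
const PORTAL_PREFIX = "https://portal.example.com/proxy/";

const SAMPLE_PAGE = `
<a href="https://intranet.corp.example/home">Home</a>
<img src="https://intranet.corp.example/logo.png">
<script>
  const host = ["intranet", "corp", "example"].join(".");
  fetch("https://" + host + "/api/orders?id=" + 42);
</script>`;

// Rewrite absolute URLs in href/src/action attributes to go via the portal.
function rewriteStaticUrls(html) {
  return html.replace(
    /\b(href|src|action)=(["'])(https?:\/\/[^"']+)\2/gi,
    (_m, attr, q, url) =>
      `${attr}=${q}${PORTAL_PREFIX}${encodeURIComponent(url)}${q}`
  );
}

// Collect every URL a browser would request from the page: attribute URLs
// as written, plus URLs the inline scripts pass to fetch() at run time.
function requestedUrls(html) {
  const urls = [];
  for (const m of html.matchAll(/\b(?:href|src|action)=["']([^"']+)["']/gi)) {
    urls.push(m[1]);
  }
  for (const m of html.matchAll(/<script>([\s\S]*?)<\/script>/gi)) {
    // Run the constructed sample script with a stub fetch that records the URL.
    new Function("fetch", m[1])((url) => urls.push(String(url)));
  }
  return urls;
}

// URLs that still point at the internal host after rewriting, so they
// would not resolve for a remote user connected only through the portal.
function unrewrittenUrls(html) {
  return requestedUrls(rewriteStaticUrls(html))
    .filter((u) => !u.startsWith(PORTAL_PREFIX));
}

console.log(unrewrittenUrls(SAMPLE_PAGE));
```

Catching the remaining URL would require the portal to parse or instrument the page's JavaScript, which is the costly and unreliable part.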

 

Starting in FortiOS 7.6.3, Agentless VPN is no longer supported on several FortiGate desktop models. For details, refer to the FortiOS release notes.

Additionally, from FortiOS 7.6.3 onwards, SSL VPN tunnel mode has been replaced with IPsec VPN as the default remote access method. See this announcement for more details.

 

All alternatives covered in this article offer support for inspection security features (Antivirus, Web Filtering, DLP, and IPS).

 

Reminder: Always use secure authentication methods such as SAML, certificates, or strong passwords combined with 2FA/MFA.

 

Scope

 

FortiGate v7.2, v7.4, v7.6.

 

Solution
 
Options for desktop models:
  • IPsec VPN remote access.
  • VIP + firewall policy authentication.

 

Options for all other models:
 

A. Application-level remote access.

 

  1. ZTNA access proxy (EMS-managed, FortiClient) - Most Secure.
Related documents:

 

  2. ZTNA agentless web portal - Available starting from FortiOS 7.6.1.
  • No client install, but no client checks and no content inspection; app compatibility may vary.
  • Similar in method to SSL VPN web mode (Agentless VPN).
  • Use only when agents are not allowed and the published app is known to work.

Related document: FortiGate/FortiOS New Features - ZTNA agentless web-based application access.

 
  3. VIP + firewall policy authentication.
  • No client install, simple to publish a specific service. Leverages firewall auth and supports inspection.
  • No device posture. Limited expansion, not scalable for multiple websites.

Related document: Technical Tip: How to configure SAML authentication for firewall policy with Virtual IP (VIP).

 

B. Network-level remote access.

 
  1. IPsec VPN remote access
  • High performance (NPU offload), broad client support.
  • Starting in FortiOS 7.6.3, it’s the default remote-access method replacing SSL VPN tunnel mode.

Related document: Remote access in the admin guide.

 
Notes:
FortiSASE (Secure Access Service Edge) also includes ZTNA and agentless ZTNA functionality: