tino_p
Staff
Article Id 266328
Description This article describes key reasons to migrate from SSL VPN web-mode.
Scope FortiGate version 7.0 or above.

Solution


SSL VPN web-mode works by modifying the URL links inside the HTTP payloads (HTML, scripts, and so on) of responses from the internal web server, so that the client's browser sends its subsequent HTTP(S) requests back to FortiGate instead of directly to the internal server. This approach was most effective when most web pages were static HTML.


Modern web pages present a fundamental problem because they are dynamic: many URL links in dynamic pages are constructed at runtime by JavaScript, so they never appear as complete strings in the HTTP payload. This makes locating the URLs to rewrite very complicated, and sometimes impossible. As a result, customers may experience difficulties when using SSL VPN web-mode to access internal (dynamic) websites.


Note:

See Agentless VPN (formerly SSL VPN web mode) not supported on FortiGate 40F, 60F, and 90G series models....


To fix the problem, implement one of the following solutions:


1: ZTNA access proxy (available from FortiOS 7.0 and above): Both SSL VPN web-mode and the ZTNA access proxy are kinds of reverse proxy. The difference is that SSL VPN web-mode takes the URL-rewrite approach to force the client's browser to send HTTP(S) connections back to FortiGate, whereas the ZTNA access proxy works like a standard reverse proxy: it does not modify the HTTP payload of the server's response at all.

The requirements are a public FQDN for each internal web server and a FortiClient EMS license/server.
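The two behaviours described above, URL rewriting in SSL VPN web-mode and pass-through in the ZTNA access proxy, as an added runnable illustration. This is example code written for this article, not Fortinet code, and it does not reproduce the real web-mode rewriter: the host names vpn.example.com, intranet.corp.local and intranet.example.com, the path prefix /proxy/https/, the sample HTML and the sample script are all constructed for the example. It shows that URLs in markup attributes get rewritten, that a URL assembled by JavaScript at runtime is never seen by the rewriter and therefore arrives at the portal without the prefix that names the internal server, and that a pass-through proxy reached via the server's public FQDN needs no rewriting at all.

```python
import re
from urllib.parse import urljoin, urlsplit

# All names below are assumptions made for this example, not values from the article.
PORTAL_HOST = "vpn.example.com"        # public name of the FortiGate SSL VPN portal
INTERNAL_HOST = "intranet.corp.local"  # internal web server, not resolvable from the Internet
PUBLIC_FQDN = "intranet.example.com"   # public FQDN for the same server, resolving to the FortiGate (ZTNA)
PREFIX = "/proxy/https/"               # hypothetical web-mode path prefix carrying the real host name

# Constructed sample response bodies, not captured from a real server.
STATIC_HTML = (
    '<a href="/reports/q1.html">Q1</a>\n'
    '<img src="https://intranet.corp.local/logo.png">\n'
    '<form action="/login"><script src="/static/app.js"></script></form>'
)
DYNAMIC_JS = "var base = '/api/v2/'; fetch(base + 'ticket/' + id);"

WEBMODE_PAGE = f"https://{PORTAL_HOST}{PREFIX}{INTERNAL_HOST}/index.html"  # page URL the browser sees in web-mode
ZTNA_PAGE = f"https://{PUBLIC_FQDN}/index.html"                           # page URL the browser sees via ZTNA

URL_ATTR = re.compile(r"""\b(href|src|action)=(["'])([^"']*)\2""", re.I)


def rewrite_url(url):
    """Web-mode style rewrite: point an origin URL at the portal, encoding the real host in the path."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https"):
        host, path = parts.netloc, parts.path or "/"
    elif url.startswith("/"):
        host, path = INTERNAL_HOST, url
    else:
        return url  # a relative reference depends on the page URL; this toy leaves it alone
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{PORTAL_HOST}{PREFIX}{host}{path}{query}"


def webmode_rewrite(body):
    """Rewrite every URL the proxy can find in markup attributes. A JavaScript expression such as
    base + 'ticket/' + id is not a URL to the rewriter, so a script body comes back unchanged."""
    return URL_ATTR.sub(lambda m: f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3))}{m.group(2)}", body)


def ztna_passthrough(body):
    """Standard reverse-proxy behaviour: the response body is forwarded untouched."""
    return body


def browser_requests_static(page_url, body):
    """URLs the browser would request for the markup attributes in body, resolved against the page URL."""
    return [urljoin(page_url, m.group(3)) for m in URL_ATTR.finditer(body)]


def browser_request_dynamic(page_url, ticket_id):
    """What the browser computes at runtime for DYNAMIC_JS: base + 'ticket/' + id, resolved against the page."""
    return urljoin(page_url, "/api/v2/" + "ticket/" + str(ticket_id))


def proxy_can_forward(url):
    """Can the proxy work out that this request is meant for INTERNAL_HOST?"""
    parts = urlsplit(url)
    if parts.netloc == PORTAL_HOST:  # web-mode: the real host must be encoded in the path
        return parts.path.startswith(f"{PREFIX}{INTERNAL_HOST}/")
    return parts.netloc == PUBLIC_FQDN  # ZTNA: routed by the public FQDN (Host header / SNI)


def simulate(mode, ticket_id=42):
    """Return {request_url: forwardable} for one page load through the chosen proxy style."""
    if mode == "webmode":
        page, body = WEBMODE_PAGE, webmode_rewrite(STATIC_HTML)
    else:
        page, body = ZTNA_PAGE, ztna_passthrough(STATIC_HTML)
    urls = browser_requests_static(page, body) + [browser_request_dynamic(page, ticket_id)]
    return {u: proxy_can_forward(u) for u in urls}


if __name__ == "__main__":
    for mode in ("webmode", "ztna"):
        print(f"--- {mode} ---")
        for url, ok in simulate(mode).items():
            print("forwardable" if ok else "LOST       ", url)
```

Running it, the web-mode pass reports the fetch() URL as lost: the rewriter never saw the string /api/v2/ticket/42, so the browser resolves it against the portal origin and the request reaches FortiGate without the path prefix that names the internal server. The ZTNA pass forwards the same request because routing is by the public FQDN the browser already used for the page. The untouched absolute link to intranet.corp.local in the ZTNA pass is the flip side of not rewriting: a standard reverse proxy cannot repair links to names that do not resolve from the Internet, which is why each internal server needs a public FQDN.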


Important notes:

Starting from FortiOS 7.6.0, the SSL VPN feature is not available on FortiGate models with 2 GB of RAM (FortiOS 7.6.0 release notes).

Starting from FortiOS 7.6.3, SSL VPN tunnel mode is no longer supported (FortiOS 7.6.3 release notes).

Existing configuration related to SSL VPN tunnel mode, including the associated firewall policies, is not carried over when upgrading from earlier versions to FortiOS 7.6.3.

For the list of CLI commands that are no longer supported, see Appendix A: FortiOS CLI - FortiGate 7.6.0 new features.

To ensure uninterrupted remote access, migrate the SSL VPN tunnel mode configuration to IPsec VPN before upgrading to FortiOS 7.6.3.


Related articles: