Article Id: 266328
Description: This article describes key reasons to migrate from SSL VPN web-mode to either SSL VPN tunnel-mode or ZTNA access proxy.
Scope: FortiGate version 7.0 or above.

Since its introduction, the SSL VPN web-mode feature has worked by rewriting the URL links inside the HTTP payloads (HTML, scripts, and so on) of HTTP responses from the internal web server. The rewritten links cause the client's web browser to send its subsequent HTTP(S) connections back to the FortiGate. This method was most effective during the period when most web pages were static HTML pages.

However, modern web pages present a fundamental problem because they are dynamic. For example, many URL links in dynamic pages are constructed at run time by JavaScript. This makes it very complicated to locate the URL links in the HTTP payloads, and sometimes impossible to locate the URLs to modify. As a result, customers may experience difficulties when using SSL VPN web-mode to access internal (dynamic) websites.

To fix the problem, implement one of the following solutions:

1: SSL VPN tunnel mode: SSL VPN in tunnel mode offers much better performance than web-mode and easily supports UTM features such as antivirus (AV), web filtering (WF), DLP, IPS and thorough policy lookup, areas in which web-mode has many limitations. The only requirement for this setup is that the customer must install FortiClient on each user's computer.

2: ZTNA access proxy (available from FortiOS version 7.0 and above): Both SSL VPN web-mode and ZTNA access proxy are kinds of reverse proxy, and neither requires any installation on users' computers. The only difference is that, currently, SSL VPN web-mode takes the URL-rewrite approach to force clients' browsers to send HTTP(S) connections back to the FortiGate, whereas the ZTNA access proxy works like a standard reverse proxy: it does not modify the HTTP payload in the server's response at all.

The requirements are public FQDN domain names for the internal web servers and a FortiClient EMS license/server.
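As an added illustration that is not from this article or from Fortinet, the following Python sketch contrasts the two reverse-proxy behaviours described above. `rewrite_links` mimics the web-mode approach: it wraps every literal URL found in an HTML attribute so that the browser returns to the portal; it finds nothing to rewrite in a page whose link is assembled by JavaScript, so the browser ends up with an internal URL that never reaches the portal. `reverse_proxy_target` mimics the ZTNA access-proxy approach: the browser connects to a public FQDN, the proxy maps the Host header to an internal server, and the response body is relayed untouched. The portal prefix, host names, FQDN mapping and both sample pages are constructed for the example.

```python
import re
from urllib.parse import quote

# All values below are constructed for this example; none come from the article.
PORTAL = "https://vpn.example.com/proxy"      # hypothetical SSL VPN portal prefix
INTERNAL_HOST = "intranet.example.local"       # hypothetical internal web server

# A static page: every link is a literal inside an HTML attribute.
STATIC_PAGE = (
    '<a href="http://intranet.example.local/app/report?id=7">Report</a>\n'
    '<img src="/static/logo.png">'
)

# A dynamic page: the link only exists once JavaScript has run in the browser.
DYNAMIC_PAGE = """<a id="r">Report</a>
<script>
  var host = "intranet" + ".example.local";
  var link = "http://" + host + "/app/report?id=" + 7;
  document.getElementById("r").href = link;
</script>"""

# Literal absolute and root-relative URLs inside href/src/action attributes.
ABS_URL_RE = re.compile(r'''(href|src|action)=(["'])(https?://[^"']+)\2''')
REL_URL_RE = re.compile(r'''(href|src|action)=(["'])(/[^"']*)\2''')


def rewrite_links(html, internal_host=INTERNAL_HOST, portal=PORTAL):
    """Web-mode style rewriting: wrap each literal URL so the browser sends the
    request back to the portal. Returns (rewritten_html, number_of_urls_rewritten)."""
    count = 0

    def wrap(url):
        return f"{portal}/{quote(url, safe='')}"

    def abs_sub(m):
        nonlocal count
        attr, q, url = m.groups()
        count += 1
        return f"{attr}={q}{wrap(url)}{q}"

    def rel_sub(m):
        nonlocal count
        attr, q, path = m.groups()
        count += 1
        return f"{attr}={q}{wrap('http://' + internal_host + path)}{q}"

    out = ABS_URL_RE.sub(abs_sub, html)   # absolute first, so wrapped values are not re-matched
    out = REL_URL_RE.sub(rel_sub, out)
    return out, count


def is_proxied(url, portal=PORTAL):
    """True if a request for this URL would go to the portal rather than bypass it."""
    return url.startswith(portal + "/")


def link_built_by_dynamic_page():
    """Hand-evaluated result of the script in DYNAMIC_PAGE: the URL a browser computes
    at run time. The rewriter never saw this string, so it is left unchanged."""
    host = "intranet" + ".example.local"
    return "http://" + host + "/app/report?id=" + str(7)


def reverse_proxy_target(host_header, fqdn_map):
    """ZTNA access-proxy style: the browser connects to a public FQDN that resolves
    to the proxy; the proxy maps the Host header to an internal server and relays
    the response body untouched. Unknown hosts are refused (None), not guessed."""
    return fqdn_map.get(host_header.lower())


FQDN_MAP = {"reports.example.com": INTERNAL_HOST}   # constructed public-to-internal mapping

if __name__ == "__main__":
    _, n = rewrite_links(STATIC_PAGE)
    print(f"static page: {n} link(s) rewritten")
    _, n = rewrite_links(DYNAMIC_PAGE)
    link = link_built_by_dynamic_page()
    print(f"dynamic page: {n} link(s) rewritten; browser will request {link}")
    print("dynamic link reaches the portal?", is_proxied(link))
    print("ZTNA target for reports.example.com:", reverse_proxy_target("reports.example.com", FQDN_MAP))
```

The rewriter only sees strings that exist in the response body; a URL that is concatenated from fragments in the browser is invisible to it, which is the failure mode the article describes. The host-mapping approach sidesteps the problem entirely because it never has to find or edit anything in the payload.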
