| Description | This article describes key reasons to migrate from SSL VPN web-mode to either SSL VPN tunnel-mode or ZTNA access proxy. |
| Scope | FortiGate version 7.0 or above. |
Since its introduction, SSL VPN web-mode has worked by rewriting the URL links inside HTTP payloads (HTML, scripts, ...) in HTTP responses from the internal web server. This makes the client's web browser send its HTTP(S) connections back to FortiGate. This method was most effective at a time when most web pages were static HTML pages.
To fix the problem, implement one of the following solutions:
1: SSL VPN tunnel mode: SSL VPN in tunnel mode offers much better performance than web-mode and easily supports UTM features such as AV, WF, DLP, IPS and thorough policy lookup. Web mode has many limitations in this regard. The only requirement for this setup is that the customer must install FortiClient on each user's computer.
2: ZTNA access proxy (available in FortiOS version 7.0 and above): Both SSL VPN web-mode and ZTNA access proxy are kinds of reverse proxy. Neither requires any installation on users' computers. The only difference is that, currently, SSL VPN web-mode takes the URL-rewrite approach to force clients' browsers to send HTTP(S) connections back to FortiGate, whereas the ZTNA proxy works more like a standard reverse proxy: it does not modify the HTTP payload in a server's response at all.
The requirements are public FQDN(s) for the internal web server(s) and a FortiClient EMS license/server.
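The difference between the two reverse-proxy approaches, as an added Python illustration (not Fortinet code): a simplified attribute rewriter handles URLs in static HTML but leaves a URL assembled by script at run time pointing at the internal host, while the pass-through approach never touches the payload. The portal host, the `/proxy/` path layout, the internal hostname and the sample page are constructed assumptions and do not reflect FortiGate's actual rewrite format.

```python
import re
from urllib.parse import quote

# Constructed values: hypothetical portal prefix and internal hostname.
PORTAL = "https://vpn.example.com/proxy/"
INTERNAL_HOST = "intranet.corp.local"

# Constructed sample response from an internal web server.
SAMPLE_HTML = """<html><body>
<a href="http://intranet.corp.local/wiki/home">Wiki</a>
<img src="http://intranet.corp.local/static/logo.png">
<script>
var host = "intranet" + ".corp" + ".local";
fetch("http://" + host + "/api/items");
</script>
</body></html>"""

ATTR_URL = re.compile(r'(href|src|action)="(https?://[^"]+)"')


def rewrite_response(html):
    """URL-rewrite style: point absolute attribute URLs at the portal."""
    def repl(m):
        return '%s="%s%s"' % (m.group(1), PORTAL, quote(m.group(2), safe=""))
    return ATTR_URL.sub(repl, html)


def passthrough_response(html):
    """Standard reverse-proxy style: the payload is returned unmodified;
    clients reach the proxy because the public FQDN resolves to it."""
    return html


def literal_internal_urls(html):
    """Complete internal URLs still present as literals in the payload."""
    pattern = r'https?://' + re.escape(INTERNAL_HOST) + r'[^"\s]*'
    return re.findall(pattern, html)


def runtime_built_urls(html):
    """URL expressions concatenated by script, invisible to ATTR_URL."""
    return re.findall(r'"https?://"\s*\+[^;]*', html)


if __name__ == "__main__":
    rewritten = rewrite_response(SAMPLE_HTML)
    print("literal internal URLs before:", literal_internal_urls(SAMPLE_HTML))
    print("literal internal URLs after: ", literal_internal_urls(rewritten))
    print("script-built URLs left as-is:", runtime_built_urls(rewritten))
```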