|
Some years ago most of the web pages were using static HTML. It is relatively straightforward to locate the URL link in static HTML pages and replace/modify it with a pre-defined domain name and URL prefix.
However, nowadays, most web pages are dynamic, as in some examples they use JavaScript to build a dynamic URL link.
That makes it more difficult to locate the URL in the returned page from HTTPS servers.
The complexity of such URL rewrite logic is getting worse, because every time a user enhances/modifies the web application or adds some modules, it also changes the logic of URL rewrite. This results in a non-working SSLVPN bookmark.
The way to get out of this situation and avoid any future problems:
- Whenever possible, use SSLVPN in tunnel mode. The tunnel mode surely has better performance and supports UTM features. For example, UTMs like Antivirus/WebFilter/DLP/IPS features and others, while web mode has limited or no support for that. Also regarding firewall policy lookup, where tunnel mode fully supports that feature and web mode supports only limited lookup.
- The only necessary attribute to use tunnel mode is that FortiClient needs to be installed on the host. As an alternative option Fortinet now offers a ZTNA access proxy.
ZTNA access proxy allows users to securely access resources through an SSL-encrypted proxy. This makes remote access much easier by eliminating the use of any sort of VPN tunnel.
In addition to that, the ZTNA rules add a level of security and posture checking.
Note:
From v7.6.0, the SSL VPN function has been removed from models with 2GB of RAM: SSL VPN removed from 2GB RAM models for tunnel and web mode
Starting from v7.6.3, the SSL VPN tunnel mode will no longer be supported for all FortiGate models, and SSL VPN web mode will be called 'Agentless VPN'. Agentless VPN (formerly SSL VPN web mode) not supported on FortiGate 40F, 60F, and 90G series models
Related article:
Technical Tip: SSL VPN personal bookmarks
|
