SSL VPN Replacement

Hello All -

Looking to replace our current FortiClient SSL VPN immediately, but also looking for something that can accomplish a ZTNA solution at some point later down the road.

Most options I am seeing seem to handle on-prem, but cater more to cloud hosted environments.

We have two locations, with data centers in both, between which we need interconnectivity.

We have employees in both buildings every day.

We have hybrid and remote users needing connectivity to both data centers.

We must have low latency for SQL back-end applications.

Our only cloud-hosted applications are M365/Entra.

I have looked into Zscaler, Cato, Twingate, and FortiSASE too, but as a current Fortinet customer, I'm not sure I trust their products outside of the FortiGates.

Can I ask why you are replacing Forti SSL VPN?

I ask because I'm implementing it next week, so I wonder what your rush to get off the platform is.

It's not Tailgate: Tailscale and Twingate. Both are good, and I'm a fan of Tailscale. Good people work there.

Zscaler decrypts and scans traffic in the cloud, as far as I know, at least in some of their products.

You will like Pomerium reverse proxy. You want low latency, so you want something deployed at the edge to avoid the extra hops.

The other tools you looked at are generally layer 4 tools. The architecture is basically: combine a tunneling solution with SD-WAN/SDP, throw in a house blend of FWaaS and CASB, and hope you don't realize you're still logging into a client that's tunneling through their servers to reach your apps.

The latency comes from that extra hop.

Our firm just moved from Zscaler to Netskope. Maybe check that out.

We went through this process last summer and eventually ended up with Cato.

Couldn't be happier with that decision, and we have plans to bring in more of their SASE components later this year as well.

Hi! Full disclosure, I'm a mod on r/twingate. Twingate should be a perfect fit based on the description of your environment, but if you have more specific questions or need some help with implementation, etc., feel free to solicit us on our subreddit. A number of employees from our technical teams are there to help!

I am using Zscaler and can highly recommend it.
You can deploy private service edges, which guarantees very low latency. Really satisfied with the product. My company is one of the three biggest customers of Zscaler in Europe.

I just started using "Entra Private Access"; it is in preview.

We switched to Knocknoc. It’s a simpler approach, but it works for us. Depends on your userbase, but zero client config is amazing.

You have FortiGates… Upgrade your firewalls to 7.2.7 and deploy FortiClient 7.2.4, then configure IPsec remote access VPN with Entra ID SSO as a way to get off SSL as quickly as possible.

Not sure about using database applications over VPN; I would always leverage a Citrix/VDI environment for that. But when it comes to ease of use and deployment, you can't go wrong with Cato. It just works.

Island Browser, Citrix

FortiClient has been giving us headaches since we started using it. Probably switching to Zscaler; it is much faster and easier to use in limited testing so far.

You're asking for two different solutions though? A client VPN and site-to-site? Contact your ISP and ask them what they offer in terms of MPLS solutions to connect all of your locations without the need for a site-to-site solution.

Cato Networks. You’ll love it.

I like Tailscale but didn't like how the UI is visible on servers, so people using RDP machines can see it, or that you could see all the machines via command prompt. It worked quite well otherwise.

We’re currently looking at Cato Networks and Zscaler though.

I am a big fan of Twingate. Best mix of ease of use and sophistication, IMO.

Probably because in the last 2-3 years there have been major vulnerabilities in SSL VPN.

I've seen people say in r/fortinet that in version 7.4 there is a banner advising you to migrate from SSL VPN to IPsec, and (possible) speculation that Fortinet is going to be dropping SSL VPN functionality in 7.6.

u/Gods-Of-Calleva How are you implementing this without being public facing?