What can a VPN do that a reverse proxy can’t?
The exact implementation depends on the vendor. Not everyone uses a proxy-based architecture. That being said, even if you simplify it down to the level you did (which ignores the key points of where authentication and authorization occur, who has to host and manage the publicly accessible components, etc.), nothing I said is incorrect. The simple “proxy” you mentioned is the brokering appliance I mentioned, and it’s not a proxy for many vendors as it’s not terminating and reopening connections. Proxy performance would be terrible for protocols like SMB that are widely used in ZTNA.
Yes. Every ZTNA solution I am aware of uses vendor-hosted data planes for the initial connection request. This gateway or broker is where the identification, authorization and access decision is made based on the device, user and other criteria. It’s only forwarded down to the customer-hosted connector if it’s an allowed connection.
TLS tunnel…
Gives access to specific things upon authentication.
Firewalls have portals built in that do it.
Only difference is who’s doing it… But it’s the same thing.
No, you do not need FSSO if users identify to the VPN with AD; FortiGate syncs the user groups. And it works fine.
We use FSSO for local network identification. I can’t say it works fine; it is not very reliable without FortiAuthenticator. Sometimes it does not catch the login.
For Wi-Fi (Aruba) we use RADIUS accounting and group mapping, which works fine, but it’s a bit tedious if you need to map many groups.
We also have mixed results with FSSO for local identification. We also needed to do something different as we are moving devices over to Intune.
We’re also using Aruba WLAN with RADIUS, but no group mapping set up.