Hey, everyone! I'm in the middle of transitioning from a file server to Microsoft Teams, aiming to streamline our communication and data management. The whole project should wrap up by the year's end, and we're working with an E5 license for about 200 users. Alongside this, we're planning to replace our firewall this year, which brings me to my question. Should I ditch our traditional VPN for Global Secure Access (GSA)? I've noticed that the costs of using VPN with MFA on our new Forti firewall are quite steep per user. However, we still need to access some internal resources and applications from home. What do you think about using GSA? Is it secure, and does it offer solid logging features? Thanks!
5 Answers
Migrating to Teams can definitely feel like quite the adventure! As for your question about GSA, if you're referring to the Entra ID GSA, you might consider using IPsec combined with SAML on the FortiGate. This way, you could essentially get MFA with VPN without any additional costs. You might not even need P1 for it!
A major downside with GSA is its limitations for remote support. It doesn't really facilitate server-initiated connections, which can be a big issue if your setup depends on that. If most of your workloads are cloud-based and you've got remote support figured out, GSA could work great, but if not, sticking with the traditional VPN might be the safer bet.
Exactly! If your devices are domain or hybrid joined, GSA could complicate things. If you’re purely using Intune, it won't be too bad since remote management is agent-based.
Honestly, going with GSA might not be the best move for your setup. It tends to lack strong support and many features are still in beta. You're likely better off with traditional VPN solutions that are proven and reliable.
What type of VPN clients are you using? Are they mainly domain-joined Windows PCs? I've looked into using device-level AOVPN for Windows machines before and found it workable, even for a large number of PCs. It's definitely something to consider for reducing licensing costs.
Think of GSA like this: it's an upgraded VPN that costs more and requires Azure licensing. If you're already embedded in the Microsoft ecosystem, the logging is definitely superior. But if you have on-prem resources needing VPN access, it might be a hassle to switch everything over.

That's a good point! But do you still get updates for the free version of FortiClient?