Hi folks! We're migrating from a file server to Microsoft Teams to streamline our communication and data management, with a target completion by year-end. We're also planning to replace our firewall this year, which has raised a question for us: should we ditch our traditional VPN and switch to Global Secure Access (GSA) instead? The cost of implementing a VPN with multi-factor authentication on our new Fortinet firewall is quite high per user. We still need to access some internal resources and applications from home, though. I'm curious about recommendations for GSA—how does it stack up in terms of security, logging, and visibility?
4 Answers
GSA seems like it's just taking the VPN concept and making it pricier with Azure licensing. The logging features could be better if you're already using Microsoft tools. It really depends if you need to access on-prem resources via VPN or if you can use Teams or SharePoint for everything. Just a heads up: Fortinet's per-user VPN licensing can be annoying, but it works just fine for most scenarios. GSA may be addressing issues that many companies actually don’t face.
Honestly, GSA might not be the best choice for your connectivity needs. It has limited support, many features are still in preview mode, and it lacks some necessary functionalities. You might want to stick to your traditional VPN for now.
What kind of VPN clients are you currently using? If they're predominantly Windows PCs that are domain-joined, I looked into implementing AOVPN for our setup before I retired. We even tested with a third-party solution to minimize costs. In the end, my idea was viable, and we successfully managed up to 1,000 PCs through a single server—so it’s definitely doable!
If you're referring to Entra ID GSA, you could just use IPsec with SAML on your Fortigate firewall. This setup gives you MFA alongside VPN access at no extra cost! Plus, I don’t think you even need a P1 license for that. That might save some money!
That's good to know! Just to clarify, do you still get updates for the free version of FortiClient?
Exactly! If your workloads are mostly in the cloud, then GSA can be pretty nifty once you sort out your remote support. But if you still rely on a traditional setup with a lot of hybrid connections, you might end up better off sticking with a classic VPN for now.