Business & Technology

Client vs. Clientless Zero Trust Network Access

By Peter Newton | November 03, 2021

Zero-trust network access (ZTNA) is the next evolution of VPN remote access. It simplifies secure connectivity, providing seamless access to applications no matter where the user or the application may be located.

Although ZTNA is commonly thought of as a cloud-only feature or part of a SASE solution, that perception is incorrect. Vendors actually have adopted two primary approaches to implementing ZTNA in their products and services: client-initiated and service-initiated. Sometimes called endpoint-initiated ZTNA, the client-initiated ZTNA model uses an agent on a device to create a secure tunnel. 

The service-initiated or "clientless" ZTNA model uses a reverse-proxy architecture. The biggest difference from client-initiated ZTNA is that it doesn't require an endpoint agent. Clientless ZTNA uses a browser plug-in to create a secure tunnel and perform the device assessment and posture check.

The Disadvantages of Clientless ZTNA

This biggest limitation of clientless ZTNA is that it only supports cloud-based applications. Because the application’s protocols must be based on HTTP/HTTPS, it limits the approach to web applications and protocols, such as Secure Shell (SSH) or Remote Desktop Protocol (RDP) over HTTP. Although a few newer vendors are offering additional protocol support, the model is not suited to companies that have a combination of hybrid cloud and on-premises applications.

Because users don't have an agent, they must download a browser plug in before they connect to ZTNA. Rather than residing locally, the software has to download every time they connect, which slows down and degrades the user experience. From an IT perspective, clientless ZTNA also doesn't offer the same level of control or visibility as an agent that's loaded on the device. Visibility is even more important when you consider that part of ZTNA admission is evaluating the posture of the device and its vulnerability state. With clientless ZTNA, you can only see what's happening on the Internet, so you have no visibility into what the laptop is doing. If there's a security event or problem, you can't tell.

The Advantages of Client Based ZTNA

The biggest advantage of client based ZTNA is the converse of the clientless approach. With a client-based solution, ZTNA works whether you're accessing cloud-based or on-premises resources. For a variety of reasons, many organizations don't just have cloud-only deployments or a traditional data center network. Hybrid networks that include both on-premises and cloud environments are the new norm because cloud is good for flexible, non-predictable workloads, and on-premises works well for stable workloads and offers better total cost of ownership. 

With a ZTNA agent, a piece of software is loaded on a device, such as FortiClient loaded on your laptop. Using an agent like FortiClient makes the ZTNA user experience seamless. They launch the app they want to access and the client-based agent works in the background to connect securely.

From an IT standpoint, client based ZTNA offers better visibility and control of devices. And, you can perform application firewalling within the agent. So, if a security issue is detected, a file can be sent to the sandbox or quarantine can be requested.

Turning on ZTNA

For existing Fortinet customers already using the FortiClient agent, migration is easy. Assuming your FortiClient is running FortiOS 7.0, you just need to turn on ZTNA. There is no cost or extra license required to migrate to ZTNA. And it's easy to move to ZTNA from VPN in a controlled manner by simply changing a few settings. For example, you can migrate only a small segment of your employees at a time if you need to roll-out slowly. Because ZTNA is built into the operating system, you can move to ZTNA when you're ready at the pace that you want. 

Another advantage is that because ZTNA is built into FortiOS 7.0, you can turn it on in your FortiGate firewalls as well. The addition of ZTNA to firewalls is a great step forward for remote access and on-premises security. Because networks have many edges, people often need to access resources outside of a traditional network. Because of this, trust can’t be granted based on location anymore as it is with a VPN. Including ZTNA in firewalls offers a flexible implementation of ZTNA that's ideal for today’s hybrid environments because it offers consistent policy for on-premises, private cloud, and public cloud.

Setting up a comprehensive agent and firewall-based ZTNA implementation offers better control and a far better user experience than cloud-only options. Over time, ZTNA will be expected to be part of any complete security offering, both on-premises and in the cloud. Now is a good time to begin.

Discover how Fortinet’s Zero-Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network.