Forticlient setting for SSL-VPN "preferred DTLS tunnel", 99% of traffic is RDP

Hello

While using a 100E for 50 users of SSL-VPN, what is the best FortiClient setting for “preferred DTLS tunnel” when 99% of traffic is RDP:
on or off? Some people say “on if high-speed internet, off if low-speed internet” without saying what high-speed or low-speed is.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-DTLS-to-improve-SSL-VPN-performance/ta-p/193881 makes it sound like it is a good idea to have it enabled all the time, everywhere?

What do you think?

Bye

DTLS will be a much smoother/faster experience, especially for remote desktop.

Sounds like a much better idea to disable it entirely and use IPsec …

I had to disable it entirely as we had so many users with weird issues when DTLS is on.

DTLS encrypts SSL-VPN traffic like normal TCP, but transports it over UDP so that TCP is not encapsulated over TCP, which helps avoid the retransmission problems that occur with TCP. It can improve stability and performance.
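Added here as an example, not from the thread: the gateway-side FortiOS settings that the FortiClient "preferred DTLS tunnel" option depends on, since the client can only use DTLS if the FortiGate offers it (FortiOS 7.x CLI syntax assumed; the port value is illustrative).

```fortios
# Added example (not the poster's config): FortiGate side of the DTLS decision.
# FortiClient's "Preferred DTLS Tunnel" only takes effect if the gateway offers
# DTLS; if the DTLS handshake fails the client stays on the TCP/TLS tunnel.
config vpn ssl settings
    set port 443                  # SSL-VPN listener; DTLS uses UDP on the SAME port
    set dtls-tunnel enable        # offer the UDP/DTLS data path to clients
    set dtls-min-proto-ver dtls1-2
    set dtls-max-proto-ver dtls1-2
    set dtls-hello-timeout 10     # seconds to wait for the DTLS handshake before
                                  # falling back to the TCP tunnel (default 10)
end
```

Because the data path is UDP on the SSL-VPN port rather than TCP, a path that passes only TCP leaves clients on the TCP fallback, so checking UDP reachability to that port is the first step when users report DTLS-related disconnects.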

I can’t remember the details, but if you have any Mac clients, this setting does bad things to their VPN experience. I forget if it’s off or on, but one way is bad news for Mac.

It truly is, but IPsec keeps getting blocked a lot by ISPs. For a customer I have, their contractors in India have more of an issue than the US-based ones, but even here, particularly if someone is on a hotspot, a lot of times IPsec is blocked there too. (And sometimes Spectrum is a real PITA…)

Doing the new TCP IPsec on the FortiGate/FortiClient requires both being on current 7.4. For me, as soon as the FortiCloud EMS upgrades to 7.4, I’m flipping ASAP to TCP IPsec and killing SSL.

I’ve turned it off on Mac. Sometimes it’d just immediately disconnect after connecting.

Tru dat. I don’t understand why IPsec is blocked in so many places tho.

Also - can’t you force NAT-T and stick it all on udp/4500?

It’s not IPsec itself that’s blocked. It’s UDP traffic.