SSL WEB Application

L2TP/IPSEC would be the best VPN to implement when an application for SSL VPN cannot be installed or if you want to use the native VPN client built-in to the operating system. For instance, I've configured the L2TP over IPSEC VPN so that I can connect to my local network through my android over cellular network through the ZYXEL. Always on VPN works in this config. I am still using a ZYXEL USG60. There are instructions provided by ZYXEL on how to set up L2TP over IPSEC

If you require port 443 open for an SSL web application, and you still must use SSL VPN, then you must configure the SSL port in the ZYXEL's web server to a different port, and then configure SecuExtender to use the other new port. This way port 443 can be forwarded to your actual web server and not the ZYWALL itself. Keep in the mind that you need to adjust your Security Policy for the new port plus the NAT rule.
NOTE:I don't recommend this approach due to the SecuExtender for MAC having a glitch in the address port suffix but it still works. More importantly, the whole point in using VPN over SSL is for compatibility in public places that only permit port 443, such as an airport