
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
67-23
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 67 Clientless SSL VPN
Configuring Port Forwarding
When configuring port forwarding on the adaptive security appliance, you specify the port the
application uses. When configuring smart tunnel access, you specify the name of the executable file or
its path.
Port Forwarding Requirements and Restrictions
In addition to the requirements in the “Understanding Clientless SSL VPN System Requirements”
section on page 67-3, the following requirements and limitations apply to smart tunnel access on
Windows:
• The remote host must be running a 32-bit version of one of the following:
    - Microsoft Windows Vista and Windows XP SP2 or SP3.
    - Apple Mac OS X 10.5 with Safari 2.0.4(419.3).
    - Fedora Core 4

• Browser-based users of Safari on Mac OS X 10.5.3 must identify a client certificate for use with the URL of the adaptive security appliance, once with the trailing slash and once without it, because of the way Safari interprets URLs. For example,
    https://example.com/
    https://example.com
  For details, go to the Safari, Mac OS X 10.5.3: Changes in client certificate authentication.

• Users of Microsoft Windows Vista who use port forwarding or smart tunnels must add the URL of the ASA to the Trusted Site zone. To access the Trusted Site zone, they must start Internet Explorer and choose the Tools > Internet Options > Security tab. Vista users can also disable Protected Mode to facilitate smart tunnel access; however, we recommend against this method because it increases the computer’s vulnerability to attack.

• Port forwarding supports only TCP applications that use static TCP ports. Applications that use dynamic ports or multiple TCP ports are not supported. For example, SecureFTP, which uses port 22, works over clientless SSL VPN port forwarding, but standard FTP, which uses ports 20 and 21, does not.

• Port forwarding does not support protocols that use UDP.

• The security appliance does not support the Microsoft Outlook Exchange (MAPI) proxy. For Microsoft Outlook Exchange communication using the MAPI protocol, remote users must use AnyConnect.

• A stateful failover does not retain sessions established using Application Access (either port forwarding or smart tunnel access). Users must reconnect following a failover.

• Port forwarding does not support connections to personal digital assistants.

• Port forwarding requires Sun JRE 5, Update 1.4 or later (JRE 6 or later recommended) to be enabled on the browser.

  Caution: If JRE 1.4.x is running and the user authenticates with a digital certificate, the application fails to start because JRE cannot access the web browser certificate store.

• Because port forwarding requires downloading the Java applet and configuring the local client, and because doing so requires administrator permissions on the local system, it is unlikely that users will be able to use applications when they connect from public remote systems.
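
The port and protocol restrictions above can be checked against an application inventory before port forwarding is offered to users. The following Python script is an added example, not part of the Cisco guide; the inventory format, the application names, and the name-based MAPI check are assumptions of this example.

```python
SAMPLE_INVENTORY = """\
# name        transport  ports   (constructed sample data)
secureftp     tcp        22
ftp           tcp        20,21
tftp          udp        69
rpc-app       tcp        dynamic
outlook-mapi  tcp        135
"""

def parse_ports(spec):
    """Return a sorted list of ports, or None when the spec is 'dynamic'."""
    if spec.lower() == "dynamic":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def check_app(name, transport, port_spec):
    """Return the restrictions an application violates (empty list = eligible)."""
    problems = []
    if transport.lower() != "tcp":
        problems.append(f"transport {transport.upper()} is not TCP")
    ports = parse_ports(port_spec)
    if ports is None:
        problems.append("uses dynamic ports")
    elif len(ports) > 1:
        problems.append("uses multiple ports")
    # Assumption: MAPI clients are identified by "mapi" in the inventory name.
    if "mapi" in name.lower():
        problems.append("MAPI proxy not supported; use AnyConnect")
    return problems

def audit(inventory):
    """Map each application name to its list of violated restrictions."""
    results = {}
    for line in inventory.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            results[fields[0]] = check_app(*fields)
    return results

if __name__ == "__main__":
    for app, problems in audit(SAMPLE_INVENTORY).items():
        print(f"{app:13}", "; ".join(problems) or "eligible")
```

Applications that report one or more violations need a different access method, such as AnyConnect, which the guide names for MAPI.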
