Configure WebVPN Port Forwarding

This topic covers how to configure WebVPN port forwarding.

Enable Port Forwarding for WebVPN Users

functions {file-access | file-browsing | file-entry | filter | url-entry | mapi | port-forward | none}

• Enables port forwarding for the group

fw1(config-group-webvpn)# functions port-forward

port-forward {value listname | none}

• Applies a predefined port forwarding list, configured with the global port-forward command, to the group

fw1(config-group-webvpn)# port-forward value Applications

Use the port-forward command in webvpn mode to enable WebVPN application access for this user or group policy. To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, use the no form of this command. The no option allows inheritance of a list from another group policy. To prevent inheriting a port forwarding list, use the port-forward none command.

The listname value identifies the list of applications that WebVPN users can access. Before you can use the port-forward command in webvpn mode to enable application access, you must define a list of applications that you want users to be able to use in a WebVPN connection. Use the port-forward command in global configuration mode to define this list.

port-forward Command

port-forward {listname localport remoteserver remoteport description}

• Defines the name of the port forwarding list

• Defines the local port for the WebVPN user

• Defines the actual server that the link accesses

• Defines the actual port that the link accesses

fw1(config)# port-forward Applications 23 23

With port forwarding, you provide mapping information that the security appliance adds to the hosts file on the user's PC as the application opens. This mapping information lets the PC connect to the server at the central site that supports the desired application.

Port forwarding can work only if the applications on remote servers are uniquely identified, and therefore reachable, either by hostname or by IP address and port. Keep the following in mind when configuring port forwarding:

■ Hostnames, correctly defined on the security appliance, are constant and are by definition unique.

Note: The use of hostnames is recommended.

■ IP addresses change depending on the end user's location relative to the remote server. If you identify the remote server by IP address, users must reconfigure the application on their PC each time they change location.

Use the port-forward command in global configuration mode to configure the set of applications that WebVPN users can access over forwarded TCP ports. To configure access to multiple applications, use this command with the same listname multiple times, once for each application. To remove an entire configured list, use the no port-forward listname command. To remove a configured application, use the no port-forward listname localport command (you need not include the remoteserver and remoteport parameters).

To allow access to particular TCP port forwarding applications for a specific user or group policy, use the listname you create here with the port-forward command in webvpn mode.

port-forward {listname localport remoteserver remoteport description}

listname      Groups the set of applications (forwarded TCP ports) that WebVPN users can access. Maximum 64 characters.

localport     Specifies the local port that listens for TCP traffic for an application. You can use a local port number only once for a listname. To avoid conflicts with local TCP services, use port numbers in the range of 1024 to 65535.

remoteserver  Provides the Domain Name System (DNS) name or IP address of the remote server for an application. We recommend using DNS names.

remoteport    Specifies the port on the remote server to which this application will connect.

description   Provides the application name or short description that appears on the end user's port forwarding Java applet screen. Maximum 64 characters.
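A complete configuration that walks through the procedure described above, added here as an example and not taken from the original text: the list is first defined in global configuration mode, one entry per application, and is then attached to a group policy in webvpn mode. The list name Applications, the hostnames, the local and remote ports, and the group-policy names Engineering and Contractors are constructed; the group-policy ... attributes command used to reach webvpn mode is not shown on this page and is assumed from the standard ASA group-policy syntax.

```cisco
! Added example; every name, hostname and port here is constructed.
! Step 1 (global configuration mode): define the list, one command per
! application. Local ports stay inside 1024-65535 to avoid clashing with
! local TCP services, and servers are given by DNS name, as recommended.
fw1(config)# port-forward Applications 2023 term.example.com 23 Telnet
fw1(config)# port-forward Applications 2022 shell.example.com 22 SSH
fw1(config)# port-forward Applications 2143 mail.example.com 143 IMAP
fw1(config)# port-forward Applications 2025 mail.example.com 25 SMTP
!
! Step 2 (webvpn mode of the group policy): enable the port-forward
! function, then attach the list. The group-policy ... attributes command
! is assumed; the page shows only the resulting webvpn-mode prompt.
fw1(config)# group-policy Engineering attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# functions port-forward
fw1(config-group-webvpn)# port-forward value Applications
fw1(config-group-webvpn)# exit
fw1(config-group-policy)# exit
!
! A group that must not inherit a list from another policy gets an
! explicit null value instead of no setting at all.
fw1(config)# group-policy Contractors attributes
fw1(config-group-policy)# webvpn
fw1(config-group-webvpn)# port-forward none
fw1(config-group-webvpn)# exit
fw1(config-group-policy)# exit
!
! Removing one application needs only listname and localport;
! removing the whole list needs only the listname.
fw1(config)# no port-forward Applications 2025
fw1(config)# no port-forward Applications
```

Because each remote server is given by DNS name, the mapping the appliance installs on the user's PC lets the user keep the application's existing server setting; had an IP address been used instead, the user would have to repoint the application each time they change location, as the text notes. The `port-forward none` entry on the Contractors policy matters for least privilege: without it, that group would inherit whatever list another group policy carries.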

