Filter
Top Products
38-20
Cisco ASDM User Guide
OL-16647-01
Chapter 38 Clientless SSL VPN
Port Forwarding
Requirements and Restrictions
The following restrictions apply to port forwarding:
• The remote host must be running a 32-bit version of one of the following:
–
Microsoft Windows Vista, Windows XP SP2 or SP3; or Windows 2000 SP4.
–
Apple Mac OS X 10.4 or 10.5 with Safari 2.0.4(419.3).
–
Fedora Core 4
• The remote host must also be running Sun JRE 1.5 or later.
• Browser-based users of Safari on Mac OS X 10.5.3 must identify a client certificate for use with the
URL of the security appliance, once with the trailing slash and once without it, because of the way
Safari interprets URLs. For example,
–
https://example.com/
–
https://example.com
For details, go to the Safari, Mac OS X 10.5.3: Changes in client certificate authentication.
• Users of Microsoft Windows Vista who use port forwarding or smart tunnels must add the URL of
the ASA to the Trusted Site zone. To access the Trusted Site zone, they must start Internet Explorer
and choose the Tools > Internet Options > Security tab. Vista users can also disable Protected
Mode to facilitate smart tunnel access; however, we recommend against this method because it
increases the computer’s vulnerability to attack.
• Port forwarding supports only TCP applications that use static TCP ports. Applications that use
dynamic ports or multiple TCP ports are not supported. For example, SecureFTP, which uses port
22, works over clientless SSL VPN port forwarding, but standard FTP, which uses ports 20 and 21,
does not.
• Port forwarding does not support protocols that use UDP.
• The security appliance does not support the Microsoft Outlook Exchange (MAPI) proxy. For
Microsoft Outlook Exchange communication using the MAPI protocol, remote users must use
AnyConnect.
• A stateful failover does not retain sessions established using Application Access (either port
forwarding or smart tunnel access). Users must reconnect following a failover.
• Port forwarding does not support connections to personal digital assistants.
• Because port forwarding requires downloading the Java applet and configuring the local client, and
because doing so requires administrator permissions on the local system, it is unlikely that users will
be able to use applications when they connect from public remote systems.
Caution Make sure Sun Microsystems Java Runtime Environment (JRE) 1.5.x or later is installed on the remote
computers to support port forwarding (application access) and digital certificates. If JRE 1.4.x is running
and the user authenticates with a digital certificate, the application fails to start because JRE cannot
access the web browser certificate store.
The Java applet displays in its own window on the end user HTML interface. It shows the contents
of the list of forwarded ports available to the user, as well as which ports are active, and amount of
traffic in bytes sent and received.