Use the port-forward command in webvpn mode to enable WebVPN application access for this user or group policy. To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, use the no form of this command. The no option allows inheritance of a list from another group policy. To prevent inheriting a port forwarding list, use the port-forward none command.
The listname value identifies the list of applications WebVPN users can access.
Before the port-forward command can be used in webvpn mode to enable application access, a list of applications that users are able to use in a WebVPN connection must be configured. Use the port-forward command in global configuration mode to define this list.
Port forwarding provides mapping information that the Adaptive
Security Appliance adds to the Hosts file on the PC of the end user as the
application opens. This mapping information lets the PC connect to the server
at the central site that supports the desired application.
Port forwarding can work only if the applications on remote servers are uniquely identified, and therefore reachable, either by hostname or by IP address and port. Keep the following in mind when configuring port forwarding:
- Hostnames, correctly defined on the Adaptive Security Appliance, are
constant, and are by definition unique. The use of hostnames is
recommended.
- IP addresses change depending on the location of the end user relative to
the remote server. If the remote server is identified by IP address, users must
reconfigure the application on their PC each time they change location.
Use the port-forward command in global configuration mode to configure the set of applications that WebVPN users can access over forwarded TCP ports. To configure access to multiple applications, use this command with the same listname multiple times, once for each application. To remove an entire configured list, use the no port-forward listname command. To remove a configured application, use the no port-forward listname localport command. The remoteserver and remoteport parameters do not need to be included in the command.
To allow access to particular TCP port forwarding applications for a specific user or group policy, use the listname that is created here with the port-forward command in webvpn mode.
The example in Figure contrasts configuring port forwarding using DNS names versus IP addresses. Keep the following in mind:
- If IP addresses are used, users need to have client applications point to a
127.0.0.1 address and local port that can vary from location to location when
connecting over WebVPN. They must reconfigure applications to a real IP address
and port when they connect locally.
- If hostnames are used, users can set their client applications to connect
to the real hostname and TCP port for both remote WebVPN and directly connected
sessions.
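The following added example (not from the original page) ties the two steps together: it defines a port forwarding list in global configuration mode, assigns it to a group policy in webvpn mode, and shows the hostname and IP-address forms side by side. The list name SalesApps, the policy name SalesPolicy, the server names and addresses are constructed placeholders; the exact keyword layout (value listname) is assumed from the description above.

```cisco
! Step 1 - global configuration mode: build the list, one command per application.
! Syntax assumed: port-forward listname localport remoteserver remoteport description
! Entries keyed by hostname: the client points at the real hostname and TCP port,
! and the Hosts file mapping added by the appliance makes it work over WebVPN and locally.
hostname(config)# port-forward SalesApps 2023 mail.example.com 23 "Telnet to mail server (hostname)"
hostname(config)# port-forward SalesApps 2110 mail.example.com 110 "POP3 to mail server (hostname)"
! Entry keyed by IP address: the client must point at 127.0.0.1:2025 over WebVPN
! and be reconfigured to 10.20.30.40:25 when connected locally.
hostname(config)# port-forward SalesApps 2025 10.20.30.40 25 "SMTP by IP address (placeholder)"

! Step 2 - group-policy webvpn mode: grant the list to a specific policy.
hostname(config)# group-policy SalesPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# port-forward value SalesApps

! Removing pieces later:
! one application - only listname and localport are needed, not remoteserver/remoteport
hostname(config)# no port-forward SalesApps 2025
! the whole list
hostname(config)# no port-forward SalesApps
! block inheritance of any list from another group policy
hostname(config-group-webvpn)# port-forward none
! clear the attribute (including the none value) so inheritance resumes
hostname(config-group-webvpn)# no port-forward
```

Prefer the hostname entries: they keep the client configuration identical whether the user connects through WebVPN or from inside the network, which removes the per-location reconfiguration the IP-address entry requires.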