Configure the Adaptive Security Appliance to Support WebVPN
Configure WebVPN port forwarding

Use the port-forward command in webvpn mode to enable WebVPN application access for this user or group policy. To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, use the no form of this command. The no option allows inheritance of a list from another group policy. To prevent inheriting a port forwarding list, use the port-forward none command.

The listname value identifies the list of applications WebVPN users can access. Before the port-forward command can be used in webvpn mode to enable application access, a list of applications that users are able to use in a WebVPN connection must be configured. Use the port-forward command in global configuration mode to define this list.

Port forwarding provides mapping information that the Adaptive Security Appliance adds to the Hosts file on the PC of the end user as the application opens. This mapping information lets the PC connect to the server at the central site that supports the desired application.

Port forwarding can work only if the applications on remote servers are uniquely identified, and therefore reachable, either by hostname or by IP address and port. Keep the following in mind when configuring port forwarding:

  • Hostnames, correctly defined on the Adaptive Security Appliance, are constant, and are by definition unique. The use of hostnames is recommended.
  • IP addresses change depending on the location of the end user relative to the remote server. If the remote server is identified by IP address, users must reconfigure the application on their PC each time they change location.

Use the port-forward command in global configuration mode to configure the set of applications that WebVPN users can access over forwarded TCP ports. To configure access to multiple applications, use this command with the same listname multiple times, once for each application. To remove an entire configured list, use the no port-forward listname command. To remove a configured application, use the no port-forward listname localport command. The remoteserver and remoteport parameters do not need to be included in the command.

To allow access to particular TCP port forwarding applications for a specific user or group policy, use the listname that is created here with the port-forward command in webvpn mode.

The example in Figure contrasts configuring port forwarding using DNS names versus IP addresses.

Keep the following in mind:

  • If IP addresses are used, users need to have client applications point to a 127.0.0.1 address and local port that can vary from location to location when connecting over WebVPN. They must reconfigure applications to a real IP address and port when they connect locally.
  • If hostnames are used, users can set their client applications to connect to the real hostname and TCP port for both remote WebVPN and directly connected sessions.
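
The following configuration fragment is an added example, not taken from the original page or from Cisco documentation; it puts the global-configuration list definition, the hostname-versus-IP-address contrast, and the webvpn-mode assignment described above into one sequence. The list names, group-policy names, hostnames and addresses are placeholders.

```text
! Global configuration mode: define the list of forwarded applications.
! Syntax: port-forward <listname> <localport> <remoteserver> <remoteport> [description]
!
! Preferred form: identify the remote server by hostname. The local port matches the
! real service port, so the client keeps pointing at mail.example.com:143 whether it
! connects through WebVPN or directly on the internal network.
port-forward SalesApps 143 mail.example.com 143 IMAP
port-forward SalesApps 22 gateway.example.com 22 SSH
!
! Alternative form: identify the remote server by IP address. The client must then be
! repointed at 127.0.0.1:20143 over WebVPN and back to 192.0.2.25:143 when local.
port-forward SalesAppsByIP 20143 192.0.2.25 143 IMAP
!
! webvpn mode under a group policy: grant this policy's users the hostname-based list.
group-policy SalesPolicy attributes
 webvpn
  port-forward value SalesApps
!
! A policy that must not inherit any port forwarding list from another group policy.
group-policy ContractorPolicy attributes
 webvpn
  port-forward none
!
! Cleanup: remove one application (remoteserver and remoteport are not needed),
! then remove the entire list.
no port-forward SalesAppsByIP 20143
no port-forward SalesAppsByIP
```

Because the hostname form relies on the appliance resolving mail.example.com and gateway.example.com, confirm those names are correctly defined on the Adaptive Security Appliance before assigning the list.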