Why Port Forwarding; Port Forwarding Restrictions - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Chapter 37
Configuring Clientless SSL VPN
TELNET
Windows Terminal Service
XDDTS

Other TCP-based applications may also work, but we have not tested them. Protocols that use UDP do not work.

Why Port Forwarding?

Port forwarding is the legacy technology for supporting Winsock 2, TCP-based applications over a clientless SSL VPN connection. With port forwarding, remote users may need administrator privileges to connect the local application to the local port.

With Release 8.0(2), Cisco introduced two alternative technologies for supporting Winsock 2, TCP-based applications: plug-ins and smart tunnels. Plug-ins offer better performance and do not require the client application to be installed on the remote computer; however, a plug-in may not be available for the application you want to support. Smart tunnel access simplifies the user experience by not requiring the user to connect the local application to the local port. Therefore, smart tunnels do not require users to have administrator privileges.

As an administrator configuring port forwarding on the security appliance, you must specify the port the application uses; as an administrator configuring smart tunnel access, you must specify the name of the executable file.

You may choose to configure port forwarding because you have built earlier configurations that support this technology.

Port Forwarding Restrictions

The following restrictions apply to port forwarding:

Caution: Make sure Sun Microsystems Java™ Runtime Environment (JRE) 1.5.x or higher is installed on the remote computers to support port forwarding and digital certificates.

Port forwarding supports only TCP applications that use static TCP ports. Applications that use dynamic ports or multiple TCP ports are not supported. For example, SecureFTP, which uses port 22, works over clientless SSL VPN port forwarding, but standard FTP, which uses ports 20 and 21, does not.

The security appliance does not support the Microsoft Outlook Exchange (MAPI) proxy. Neither port forwarding nor the smart tunnel feature that provides application access through a clientless SSL VPN session supports MAPI. For Microsoft Outlook Exchange communication using the MAPI protocol, remote users must use AnyConnect.

A stateful failover does not retain sessions established using Application Access (either port forwarding or smart tunnel access). Users must reconnect following a failover.

Port forwarding does not support connections to personal digital assistants.

Because port forwarding requires downloading the Java applet and configuring the local client, and because doing so requires administrator privileges on the local system, it is unlikely that users will be able to use applications when they connect from public remote systems.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
Configuring Application Access
37-31
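As an added illustration (not Cisco's code, nor the Java applet the guide describes), the following Python sketches the mechanism behind a port-forwarding list entry: one static local TCP port on the user's machine relayed to one fixed remote server:port, with a loopback echo server standing in for the internal application. The relay copies an opaque byte stream, which is exactly why the restrictions above follow: it has no way to carry UDP or to follow a second, dynamically negotiated port such as FTP's data channel. Hosts and ports here are loopback placeholders, not values from the guide.

```python
import socket
import threading
from contextlib import suppress

def pipe(src, dst):
    # Relay one direction of a TCP byte stream until the source closes,
    # then pass the end-of-stream on so the far side sees it too.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        with suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def serve(port, handler):
    # Listen on 127.0.0.1:port (0 = any free port); run handler per connection.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen()
    def loop():
        with suppress(OSError):  # shutdown() of the listener ends the loop
            while True:
                conn, _ = listener.accept()
                threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return listener

def start_forwarder(local_port, remote_host, remote_port):
    # One port-forwarding list entry: a static local TCP port mapped to one fixed
    # remote server:port. The relay is protocol-agnostic, so it cannot follow a
    # second, dynamically negotiated port (FTP's data channel) or carry UDP.
    def relay(client):
        remote = socket.create_connection((remote_host, remote_port))
        threading.Thread(target=pipe, args=(remote, client), daemon=True).start()
        pipe(client, remote)
    return serve(local_port, relay)

def demo(payload=b"hello through the forwarded port"):
    # Constructed stand-in for the internal application server: an echo service.
    echo = serve(0, lambda conn: pipe(conn, conn))
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    # The local application only ever talks to 127.0.0.1:local_port.
    with socket.create_connection(("127.0.0.1", fwd.getsockname()[1])) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)
        received = b"".join(iter(lambda: app.recv(4096), b""))
    for listener in (fwd, echo):
        with suppress(OSError):
            listener.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        listener.close()
    return received
```

In a real deployment local_port would be the static port named in the port-forwarding list (for example 22 for SecureFTP), and the user's application would be pointed at localhost on that port.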
