Port forwarding mode
While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.
SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.
The port forward module is implemented as a Java applet that is downloaded to and runs on the user's computer. The applet provides up-to-date status information, such as addressing and bytes sent and received.
On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.
|The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.|
This mode supports only client/server applications that use a static TCP port. It does not support client/server applications that use dynamic ports, or traffic over UDP.
For information on configuring a port forward tunnel, see Basic configuration.
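The mechanism described above (a loopback listener on the user's PC, a bookmark that names the server, its port and the local listen port, and the static-TCP-only restriction) modelled as an added example. This is illustrative code written for this page, not Fortinet's Java applet or any FortiOS code: the bookmark field names are assumptions, the relay leg connects straight to the server instead of being encrypted to a FortiGate, and the application server is a constructed echo server so the whole thing runs offline.

```python
import socket
import threading
from dataclasses import dataclass

LOOPBACK = "127.0.0.1"  # the port forward module only ever listens on the user's own machine


@dataclass(frozen=True)
class PortForwardBookmark:
    """The fields the page says a bookmark defines (field names are assumptions)."""
    name: str
    server_host: str   # application server the FortiGate forwards to
    server_port: int   # static TCP port of that server
    listen_port: int   # local port the client application is re-pointed at
    protocol: str = "tcp"


def validate_bookmark(bookmark: PortForwardBookmark) -> list:
    """Reasons a bookmark is unusable; empty list means it is acceptable.

    Encodes the page's constraint: only a fixed TCP port is supported,
    never UDP and never a dynamically negotiated port.
    """
    problems = []
    if bookmark.protocol.lower() != "tcp":
        problems.append(f"{bookmark.name}: protocol {bookmark.protocol!r} not supported, TCP only")
    for label, port in (("server port", bookmark.server_port), ("listen port", bookmark.listen_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{bookmark.name}: {label} {port} is not a fixed, valid TCP port")
    return problems


class LocalPortForwarder:
    """Loopback listener that relays a client application's TCP stream to the server.

    The product encrypts this relay leg to the FortiGate; this model skips that hop.
    """

    def __init__(self, bookmark: PortForwardBookmark):
        problems = validate_bookmark(bookmark)
        if problems:
            raise ValueError("; ".join(problems))
        self.bookmark = bookmark
        self._lock = threading.Lock()
        self.bytes_sent = 0       # client -> server, the counters the applet's status shows
        self.bytes_received = 0   # server -> client
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((LOOPBACK, bookmark.listen_port))  # never a routable address
        self._listener.listen(5)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _pump(self, src: socket.socket, dst: socket.socket, direction: str) -> None:
        """Copy bytes one way until src closes, then half-close dst so the peer sees EOF."""
        try:
            while True:
                chunk = src.recv(4096)
                if not chunk:
                    break
                dst.sendall(chunk)
                with self._lock:
                    if direction == "sent":
                        self.bytes_sent += len(chunk)
                    else:
                        self.bytes_received += len(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection((self.bookmark.server_host, self.bookmark.server_port))
            threading.Thread(target=self._pump, args=(client, upstream, "sent"), daemon=True).start()
            threading.Thread(target=self._pump, args=(upstream, client, "received"), daemon=True).start()

    def close(self) -> None:
        self._listener.close()


def start_echo_server() -> int:
    """Constructed stand-in for the application server; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def run_demo(payload: bytes = b"STAT\r\n") -> dict:
    """Point a 'client application' at the local proxy and check the bytes round-trip."""
    bookmark = PortForwardBookmark("pop3-demo", LOOPBACK, start_echo_server(), free_port())
    forwarder = LocalPortForwarder(bookmark)
    with socket.create_connection((LOOPBACK, bookmark.listen_port)) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)
        echoed = b""
        while chunk := app.recv(4096):
            echoed += chunk
    forwarder.close()
    return {"echoed": echoed, "bytes_sent": forwarder.bytes_sent, "bytes_received": forwarder.bytes_received}


if __name__ == "__main__":
    print(run_demo())
```

The validator is the part worth keeping in mind when a bookmark "does not work": an application that negotiates a second data port (or speaks UDP) will pass its first connection through the loopback listener and then fail on the port the bookmark never covered.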
With Citrix application servers, the server downloads an ICA configuration file to the user's PC, and the client application uses this information to connect to the Citrix server. The FortiGate unit reads this file and appends a SOCKS entry that sets the SOCKS proxy to 'localhost', so the Citrix client connects through the SSL VPN port forward module. When configuring the port forwarding module, a selection is available for Citrix servers.
For Windows Remote Desktop Connections, when the RDP option is selected, the tunnel launches the RDP client and connects it to the local loopback address once the port forward module has been initiated.
|RDP Native, in some instances, may not be supported. If this is the case, use Internet Explorer and disable ActiveX Filtering.|
Antivirus and firewall host compatibility
The following tables list the antivirus and firewall client software packages that are supported in FortiOS.
Supported Windows XP antivirus and firewall software
|Product||Antivirus||Firewall|
|Symantec Endpoint Protection V11||•||•|
|Kaspersky Antivirus 2009||•||
|McAfee Security Center v8.1||•||•|
|Trend Micro Internet Security Pro||•||•|
|F-Secure Internet Security 2009||•||•|
Supported Windows 7 32-bit and 64-bit antivirus and firewall software
|Product||Antivirus||Firewall|
|CA Internet Security 2011||•||•|
|AVG Internet Security 2011||||
|F-Secure Internet Security 2011||•||•|
|Kaspersky Internet Security 2011||•||•|
|McAfee Internet Security 2011||•||•|
|Norton 360™ Version 4.0||•||•|
|Norton™ Internet Security 2011||•||•|
|Panda Internet Security 2011||•||•|
|Sophos Security Suite||•||•|
|Trend Micro Titanium Internet Security||•||•|
|ZoneAlarm Security Suite||•||•|
|Symantec Endpoint Protection Small Business Edition 12.0||•||•|