Fortinet black logo

Handbook

Port forwarding mode

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:579014
Download PDF

While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.

SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.

The port forward module is implemented with a Java applet, which is downloaded and runs on the user’s computer. The applet provides the up-to-date status information such as addressing and bytes sent and received.

On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.

note icon

The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.

This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.

Application support

With Citrix application servers, the server downloads an ICA configuration file to the user’s PC. The client application uses this information to connect to the Citrix server. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to ‘localhost’. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. When configuring the port forwarding module, a selection is available for Citrix servers.

For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform

Model

FortiGate

80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C

FortiGate-Rugged

90D

FortiWiFi

92D

Antivirus and firewall host compatibility

The following tables list the antivirus and firewall client software packages that are supported in FortiOS.

Supported Windows XP antivirus and firewall software

Product supported

Antivirus

Firewall

Symantec Endpoint Protection V11

Kaspersky Antivirus 2009

McAfee Security Center v8.1

Trend Micro Internet Security Pro

F-Secure Internet Security 2009

Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product supported

Antivirus

Firewall

CA Internet Security 2011

AVG Internet Security 2011

F-Secure Internet Security 2011

Kaspersky Internet Security 2011

McAfee Internet Security 2011

Norton 360TM Version 4.0

NortonTM Internet Security 2011

Panda Internet Security 2011

Sophos Security Suite

Trend Micro Titanium Internet Security

ZoneAlarm Security Suite

Symantec Endpoint Protection Small Business Edition 12.0

While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.

SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.

The port forward module is implemented with a Java applet, which is downloaded and runs on the user’s computer. The applet provides the up-to-date status information such as addressing and bytes sent and received.

On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.

note icon

The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.

This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.

Application support

With Citrix application servers, the server downloads an ICA configuration file to the user’s PC. The client application uses this information to connect to the Citrix server. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to ‘localhost’. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. When configuring the port forwarding module, a selection is available for Citrix servers.

For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.

Note that the RDP/VNC web portals are not supported for the following platforms:

Platform

Model

FortiGate

80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C, 3240C, 3600C, and 5001C

FortiGate-Rugged

90D

FortiWiFi

92D

Antivirus and firewall host compatibility

The following tables list the antivirus and firewall client software packages that are supported in FortiOS.

Supported Windows XP antivirus and firewall software

Product supported

Antivirus

Firewall

Symantec Endpoint Protection V11

Kaspersky Antivirus 2009

McAfee Security Center v8.1

Trend Micro Internet Security Pro

F-Secure Internet Security 2009

Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product supported

Antivirus

Firewall

CA Internet Security 2011

AVG Internet Security 2011

F-Secure Internet Security 2011

Kaspersky Internet Security 2011

McAfee Internet Security 2011

Norton 360TM Version 4.0

NortonTM Internet Security 2011

Panda Internet Security 2011

Sophos Security Suite

Trend Micro Titanium Internet Security

ZoneAlarm Security Suite

Symantec Endpoint Protection Small Business Edition 12.0