I need to make my SSL VPN client communicate bi-directionally with internal servers.
I found that I can allow all ports to the servers for bi-directional communication.
But I don't want the clients to be allowed all ports to the servers.
So, how can I restrict the clients to specific bi-directional communication with the servers?
This is not possible, as you found.
The ACL is for both inbound and outbound traffic; you would need to allow all ports on the SA and then filter outbound ports on the internal firewall. This will allow the client access to the required ports but block all others to the allowed destinations; it will also allow the inbound connections (which will use any port).
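The two-layer design described in the answer above, as an added model that is not part of the thread and not Juniper's own configuration or code: the SA/Network Connect ACL permits every port between the NC pool and the servers (and, as the answer states, matches either direction), while a stateful internal firewall narrows what the clients may initiate to a fixed port list and still lets the servers open any port towards the clients. The addresses, the pool, the allowed ports and the rule layout are assumptions chosen for illustration; how a given SA firmware actually evaluates its ACL should be verified on the device itself.

```python
"""Model of 'allow all ports on the SA, filter on the internal firewall'.

Everything here is an assumption for illustration: the NC DHCP pool, the
server subnet and the client-initiated port list are invented values, and
the ACL semantics follow the description given in the answer.
"""
import ipaddress
from dataclasses import dataclass

NC_POOL = ipaddress.ip_network("10.200.0.0/24")   # assumed Network Connect DHCP pool
SERVERS = ipaddress.ip_network("10.10.5.0/24")    # assumed internal server subnet
CLIENT_INITIATED_PORTS = {3389, 445}              # assumed: clients may open RDP and SMB only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 50000
    syn: bool = True   # True = first packet of a new TCP connection


def sa_acl_permits(pkt: Packet) -> bool:
    """SA / Network Connect ACL as described in the answer: any port is
    allowed between the pool and the servers, and the rule matches traffic
    in either direction (so inbound server-initiated connections pass too)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (s in NC_POOL and d in SERVERS) or (s in SERVERS and d in NC_POOL)


class InternalFirewall:
    """Stateful firewall sitting between the SA and the server subnet."""

    def __init__(self):
        self.conns = set()   # accepted connections as (src, sport, dst, dport)

    def permits(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an already accepted connection pass in both directions.
        if key in self.conns or reply in self.conns:
            return True
        if not pkt.syn:
            return False     # no state and not a connection attempt: drop
        # Clients may only open the listed ports on the servers.
        if s in NC_POOL and d in SERVERS and pkt.dport in CLIENT_INITIATED_PORTS:
            self.conns.add(key)
            return True
        # Servers may open any port on the VPN clients (the inbound case).
        if s in SERVERS and d in NC_POOL:
            self.conns.add(key)
            return True
        return False


def path_permits(fw: InternalFirewall, pkt: Packet) -> bool:
    """A packet must pass the SA ACL first, then the internal firewall."""
    return sa_acl_permits(pkt) and fw.permits(pkt)


def demo() -> dict:
    """Run a few constructed packets through both layers."""
    fw = InternalFirewall()
    client, server = "10.200.0.17", "10.10.5.20"
    return {
        # client opens RDP to the server: allowed by both layers
        "client_rdp": path_permits(fw, Packet(client, server, 3389)),
        # client tries SSH: SA ACL allows it, internal firewall blocks it
        "client_ssh": path_permits(fw, Packet(client, server, 22)),
        # server's reply inside the accepted RDP connection
        "rdp_reply": path_permits(fw, Packet(server, client, 50000, sport=3389, syn=False)),
        # server initiates a connection to the client on an arbitrary port
        "server_to_client_any": path_permits(fw, Packet(server, client, 4444, sport=40000)),
        # host outside the NC pool never reaches the internal firewall
        "client_outside_pool": path_permits(fw, Packet("10.200.1.9", server, 3389)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DROP'}")
```

The point the model makes visible is that port restriction happens only at the internal firewall: `sa_acl_permits` says yes to the SSH attempt, and it is `InternalFirewall.permits` that drops it, while the server-initiated connection passes both layers exactly as the answer says it will.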
You can do this. I looked into this a few years back so that a user could RDP into a Network Connected computer. You just have to specify the Network Connect DHCP pool in your Network Connect ACL. Instead of allowing access to internal servers, you're allowing access to remotely connected computers. It makes sense!