

HTTPS website

Hello everyone,

We are going to publish an HTTPS website through Cyberoam UTM. As you know, we always create a new Virtual Host for publishing a new service for internet users. But in this scenario, we have encryption considerations. In such scenarios, we need to generate a CSR and install the issued certificate. The question is: where should we generate the CSR and install the certificate? Cyberoam or the server?

For clarification: I've read that if we are going to use WAF, we are supposed to generate the CSR and install the certificate on Cyberoam (everything would be done on the UTM). But if we use a Virtual Host (port forwarding), everything (CSR and installation) must be done on the server.


Am I right? Or...



  • Hi  

    To generate a CSR, please refer to the article: https://community.sophos.com/kb/en-us/130669

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi  

    Yes, for a virtual host the suggestion is to do everything on the server (instead of the firewall), and once the VH is created on Cyberoam, do not enable HTTP/S scanning on the WAN-to-respective-zone rule for that particular VH. So the end user browsing the website will get your server certificate (not the firewall one).

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello  ,

    Thanks for replying. 

    Could you please describe the operation of AV scanning, including HTTP/HTTPS scanning? I thought this feature scans HTTP and HTTPS, IM scanning and ... packets for threats and malware. Which features do you suggest activating on Virtual Host rules? (Imagine we want to publish web services, RDP and ....)

  • Dear  , 

    I know how to generate a CSR and import certificates. The question is: when must we generate the CSR and install certificates on firewalls?

  • Hi  

    When SSL content inspection for HTTPS traffic is enabled on Cyberoam, web browsers display a warning message if the Certificate Authority (CA) for the certificate used by Cyberoam SSL inspection is not known to the browser. For this, you need to import the Cyberoam SSL Proxy certificate into Internet Explorer and Mozilla Firefox for decryption on SSL Inspection.

    All Cyberoam appliances are shipped with a unique SSL CA Certificate which is used in HTTPS Deep Scan Inspection. This article describes how you can download Cyberoam's SSL CA Certificate and install it in your local browser and machine.

    https://community.sophos.com/kb/en-us/130801

    In public key infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority (CA) in order to apply for a digital identity certificate.

    If you are using a third-party CA, Cyberoam allows you to generate a CSR to obtain a signed certificate. The CA verifies the details and issues a signed certificate to the applicant which can then be used for authentication.

    https://community.sophos.com/kb/en-us/130669

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi  

    Yes, you are correct: the scanning option will scan HTTP and HTTPS content for the published website. But when you enable scanning on a virtual host, the CR firewall uses the certificate selected under HTTPS scanning CA, and that would be "Cyberoam SSL CA" as the default certificate.

    So external users will get this CA rather than your purchased/generated CA, but you want your own CA to encrypt and decrypt traffic, and this is why we suggested you turn off HTTP/S scanning on the specific virtual host rule.

    You may use your CA as well by importing it on the firewall, but again it will then be used by all DNAT rules and other traffic where HTTPS scanning is on and traffic is passing via the firewall.

    https://community.sophos.com/kb/en-us/131475

    So based on your setup and requirement, the last suggestion is the best way to achieve your requirement (do not enable HTTP and HTTPS scanning, and import the CA on the server), and apart from this you may apply IPS on the DNAT rule to prevent matched or known signature attacks and secure your server via an IPS policy.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

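The two replies above (do the key and CSR on the server; leave HTTPS scanning off on the virtual-host rule so clients receive the server's own certificate rather than one signed by "Cyberoam SSL CA") can be turned into a small server-side check. The script below is an added example, not Sophos or Cyberoam code and not anything posted in this thread. It generates the key pair and CSR on the server with OpenSSL, then models the two outcomes by signing that same CSR with two constructed stand-in CAs: one named "Demo Public CA" (standing in for the real public CA) and one named "Cyberoam SSL CA" (standing in for the firewall's scanning CA). `check_presented_issuer` is the check an administrator would run against the certificate a client actually receives (for instance a PEM saved from `openssl s_client -showcerts`); the host name, file names and CA names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): generate the key and CSR on the web
# server, as the replies recommend, then check which issuer a client sees.
# All names, paths and both stand-in CAs are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1: key pair and CSR are created on the server; the private key never
# leaves it (only the CSR goes to the CA, only the issued cert comes back).
make_server_csr() {
    cn="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$cn" 2>/dev/null
    chmod 600 "$WORK/server.key"
    # Sanity check: the CSR must verify against its own public key.
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Subject CN recorded in the CSR (what the CA will put in the certificate).
csr_cn() {
    openssl req -in "$WORK/server.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Step 2 (simulation only): sign the server's CSR with a stand-in CA.
# Called once with a "public CA" name and once with a "Cyberoam SSL CA" name
# to model what clients receive when HTTPS scanning re-signs the connection.
#   $1 = file slug for the CA files, $2 = CA common name, $3 = output cert
sign_with_ca() {
    slug="$1"; ca_cn="$2"; out="$3"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$slug.key" -out "$WORK/$slug.crt" \
        -subj "/CN=$ca_cn" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$slug.crt" \
        -CAkey "$WORK/$slug.key" -CAcreateserial -days 1 -sha256 \
        -out "$out" 2>/dev/null
}

# Issuer CN of a certificate as a client would receive it.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Returns 0 when the client-facing certificate is issued by the expected CA,
# 1 when the issuer is anything else (e.g. the firewall's scanning CA, which
# means HTTPS scanning is still enabled on the virtual-host rule).
#   $1 = PEM file of the presented certificate, $2 = expected issuer CN
check_presented_issuer() {
    actual="$(cert_issuer_cn "$1")"
    case "$actual" in
        "$2") return 0 ;;
        *)    echo "unexpected issuer: $actual (expected: $2)" >&2; return 1 ;;
    esac
}

# Demo run with constructed values.
make_server_csr "www.example.test"
sign_with_ca "public_ca"   "Demo Public CA"  "$WORK/from_public_ca.pem"
sign_with_ca "scanning_ca" "Cyberoam SSL CA" "$WORK/via_scanning_proxy.pem"
check_presented_issuer "$WORK/from_public_ca.pem" "Demo Public CA" \
    && echo "virtual host OK: clients see the server's own certificate"
check_presented_issuer "$WORK/via_scanning_proxy.pem" "Demo Public CA" \
    || echo "scanning still on: clients see the firewall CA"
```

The same issuer check applies to the WAF case discussed later in the thread: if the third-party certificate has been uploaded to the firewall and selected on the WAF rule, the issuer a client sees should again be the public CA, not the scanning CA.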

  • Hello again  ,

    I got it. Could you please describe the WAF scenario as well?

  • Hello  ,

    Imagine we're going to publish an HTTPS website:

    - In case of using a Virtual Host, what is the procedure to avoid an SSL error on the client side? (We are going to use a valid certificate issued by a valid CA like Cetrum.)

    - In case of using WAF, what is the procedure to avoid an SSL error on the client side? (We are going to use a valid certificate issued by a valid CA like Cetrum.)


    As Vishal_R described, I need to know the effect of using HTTPS scanning on the above scenarios. 

  • Hi  

    As you are aware, WAF will help you prevent Layer 7 attacks as well, which would be more advantageous in comparison to DNAT.

    For a WAF hosted on HTTPS you have the option to choose a specific certificate for that WAF rule as well. So you may upload a 3rd party cert on the firewall as well and use it for publishing the server via WAF on Cyberoam.

    Reference snapshot:


    More information (Page 33): http://docs.sophos.com/nsg/Cyberoam/Version%2010.x/10.6.3/Guides/Cyberoam%20WAF%20User%20Guide.pdf 

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
