HTTPS website

Question

Hello everyone, 
 We are going to publish a HTTPS website through Cyberoam UTM. As you know, we always create a new Virtual Host for publishing a new service for internet users. But in this scenario, we have encryption considerations. In such scenarios, we need to generate a CSR and install issued certificate. The question is that, where to generate CSR and install certificate? Cyberoam or Server? 
 For the clarification: I've read if we are going to use WAF, we are supposed to generate CSR and install certificate on Cyberoam (Everything would be done on UTM). But if we use Virtual Host (Port Forwarding), everything (CSR and installation) must be done on Server. 
 
 Am I right? or...

Vishal_R · Answer

Hi Memorycard Yes for virtual host suggestion is to do everything on server ( in place of firewall) and once VH is created on Cyberoam do not enable HTTP/s scanning on WAN to respected zone rule for that particular VH. So end user which is browsing website will get your server certificate ( not the firewall one).

Vishal_R · Answer

Hi Memorycard Yes you are correct, the scanning option will scan HTTP and HTTPS content for published website. But when you will enable scanning on virtual host, CR firewall use the certificate selected under HTTPS scanning CA and that would be "Cyberoam SSL CA" as a default certificate. So external users will get this CA rather then your purchased generated CA but you want your own CA to encrypt and decrypt traffic and this why we suggested you to off HTTP/s scanning of on specific virtual host rule. 
 You may use your CA as well by importing on firewall but again that will be getting used by all DNAT rules and other traffic where HTTPS scanning on and traffic passing via firewall. 
 https://community.sophos.com/kb/en-us/131475 So based on your setup and requirement, the last suggestion is best to achieve your requirement ( to not enable HTTP and HTTPS scanning and import CA on server) and apart from this you may apply IPS on DNAT rule to prevent match or know signature attack to secure your server via IPS policy.

Vishal_R · Answer

Hi Memorycard As you are aware WAF will help you to prevent Layer 7 attack as well which would be more advantageous in comparison to DNAT. For WAF hosted on HTTPS you have option to choose specific certificate for that WAF rule as well. So you may upload 3rd party cert on firewall as well to use it for publishing server via WAF on Cyberoam. Reference snapshot: 
 More information (Page 33): http://docs.sophos.com/nsg/Cyberoam/Version%2010.x/10.6.3/Guides/Cyberoam%20WAF%20User%20Guide.pdf