We are going to publish an HTTPS website through Cyberoam UTM. As you know, we always create a new Virtual Host for publishing a new service to internet users. But in this scenario we have encryption considerations: we need to generate a CSR and install the issued certificate. The question is, where should we generate the CSR and install the certificate, on Cyberoam or on the server?
For clarification: I've read that if we are going to use WAF, we are supposed to generate the CSR and install the certificate on Cyberoam (everything would be done on the UTM). But if we use a Virtual Host (port forwarding), everything (CSR and installation) must be done on the server.
Am I right? Or...
Hi Memorycard, yes, for a virtual host the suggestion is to do everything on the server (instead of the firewall), and once the VH is created on Cyberoam, do not enable HTTP/S scanning on the WAN-to-respective-zone rule for that particular VH. So the end user browsing the website will get your server certificate (not the firewall one).
Regards, Vishal Ranpariya, Technical Account Manager | Sophos Technical Support
Hello Vishal_R,
Thanks for replying.
Could you please describe the operation of AV scanning, including HTTP/HTTPS scanning? I thought this feature would scan HTTP and HTTPS, IM scanning and other packets for threats and malware. Which features do you suggest activating on Virtual Host rules? (Imagine we want to publish web services, RDP and so on.)
Hi Memorycard, yes, you are correct, the scanning option will scan HTTP and HTTPS content for the published website. But when you enable scanning on a virtual host, the CR firewall uses the certificate selected under the HTTPS scanning CA, which is "Cyberoam SSL CA" as the default certificate. So external users will get this CA rather than your purchased CA, but you want your own CA to encrypt and decrypt the traffic, and this is why we suggested you turn off HTTP/S scanning on that specific virtual host rule.
You may use your own CA as well by importing it on the firewall, but again it will then be used by all DNAT rules and other traffic where HTTPS scanning is on and traffic passes through the firewall.
https://community.sophos.com/kb/en-us/131475
So based on your setup and requirement, the last suggestion is the best way to achieve your requirement (do not enable HTTP and HTTPS scanning, and import the CA on the server). Apart from this, you may apply IPS on the DNAT rule to prevent matched or known signature attacks and secure your server via an IPS policy.
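The two practical pieces of the advice above, as an added example that is not part of the thread or of any Sophos documentation: the key and CSR are generated on the web server (the private key never goes to the UTM), and after the virtual host is published you fetch the certificate an outside client is actually handed and check its issuer. If the issuer still reads "Cyberoam SSL CA", HTTPS scanning is still active on the WAN rule for that virtual host. The hostname www.example.com, the output paths and the self-signed "firewall" certificate used for the offline run are all constructed for this example; the script needs the openssl CLI (1.1.1 or later for -addext).

```shell
#!/bin/sh
# Added example (not from the thread): CSR on the server, then a check of
# which certificate external clients really see through the Cyberoam VH.
set -eu

# Step 1, on the web server: generate the private key and the CSR here, send
# only the CSR to the public CA, install the issued certificate on the server.
# Prints the CSR subject so the caller can confirm the right name was used.
make_server_csr() {
  fqdn="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
  chmod 600 "$outdir/$fqdn.key"           # key stays on the server only
  openssl req -in "$outdir/$fqdn.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$outdir/$fqdn.csr" -noout -subject -nameopt RFC2253
}

# Issuer DN of a PEM certificate (what a browser shows as "Issued by").
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# Exit status 0 when the leaf was minted by the UTM's default scanning CA,
# i.e. HTTPS scanning is still rewriting the published site's traffic.
issued_by_firewall() {
  issuer_of "$1" | grep -q 'Cyberoam SSL CA'
}

# Step 2, from OUTSIDE the LAN: grab the leaf certificate a client receives
# via the WAN-side address. Network access required, so not run at load time.
live_cert() {
  fqdn="$1"; out="$2"
  openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Constructed stand-in for an offline run: a self-signed certificate whose
# subject (hence issuer) carries the UTM's default scanning CA name.
fake_firewall_cert() {
  out="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Cyberoam SSL CA" -keyout "$out.key" -out "$out" 2>/dev/null
}

# Whole check as one call: 0 = server certificate reaches the client,
# 1 = the firewall's scanning CA is still in the path.
check_published_site() {
  pem="$1"
  if issued_by_firewall "$pem"; then
    echo "WARNING: client sees $(issuer_of "$pem"); disable HTTP/S scanning on the VH rule" >&2
    return 1
  fi
  echo "OK: client sees $(issuer_of "$pem")"
}
```

Usage from an external host: `live_cert www.example.com /tmp/leaf.pem && check_published_site /tmp/leaf.pem`. The offline functions let you exercise the check without a published host; the live probe must be run from the WAN side, since a client inside the LAN may reach the server directly and never traverse the DNAT rule.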
Hello again Vishal_R,
I got it. Could you please describe the WAF scenario as well ?
Hello Keyur,
Imagine we're going to publish an HTTPS website:
- In the case of using a Virtual Host, what is the procedure for not getting an SSL error on the client side? (We are going to use a valid certificate issued by a valid CA like Cetrum.)
- In the case of using WAF, what is the procedure for not getting an SSL error on the client side? (We are going to use a valid certificate issued by a valid CA like Cetrum.)
As Vishal_R described, I need to know the effect of using HTTPS scanning in the above scenarios.
Hi Memorycard, as you are aware, WAF will also help you prevent Layer 7 attacks, which is more advantageous in comparison to DNAT. For a WAF hosted on HTTPS you have the option to choose a specific certificate for that WAF rule as well. So you may upload a 3rd-party certificate to the firewall and use it for publishing the server via WAF on Cyberoam. Reference snapshot:
More information (page 33): http://docs.sophos.com/nsg/Cyberoam/Version%2010.x/10.6.3/Guides/Cyberoam%20WAF%20User%20Guide.pdf