This article describes a new SFOS feature that changes the hyperlinks to several internal pages from IP Address to Hostname. Combined with using your own certificate, this will remove certificate warnings seen by end users.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Firewall v17.1, v17.5
In several places the XG Firewall needs to provide links that redirect users to pages hosted on the device. By default these links use one of the IP Addresses of the XG Firewall. The following pages are the ones that the firewall links to:
Some of these links are HTTP and some are HTTPS. The HTTPS links are signed by the certificate of the XG Firewall appliance.
You can change the hostname at Administration > Admin Settings > Hostname. You should use a Fully Qualified Domain Name (FQDN) such as myfirewall.mycompany.com.
An administrator can upload a certificate to be used by the XG Firewall appliance. The certificate should be one that covers the hostname of the XG Firewall appliance. It could be a certificate that has been purchased from a public Certificate Authority and is automatically trusted by all clients. Alternately, it could be a self-signed certificate from an internal Certificate Authority that the clients have been configured to trust.
To upload a certificate, go to Certificates > Certificates.
To select the certificate to use, go to Administration > Admin Settings > Port Settings for Admin Console.
Starting with v17.5, when redirecting users to the captive portal or other interactive pages, you can choose to use the Firewall's configured hostname, the IP address of the first internal interface or a different hostname from the GUI with more flexibility like shown below. Also the Check settings button allows you to verify your settings for possible errors and resolutions.
set http_proxy proxy_url_use_hostname on
End User clients will need to be able to resolve the hostname to an IP address on the XG. The IP cannot be the WAN interface. Ideally it is the same IP as is used when proxy_url_use_hostname is off, however it can be any IP that exists in the file /cfs/proxy/skein/localinterfaces. In addition, make sure that the IP / Interface / Zone you resolve to has Captive Portal enabled in Device Access. See Sophos XG Firewall: Sandstorm and Web Protection Block page and Warn page timeout when Captive Portal is disabled for more details
If you are using the XG Firewall as your DNS server, it can be configured by going to Network > DNS > DNS Host Entry. If you are using a different DNS server, then add the resolution on that DNS server.
On all end user pages, all hyperlinks to pages hosted on the XG Firewall will use the hostname. The client will resolve the hostname to the IP that you want to use. For HTTPS, the pages will use a certificate that covers that hostname and there will be no certificate warnings on the client.
The Email quarantine digest uses a separate setting, configured under Email > Quarantine Digest > Reference User Portal IP. It currently does not support hostname.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.