Using differing SSL certificates for WebAdmin and user Portal

Hi, Sebastian, and welcome to the UTM Community!

In this case, I would recommend following The Zeroeth Rule in Rulz and then then creating a forward Lookup Zone for domain.com so that gw.domain.no resolves to the same thing as gw.domain.local.  Will that work for you?

Cheers - Bob

Hi! 

Thank you for your answer. Just to make sure I understand, the suggestion is to ensure that my sophos hostname and fqn is public resolvable, i.e. gw.domain.no instead of my current gw.domain.local. 

Then use my AD DNS to create the zone domain.com in order to ensure that my clients in the internal network can resolve gw.domain.local:4444 to the web admin? 

If that's the case, then that is what I do not want to do. The reason being that client from within the domains should be able to resolve everything that is in the public dns domain.no as well. 

I guess I could "mirror" my entries from my public dns to my internal fwd lookup zone but that's not neither elegant nor properly "engineered" is it? 

I was looking for the "right" way of doing this - this feels a bit more like a "hack". 

Look up "split DNS" to see that this is an accepted practice.  A big advantage is that laptop users don't need two different FQDNs depending on whether they're inside the LAN (physically or via VPN) or out on the Internet.

You're right that you must add to your Forward-Lookup Zone for domain.no an A-record for each public FQDN that should resolve to the same thing internally and externally.

Cheers - Bob

How did you manage to get the Cert?  Did you have to use the DNS challenge?

I see three different solutions to this problem.

Restating your problem:

utm.example.com is managed by external DNS and resolves to an external address on an external interface of UTM

utm.example.local is managed by internal DNS and resolves to an internal address on an internal interface of UTM

1) UTM MAGIC:  As long as your UTM is your firewall, or is on the path to your firewall, you should not need to do anything.   Use the external name.   UTM should hairpin the internal traffic as if it came in through the external interface.   I have not tested this personally because I have an oddball wiring configuration, but Sophos support assures me that they have tested it and it works.

2) DNS MAGIC:  As alluded to in an earlier post, in your internal DNS, create a new ZONE for utm.example.com, and then create a default (no host name) host record in that zone for the internal address of UTM.  This has the effect of overriding the external DNS for this one name only. 

3) CERTIFICATE MAGIC:   Buy a certificate for utm.example.com which also has a SAN (Subject Alternate Name) for utm.example.local.   Users can then connect to UTM using either name.   This may or may not be possible with Let's Encrypt, but it is common for commercially purchased certificates.  (But the extra SAN adds some cost.)

This is such a common requirement, Sophos should have it in their documentation.

Hi

Are you certbox  to get the certificates. I had a reverse proxy front of my firewall. I then entered the full qualified to my name into my  I then entered the full qualified to my name into my Kennesaw public dns server  and provided it to certbot in the request. Hope that helps

Accessing Internal or DMZ Webserver from Internal Network

Cheers - Bob