I'm new to the Sophos family and I have had 3 full days of frustration with trying to install and configure this appliance to work with my Synology NAS. Prior to using a SOPHOS FW I just used a home Linksys router and forwarded ports to the NAS. It was working great; I had SSL working along with other applications running on the NAS.
My problem is I'm not really sure on the process for setting up the more advanced firewall and getting the NAS publicly accessible with SSL. Previously I had my HTTPS/443 forwarded directly to the NAS, so when I entered my domain name it went directly to my NAS login page. I can't get this to work with SOPHOS XG.
I also don't understand the process for enabling the XG to use SSL authentication.
I guess I need some basic installation help or templates to get me going.
Please post your WAF rule.
As a starting point, please follow this KB:
If it does not work, as Ian suggested, post the WAF rule.
In reply to lferrara:
As far as I understand, you are comparing a WAF (reverse proxy) with a DNAT.
Of course a DNAT will be straightforward in its process.
WAF is more complicated in its implementation.
So I'm still having issues with getting reverse proxy to work with this WAF rule. I'm not quite sure how this works with Sophos. Do I set up the reverse proxy on the Synology system or does WAF take care of this? Also, how and/or what certificates do I use (Let's Encrypt) in the WAF rule? I tried uploading the ones I get from Let's Encrypt through the Synology process, however the WAF does not recognize them.
I'm pretty sure the firewall is not allowing the reverse proxy to work. I run www.ssllabs.com/.../analyze.html and I get this result, so there is some type of communication with the NAS if I'm not mistaken.
In reply to Yendor:
The NAS only needs to know about the network and the certificate so traffic gets scanned and passed by the XG; the XG WAF does all the rest.
In reply to rfcat_vk:
OK, how does that happen with a WAF rule? The certs that the Synology Let's Encrypt app provides are not recognized by the XG.
If you want external users to use HTTPS, you need to fix the certificate issue first.
Before you even upload the certificate on XG, you need to upload the CA that released that certificate.
So, what is the issue you have with that?
If you cannot select the cert, you did not upload the cert with the private key.
You need to take the private key of Let's Encrypt and add this key as a file to the certificate.
Otherwise XG cannot use this cert for WAF.
In reply to LuCar Toni:
I understand this. I'm new to Sophos and how things work here. I am asking for a step-by-step process on how to import the certificates from what Synology gives (Cert.pem, chain.pem, priv.pem) and get it to work with Sophos. I don't have any *.key files to upload. So how/where do I get this private key to upload to the Sophos appliance?
Side note: I have got my reverse proxy to work and now my Synology box is publicly available through my firewall with SSL authentication. However, the 5024 port is used and shown rather than the HTTPS/443. Any ideas? It is also not available to my internal network users, only external subnets.
For the CA, private key and certificate, you can check how to do it on the vendor website.
Also, on the Sophos Community you can find many threads. For example:
Hope these 2 links help!