Sophos AP/APX users may experience issues registering to Sophos Central. More info available here: Central Wireless
We'd love to hear about it! Click here to go to the product suggestion community
I've been looking for information about the correct way to use the web server module on XG but I couldn't find anything.
Also ask to a Live support agent on chat and he didn't have any document that could help me.
So, what I want to know is if I'm available to have 2 servers published with the same public IP and the same port.
For example: https://mail.company.com and https://www.company.com
From my knowledge, which is pretty basic, it's not possible to publish 2 sites with the same port and same public IP but I was reading this on the 'Help' tab of the firewall:
From my understanding is possible to publish multiple sites using Path specific routing on the WAF rule. I did a rule for testing but wasn't working.
Yes you can achieve this. In fact i have5 url's on the same outside ip and port wich will all be directed to different end points.
Make sure you define the webservers, and add the correct FW rules.
In reply to Peter-Paul Gras:
I did try to use the web module but It wasn't working for me.
I was using only 1 WAF rule to publish both servers. Also, if I use port 443 when I try to access the server it will show me the certificate error so I must upload a cert, it is not possible to use the same cert for both servers since I only can use 1 cert on the WAF rule.
I can't create 2 WAF rules using the same IP and same port because the traffic will apply for the first rule.
Would be great if you can add screenshots in this thread to take a look and have an idea how do you have it working.
In reply to John Henry Vindas Carballo:
For security reasons i'm not going to add screenshots but I have written a simple step by step manual for you. If you follow this I believe you should be able to solve your
1. System > Host and Services > FQDN Host add host (use the fqdn accordingly to the outside fqdn) 2. Configure > DNS > DNS Host Entry section add DNS entry for the fqdn you added in step 1. (use the same fqdn) this should be the ip adress of the host to witch you want to forward the Web Server (WAF) 3. System > Host and Services > FQDN Host test if the FQDn resolves to the ip adres you just entered in step 2. 4. Protect > Web Server > Web Servers add a web server: - host should be the host addes at step 1. - enter the port where your web servers listens to - i've got the keep alive option selected5. Protect > Firewall add a business application rule > Hosted Server section - select the WAN port that is being used to host your internal server > Protected Server(s) section - select the web server you created in step 3. from the Web server list > Advanced section - add the desired policies. I've added the Wan To Lan Intrusion Prevention policy and the High Guarantee Rule to the Traffic shaping policy6. repeat the above steps for every webserver you are hosteing. make sure you use unique host/port combinations
7. If you are using any modem/router device in front of the SOPHOS XG make sure you have the correct ports forwarded! As far as i can remember this did it for me.
You can have multiple WAF rules with the same port and IP as long as the FQDN name in the rules are different. We have about 20 different sites using the same IP and port using WAF configuration.
so example.example.com and test.example.com are different rules. As long as there are two servers hosting the sites. If it is the same server you put both names in the rule and use the " Pass host header" in the rule.
In reply to RickardNordahl:
WAN side port: yes
Internal webserver: each one listens to a unique port when residing on the same physical server (afaik)
I found this entry was non existent in my xg installation;
2. Configure > DNS > DNS Host Entry section
it should be;
2. Configure > Network >DNS and scroll down to DNS Host Entry section
You just need to create two business rules like below.
Each would have the subdomain set to their respective address and point to their respective internal server that is configured under "Web Server"
I would create the required certs for each sub-domain, or if you have a wildcard cert import that and use that on both.
Order of the rules doesn't matter as each subdomain is different.
As for site path rules, these are for the more to do with the same Server and multiple paths, so you can be restrictive on what you allow.
So in your example with Exchange, they have OWA/ECP and ect set, but you could remove some of them and then you have essentially removed access to that path but still allowed access to another.