
Web Server configuration.

Hello all,

I've been looking for information about the correct way to use the web server module on XG but I couldn't find anything.

I also asked a Live support agent on chat and he didn't have any document that could help me.

So, what I want to know is whether I'm able to have 2 servers published with the same public IP and the same port.

For example: https://mail.company.com and https://www.company.com

From my knowledge, which is pretty basic, it's not possible to publish 2 sites with the same port and same public IP but I was reading this on the 'Help' tab of the firewall:

From my understanding it is possible to publish multiple sites using Path specific routing on the WAF rule. I did a rule for testing but it wasn't working.

  • Hello John,


    Yes, you can achieve this. In fact I have 5 URLs on the same outside IP and port which will all be directed to different endpoints.

    Make sure you define the webservers, and add the correct FW rules.


    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Hello Peter,

    I did try to use the web module but it wasn't working for me.

    I was using only 1 WAF rule to publish both servers. Also, if I use port 443 when I try to access the server it will show me the certificate error so I must upload a cert, it is not possible to use the same cert for both servers since I only can use 1 cert on the WAF rule.

    I can't create 2 WAF rules using the same IP and same port because the traffic will apply for the first rule.

    It would be great if you could add screenshots in this thread so I can take a look and get an idea of how you have it working.

    Best regards.

  • In reply to John Henry Vindas Carballo:

    Hi John,


    For security reasons I'm not going to add screenshots, but I have written a simple step by step manual for you. If you follow this I believe you should be able to solve your

    1. System > Host and Services > FQDN Host
        add host (use the FQDN according to the outside FQDN)
        
    2. Configure > DNS > DNS Host Entry section
        add DNS entry for the FQDN you added in step 1 (use the same FQDN)
        this should be the IP address of the host to which you want to forward the Web Server (WAF)
        
    3. System > Host and Services > FQDN Host
        test if the FQDN resolves to the IP address you just entered in step 2.
        
    4. Protect > Web Server > Web Servers
        add a web server:
        - host should be the host added at step 1.
        - enter the port your web server listens on
        - I've got the keep alive option selected

    5. Protect > Firewall
        add a business application rule
        
        > Hosted Server section
        - select the WAN port that is being used to host your internal server
        
        > Protected Server(s) section
        - select the web server you created in step 3. from the Web server list
        
        > Advanced section
            - add the desired policies. I've added the Wan To Lan Intrusion Prevention policy and the High Guarantee Rule to the Traffic shaping policy

    6. Repeat the above steps for every web server you are hosting. Make sure you use unique host/port combinations.

    7. If you are using any modem/router device in front of the Sophos XG, make sure you have the correct ports forwarded!
            
    As far as I can remember this did it for me.

  • In reply to John Henry Vindas Carballo:

    Hello,

    You can have multiple WAF rules with the same port and IP as long as the FQDN name in the rules is different. We have about 20 different sites using the same IP and port using WAF configuration.

    So example.example.com and test.example.com are different rules, as long as there are two servers hosting the sites. If it is the same server, you put both names in the rule and use "Pass host header" in the rule.

  • In reply to RickardNordahl:

    WAN side port: yes

    Internal webserver: each one listens to a unique port when residing on the same physical server (afaik)

  • In reply to Peter-Paul Gras:

    I found this entry was non-existent in my XG installation:

    2. Configure > DNS >  DNS Host Entry section


    It should be:

    2. Configure > Network >DNS and scroll down to DNS Host Entry section


    FYI

  • Hi John,


    You just need to create two business rules like below.


    Each would have the subdomain set to its respective address and point to its respective internal server that is configured under "Web Server".

    I would create the required certs for each sub-domain, or if you have a wildcard cert import that and use that on both.

    Order of the rules doesn't matter as each subdomain is different.


    As for site path rules, these have more to do with the same server and multiple paths, so you can be restrictive about what you allow.

    So in your example with Exchange, they have OWA/ECP etc. set, but you could remove some of them and then you have essentially removed access to that path but still allowed access to another.
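To make the mechanism the replies above describe concrete (several WAF rules sharing one WAN IP and port but told apart by FQDN, "Pass host header" when one backend serves several names, and site path rules that limit which paths a rule lets through), here is a small model of that dispatch logic written for this thread. It is illustrative code, not Sophos XG code, and every rule name, hostname and backend address in it is a constructed placeholder. Over plain HTTP the selector is the Host header; over HTTPS the same name is also presented by the client as SNI before the TLS handshake completes, which is why each FQDN (or a wildcard covering all of them) needs a matching certificate on its rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WafRule:
    """One business application rule (hypothetical model of an XG WAF rule)."""
    name: str
    domains: tuple              # FQDNs this rule answers for
    backend: str                # internal web server "host:port" (Protect > Web Server)
    pass_host_header: bool = False   # forward the client's Host header unchanged
    allowed_paths: tuple = ()        # site path rules; empty tuple means any path


# Constructed rule set: two rules on the same WAN IP and port 443, differing only by FQDN.
RULES = (
    WafRule("WAF_mail", ("mail.company.com",), "10.0.0.10:443",
            pass_host_header=True, allowed_paths=("/owa", "/ecp")),
    WafRule("WAF_www", ("www.company.com", "company.com"), "10.0.0.20:80"),
)


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of an HTTP/1.x request head (constructed input)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": target, "headers": headers}


def path_allowed(path: str, allowed: tuple) -> bool:
    """Site path rule check: no list means everything passes; otherwise prefix match on a path segment."""
    if not allowed:
        return True
    return any(path == p or path.startswith(p + "/") for p in allowed)


def route(raw: bytes, rules=RULES):
    """Pick the rule for a request. Returns (status, backend, host header sent to the backend)."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    if not host:
        return 400, None, None          # no Host header: nothing to select a rule on
    path = req["path"].split("?", 1)[0]
    for rule in rules:                  # rule order is irrelevant because FQDNs never overlap
        if host in rule.domains:
            if not path_allowed(path, rule.allowed_paths):
                return 403, None, None  # path removed by the site path rules
            forwarded_host = host if rule.pass_host_header else rule.backend.split(":")[0]
            return 200, rule.backend, forwarded_host
    return 404, None, None              # unknown FQDN: no rule matches


if __name__ == "__main__":
    sample = b"GET /owa/ HTTP/1.1\r\nHost: mail.company.com\r\n\r\n"
    print(route(sample))
```

Running the block routes a request for `/owa/` on `mail.company.com` to `10.0.0.10:443` with the original Host header preserved, while the same FQDN asking for `/admin` is refused by the site path rules, and a Host value no rule knows is refused outright; that last case is the practical difference from a plain port forward, which would hand every request on 443 to a single server.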