
Multiple domain forwarding 1 Public IP

Hi People,

Can someone advise how to configure XG Firewall for the following scenario?

environment:

1 Public IP
2 different domains (each domain A record points to public IP)
2 different web servers

Goal:

Domain A hits public IP of (XG Firewall) and forwards to server 1
Domain B hits public IP of (XG Firewall) and forwards to server 2

Is there a way to configure that without using WAF?

Thanks,

Rafal
  • Hi  

    Yes, this can be easily done using WAF in Sophos XG. But make sure you select Pass host header in your WAF Business Application rule.

    Please refer to this KBA Sophos XG Firewall: WAF configuration guide and in case if you need there's a Sophos XG Firewall: WAF Troubleshooting guide as well.

    Regards

    Jaydeep

  • Hi,


    Can you please give me an example of how to configure this business rule (WAF) for the mentioned scenario?

    environment:

    1 Public IP
    2 different domains (each domain A record points to public IP)
    2 different web servers (no vhosts)

    Goal:

    Domain A hits public IP of (XG Firewall) and forwards to server 1
    Domain B hits public IP of (XG Firewall) and forwards to server 2

    The KBA https://community.sophos.com/kb/en-us/126470 only describes how to publish one webserver. But here we have two (or more) webservers behind one public IP and multiple DNS-Names.

    As far as I understand, the option "Pass host header" just passes the host header to the webserver, so it can route to a configured vhost. In the described environment we have two separate webservers without vhosts. The option "pass host header" has no effect here?

    Thank you!


  • RasalGhul,

    follow the KB above. You need to create 2 different WAF rules, where in the first one you define the domain name for server 1 and in the second rule the domain name for server 2.

    Regards

  • Make sure the servers are using different ports.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you for clarifying this. It works with different WAF rules for each server/domain!

    I had trouble with my browser cache so things were not running as they should.

  • No need to use different ports for the servers nor WAF rules. Both servers listen on port 80 internally (LAN) and are reachable on port 443 from external (WAN) through a WAF rule.

  • I have another question/issue regarding this topic.

    Beside the two WAF rules I need a DNAT rule for port 443. The WAF rules have a higher priority, so the DNAT rule will be the last one to be processed ("fallback").

    For example, I have the following domains (all same public IP), rules and servers:

    - prio1 > domain: waf1.domain.com > rule: waf1 443 rule > server-waf1

    - prio2 > domain: waf2.domain.com > rule: waf2 443 rule > server-waf2

    - prio3 > domain: dnat1.domain.com / dnat2.domain.com > rule: dnat 443 > server-fallback

    The problem is, the two "dnat1/2" subdomains will be processed by rule "waf2 443" and it returns a 403 HTTP error. This error shows up in the log "/log/reverseproxy.log":

    [Thu Feb 27 15:51:35.073229 2020] [url_hardening:error] [pid 47656:tid 140695402669824] [client xxx.xxx.xxx.xxx:58401] Hostname in HTTP request (dnat2.domain.com) does not match the server name (waf2.domain.com), referer: https://dnat2.domain.com/

    [Thu Feb 27 15:51:35.073091 2020] timestamp="1582815095" srcip="xxx.xxx.xxx.xxx" localip="192.168.0.2" user="-" host="xxx.xxx.xxx.xxx" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" duration="250" url="/favicon.ico" server="dnat.domain.com" referer="https://dnat.domain.com/" cookie="-" set-cookie="-" recvbytes="494" sentbytes="429" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="2"


    Why is rule "waf2 443" processed at all, the server name does not match?


    Thank you
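To spot this failure mode in bulk rather than by eye, the following added script (not from the thread or from Sophos) parses both line shapes seen in the reverseproxy.log excerpt above: the url_hardening error that names the requested hostname and the configured server name, and the key="value" access record carrying the statuscode and ruleid. The sample lines are constructed from the excerpt, with the masked client IPs replaced by documentation addresses; it assumes the log lines keep the format shown in the post.

```python
import re

# Constructed sample, modelled on the /log/reverseproxy.log lines in the thread.
# 203.0.113.10 / 198.51.100.7 are documentation addresses standing in for xxx.xxx.xxx.xxx.
SAMPLE_LOG = """\
[Thu Feb 27 15:51:35.073229 2020] [url_hardening:error] [pid 47656:tid 140695402669824] [client 203.0.113.10:58401] Hostname in HTTP request (dnat2.domain.com) does not match the server name (waf2.domain.com), referer: https://dnat2.domain.com/
[Thu Feb 27 15:51:35.073091 2020] timestamp="1582815095" srcip="203.0.113.10" localip="192.168.0.2" user="-" host="203.0.113.10" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" duration="250" url="/favicon.ico" server="dnat.domain.com" referer="https://dnat.domain.com/" cookie="-" set-cookie="-" recvbytes="494" sentbytes="429" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0" querystring="" ruleid="2"
[Thu Feb 27 15:52:01.000000 2020] timestamp="1582815121" srcip="198.51.100.7" localip="192.168.0.2" user="-" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" duration="12" url="/" server="waf2.domain.com" referer="-" cookie="-" set-cookie="-" recvbytes="300" sentbytes="5120" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0" querystring="" ruleid="2"
"""

# The url_hardening message: which Host header arrived and which server name the rule expected.
MISMATCH_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] Hostname in HTTP request \((?P<requested>[^)]+)\) "
    r"does not match the server name \((?P<configured>[^)]+)\)"
)
# The access record: a run of key="value" pairs (keys such as set-cookie contain a hyphen).
KV_RE = re.compile(r'(?P<key>[\w-]+)="(?P<value>[^"]*)"')


def parse_line(line):
    """Classify one log line as a host-mismatch error, an access record, or None."""
    m = MISMATCH_RE.search(line)
    if m:
        return {"kind": "host_mismatch", **m.groupdict()}
    fields = dict(KV_RE.findall(line))
    if "statuscode" in fields:
        fields["kind"] = "access"
        return fields
    return None


def find_host_mismatches(log_text):
    """Return (mismatch errors, 403 access records) from reverseproxy.log text.

    A mismatch error paired with a 403 from a WAF ruleid means a request for a
    site the rule does not serve was absorbed by that rule instead of falling
    through to the lower-priority DNAT rule, which is the situation in the thread.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    mismatches = [e for e in events if e["kind"] == "host_mismatch"]
    rejected = [e for e in events if e["kind"] == "access" and e["statuscode"] == "403"]
    return mismatches, rejected


if __name__ == "__main__":
    errs, denied = find_host_mismatches(SAMPLE_LOG)
    for e in errs:
        print(f"{e['client']}: asked for {e['requested']}, rule serves {e['configured']}")
    for d in denied:
        print(f"403 from ruleid={d['ruleid']} for server={d['server']} url={d['url']}")
```

Run it against a copied reverseproxy.log to list every Host header that a WAF rule rejected, together with the ruleid that answered; the 200 record for waf2.domain.com is included to show that matching traffic is not flagged.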
