
New to SOPHOS XG and Frustrated with SSL and Port Forwarding

Hello All, 

I'm new to the Sophos family and I have had 3 full days of frustration with trying to install and configure this appliance to work with my Synology NAS. Prior to using a SOPHOS FW I just used a home Linksys router and forwarded ports to the NAS. It was working great; I had SSL working along with other applications running on the NAS.

 

My problem is I'm not really sure of the process for setting up the more advanced firewall and getting the NAS publicly accessible with SSL. Previously I had my HTTPS/443 forwarded directly to the NAS, so when I entered my domain name it went directly to my NAS login page. I can't get this to work with SOPHOS XG.

 

I also don't understand the process for enabling the XG to use SSL authentication.

 

I guess I need some basic installation help or templates to get me going.



This thread was automatically locked due to age.
  • Yendor,

    As a starting point, please follow this KB:

    https://community.sophos.com/kb/en-us/126470

    If it does not work, as Ian suggested, post the WAF rule.

    Regards

  • So I'm still having issues with getting the reverse proxy to work with this WAF rule. I'm not quite sure how this works with Sophos. Do I set up the reverse proxy on the Synology system, or does WAF take care of this? Also, how and/or what certificates do I use (Let's Encrypt) in the WAF rule? I tried uploading the ones I get from Let's Encrypt through the Synology process, however the WAF does not recognize them.

    I'm pretty sure the firewall is not allowing the reverse proxy to work. I ran www.ssllabs.com/.../analyze.html and I get this result, so there is some type of communication with the NAS if I'm not mistaken.

  • Hi,

    The NAS only needs to know about the network and the certificate so traffic gets scanned and passed by the XG; the XG WAF does all the rest.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • OK, how does that happen with a WAF rule? The certs that the Synology Let's Encrypt app provides are not recognized by the XG.

  • Yendor,

    If you want external users to use HTTPS, you need to fix the certificate issue first.

    Before you even upload the certificate on the XG, you need to upload the CA that issued that certificate.

    So, what is the issue you have with that?

    Thanks

  • If you cannot select the cert, you did not upload the cert with the private key.

    You need to take the private key of Let's Encrypt and add this key as a file to the certificate.

    Otherwise the XG cannot use this cert for WAF.

    __________________________________________________________________________________________________________________
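As an added example (not from this thread, nor Sophos or Synology code), the following POSIX shell script sanity-checks the three PEM files the poster names (Cert.pem, chain.pem, priv.pem) with the openssl CLI before they go to the XG: it confirms priv.pem really is the key for Cert.pem, that chain.pem is the CA that issued it (the part to upload first), and optionally packs key, cert and chain into one PKCS#12 file. The `nas.p12` name, the constructed test certificates and the assumption that the XG accepts a PKCS#12 upload are all mine.

```shell
#!/bin/sh
# Added example, not from the thread: check the Synology-exported PEM files
# (names as the poster wrote them) before uploading them to the XG.
set -u

# check_le_bundle DIR -> 0 when chain, cert and key belong together, 1 otherwise
check_le_bundle() {
    dir=$1
    cert="$dir/Cert.pem"; chain="$dir/chain.pem"; key="$dir/priv.pem"
    for f in "$cert" "$chain" "$key"; do
        [ -r "$f" ] || { echo "missing $f"; return 1; }
    done
    # 1. priv.pem must be the key for Cert.pem: the public key derived from
    #    each must hash identically, otherwise the XG cannot pair them.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "priv.pem does not match Cert.pem"; return 1; }
    # 2. chain.pem must be the CA that issued Cert.pem (upload it before the
    #    cert). -partial_chain lets an intermediate act as the trust anchor,
    #    since a Let's Encrypt chain.pem is usually not a self-signed root.
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "chain.pem did not issue Cert.pem"; return 1; }
    echo "ok: $(openssl x509 -in "$cert" -noout -subject)"
}

# bundle_pkcs12 DIR PASSWORD -> writes DIR/nas.p12 holding key + cert + chain,
# one file that carries the private key together with the certificate
# (assumes the XG accepts PKCS#12; otherwise upload Cert.pem and priv.pem).
bundle_pkcs12() {
    openssl pkcs12 -export -in "$1/Cert.pem" -inkey "$1/priv.pem" \
        -certfile "$1/chain.pem" -passout "pass:$2" -out "$1/nas.p12"
}

# make_sample_files DIR: constructed stand-in for the Synology export (throwaway
# self-signed CA plus a leaf it signs) so the checks can be exercised offline.
make_sample_files() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/chain.pem" -subj "/CN=Constructed Test CA" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$1/priv.pem" \
        -out "$1/leaf.csr" -subj "/CN=nas.example.invalid" >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/Cert.pem" -days 2 >/dev/null 2>&1
}
```

Run `check_le_bundle /path/to/export` on the real files; a non-zero exit with "priv.pem does not match Cert.pem" is exactly the situation where the XG will not let you select the certificate.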

  • I understand this. I'm new to Sophos and how things work here. I am asking for a step-by-step process on how to import the certificates from what Synology gives (Cert.pem, chain.pem, priv.pem) and get it to work with Sophos. I don't have a *.key file to upload. So how/where do I get this private key to upload to the Sophos appliance?

     

    Side note: I have got my reverse proxy to work and now my Synology box is publicly available through my firewall with SSL authentication. However, port 5024 is used and shown rather than HTTPS/443. Any ideas? It is also not available to my internal network users, only external subnets.
