

Custom SSL for Sophos User Portal

Hello,

We would like to use our own SSL certificate for our Sophos User Portal so users aren't presented with the "Not Secure" warnings when going to the user portal. We have our wildcard SSL imported into the Sophos Firewall. When I went to Administration --> Admin and user settings --> Admin console and end-user interaction settings and changed the Certificate drop-down from "ApplianceCertificate" to our own SSL certificate, I received a warning upon clicking Apply, and am wondering what exactly this means and what the repercussions will be? We originally imported this SSL for WAF features but haven't set anything up yet with that, just testing out the IPSec VPN at the moment.



  • After changing TLS certificates you will need to refresh the page, since the connection between your client and the web server will be closed. (The warning already tells you a re-connection will be necessary.)

    This won't affect the Firewall or any of its connections; only the users who are logged in on either the user portal or web admin will need to refresh the page.

    Just be sure the hostname set in the firewall matches the certificate. (You can set on the "Use a different hostname" box.)

     Example:


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks, that helps. Our firewall hostname has been named to something that our data center, who deployed it, can easily know what customer it's for etc etc (e.g. CustomerName-VFW-VB01). If our wildcard SSL cert is *.mydomain.com, can we still do this? Would we need to rename the firewall hostname first? If so, rename it to what? mydomain.com? I currently have a new DNS (A) record that points vpn.mydomain.com to the VPN interface on the firewall.

    Currently, we're using the ApplianceCertificate and in the "When redirecting users to the captive portal or other interactive pages:" option, we have the middle selected -- which is the local LAN IP of the Sophos firewall.

  • You don't need to change the hostname of the Firewall itself; you can set it in the box as shown in the picture above. It will only use that hostname for the web connections to the Firewall.

    In that box you should use the full domain, including the subdomain if necessary, for the certificate that you will be using; then set a DNS (A) record for it.

    An example would be "firewall.mydomain.com"

    After that, Web Admin | User Portal | DPI Warning/Block messages will all be shown through that domain and certificate.

    EDIT: Yes, you can use a wildcard certificate for this.



  • I think I understand. Switch to my certificate and enter the public URL that I have set up for the user portal in the "use a different hostname" field? I just did that and clicked the Check Settings box, and see the below response. A little strange that the second line says the hostname resolves to an internal interface's IP address. Internal to me means a private 192, 172, or 10 address, when really vpn.mydomain.com points to an external public IP.

  • You do a DNS query to see if everything is as expected.

    But if I remember correctly, it always showed as "Internal" interface IP address.

    I think "Internal" in the "Sophos Terminology" means it's already available on the Firewall (through an interface).



  • Thanks. Maybe I'm being too cautious, but if I make this change does that mean the admin console is only accessible via the https://vpn.mydomain.com URL, and I can no longer use https://<INTERNAL_LAN_IP>:4444 ? Meaning, would I have to make a host file entry pointing vpn.mydomain.com to the internal LAN IP to manage? We don't have the admin portal available/enabled on the WAN interface, only the User Portal.

  • I just did a small test on my end, I can still access directly through the Firewall IPv4 without any issues.

    Of course, your browser will give you a warning because of the hostname mismatch.

    But I would recommend using Sophos Central, just in case. :)


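The two points above (a wildcard certificate covers `firewall.mydomain.com` but not the bare domain, and the browser still warns on `https://<LAN-IP>:4444` because an IP literal never matches a dNSName) come down to how a browser matches a hostname against the certificate's Subject Alternative Names. The following is an added example, not code from the thread or from Sophos; it works on a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline, and the names `name_matches`, `cert_covers` and `url_covered` are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape Python's ssl.SSLSocket.getpeercert() returns
# for a wildcard certificate like the one discussed in the thread.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}

def san_dns_names(cert):
    """Return the dNSName entries of the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Browser-style matching (RFC 6125): a wildcard is only honoured as the
    whole left-most label, so '*.mydomain.com' covers 'vpn.mydomain.com' but
    neither the bare 'mydomain.com' nor 'a.b.mydomain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def is_ip_literal(host):
    """True for an IPv4/IPv6 literal such as the firewall's LAN address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_covers(cert, host):
    """True if the certificate is valid for this host. An IP literal is only
    matched by an iPAddress SAN, never by a dNSName, which is why
    https://<LAN-IP>:4444 keeps warning after the certificate is changed."""
    if is_ip_literal(host):
        return any(v == host for k, v in cert.get("subjectAltName", ()) if k == "IP Address")
    return any(name_matches(n, host) for n in san_dns_names(cert))

def url_covered(cert, url):
    """Same check for the URLs people actually type into the browser."""
    host = urlsplit(url).hostname
    return host is not None and cert_covers(cert, host)
```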

  • Gah! I was just about to click Apply until I read your last one-liner about Sophos Central. Haha.... 

  • I just did it, it worked as I hoped. YOLO! Thanks for your help.