

Trying to forward https, get "SSL connection error"

Hi,

I am new to Sophos XG, I only installed it yesterday to replace my broadband router and give me a bit more flexibility, but I am having real trouble setting up some simple port forwarding.

All I am trying to do is forward incoming https requests to a server in my garage but I am getting an SSL protocol error. I am not interested in any https scanning, I just want to forward the traffic. I have got this working using a network rule, but I want to use a business rule so I can route 80 and 443 to different servers based on the FQDN in the http request (I have multiple servers sat behind the same WAN IP address).

I have defined the web server as an https web server as follows:

Here is my rule, I used the http based template, port 1 is my WAN IP (it's connected to my fibre router via PPPoE), I have https disabled because I don't want to do scanning, I have a DNS A record that matches the domain name in "hosted server":

The problem I get is this:

The other problem is there doesn't seem to be any logging option on the http rule, so if I go to the security policy logs I can't see if my rule is being hit. Does it log by default? Because if it does, I'm not seeing anything.

Can someone point me in the right direction?

Cheers,

Paul



  • You are trying to use HTTPS but you disabled that. Use http://test.callevanetworks.com:443/ instead.

    BTW, are you sure you want to use port 443 for HTTP? That's super confusing.

  • No I want to use https but I thought I read somewhere that you only needed to enable the https toggle if you wanted to do scanning? I want to do https but without the scanning.

    I had a think about this and concluded that in order to determine the host FQDN in the https request, the firewall probably does need to break open the ssl session so it can read it, hence it needs a cert? I guess if you were just doing normal port forwarding then a cert wouldn't be necessary.

    So anyway, I generated some self-signed certs in XG, enabled https and used these when prompted and it seems to be working now. So I have two https servers behind the same public IP...

    dras.callevanetworks.com &
    ib-dras.callevanetworks.com

    After clicking through the cert warning you should get to a different server. This is exactly what I wanted to achieve and was the main driver behind installing XG.

    Now I just need to get some certs!

    Regards,

    Paul
  • Paul,

    If you are using WAF, HTTP and HTTPS will be intercepted by WAF and analyzed for additional control.
    If you enable HTTPS, WAF needs the certificate that will be displayed to customers in order to get an https connection to the web server.

    To use the same Public IP to connect to 2 different URLs, you need HTTP Based policy, otherwise XG will forward requests using ports and not URL. This feature is called "virtual domains" in apache server.

    So create a self-signed certificate and create 2 HTTP Based Policies where HTTPS is enabled.

    Luk
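To show concretely why name-based routing of two HTTPS hosts behind one public IP works, and why the WAF needs its own certificate once HTTPS is enabled on the rule, here is an added example (not code from the thread or from Sophos). A TLS client sends the hostname it wants in the cleartext Server Name Indication (SNI) extension of its ClientHello, before any encryption starts; a reverse proxy or WAF reads that name to choose the backend, then terminates the TLS session itself, which is why it must present a certificate for that name. The script builds a minimal ClientHello for a hostname, parses the SNI back out of the raw bytes, and maps it to a backend. The two hostnames come from Paul's post above; the backend addresses (192.0.2.x) are constructed placeholders.

```python
"""Name-based HTTPS routing on one public IP: locating the hostname in a ClientHello.

Added example, not part of the original thread or of Sophos XG. The backend
addresses are constructed placeholders in the 192.0.2.0/24 documentation range.
"""
import struct

# Constructed routing table: SNI hostname -> backend (placeholder addresses).
BACKENDS = {
    "dras.callevanetworks.com": "192.0.2.10:443",
    "ib-dras.callevanetworks.com": "192.0.2.11:443",
}


def build_client_hello(hostname: str) -> bytes:
    """Return a TLS record holding a ClientHello with a server_name extension.

    Only the fields needed to locate the SNI are realistic; the random bytes
    and the single cipher suite are constructed dummies.
    """
    host = hostname.encode("ascii")
    # server_name list entry: name_type 0 (host_name), 2-byte length, name
    sni_list = struct.pack("!BH", 0, len(host)) + host
    # extension: type 0x0000, data length, then 2-byte list length + list
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                          # client_version: TLS 1.2
        + bytes(32)                          # random (dummy zeros)
        + b"\x00"                            # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                        # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 22 = handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a raw TLS ClientHello record, or None.

    Walks the record header and handshake header, skips the variable-length
    session id, cipher suites and compression methods, then scans the
    extensions for type 0 (server_name). Truncated or non-handshake input
    yields None rather than an exception.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                       # not a handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                       # not a ClientHello
        pos = 4 + 2 + 32                      # handshake header, version, random
        pos += 1 + hs[pos]                    # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                    # compression methods
        if pos + 2 > len(hs):
            return None                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                lpos = pos + 2                # skip 2-byte server_name_list length
                while lpos + 3 <= pos + elen:
                    ntype = hs[lpos]
                    nlen = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                    if ntype == 0:            # host_name entry
                        return hs[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(record: bytes):
    """Choose the backend for a ClientHello by its SNI; None = no matching virtual host."""
    name = extract_sni(record)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


if __name__ == "__main__":
    for host in ("dras.callevanetworks.com", "ib-dras.callevanetworks.com", "other.example"):
        hello = build_client_hello(host)
        print(f"{host:30s} SNI={extract_sni(hello)!r:32s} backend={route(hello)}")
```

The routing decision is made entirely from the unencrypted ClientHello, so a plain port forward (a DNAT rule) never sees it and can only send all of tcp/443 to one host; the WAF in the HTTP-based rule does the split, and because it answers the handshake on the client's behalf it needs a certificate whose name matches what the client asked for. After deploying, check which certificate each name actually gets with `openssl s_client -connect <public-ip>:443 -servername dras.callevanetworks.com` and again with the other hostname; a self-signed certificate will still produce the browser warning Paul describes until it is replaced by one the client trusts.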