Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 1404 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Complex web protection / reverse authentication & load balancing

David Crowder1

We have an internal web application that needs to be accessible via the outside world.  The web application uses two TCP ports (443 + 1443).

Currently we have our UTM set up with a reverse proxy only protecting 443, with 1443 open to the wide world.  Not ideal.  It also only points to a single internal server - no load balancing.

It looks something like this:

We need to add a second server, load balance, and protect port 1443 with the same authentication/login used on port 443 -- so that when a user successfully logs in to the Reverse Proxy on port 443, port 1443 is also opened up for the user.  And, it will open both ports to the same server (not a mix of 443 on server A and 1443 on server B).

It should look something like this:

This type of thing is possible with stand-alone load-balancing systems, such as BIG-IP or Kemp.  Is there a way to make this work using a Sophos UTM, so we do not have to purchase another physical or virtual device?

I have been reading the Sophos KB articles, but have not seen this complex of a scenario.

Advice very much appreciated.  Stereo instructions even more appreciated!



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thanks for reaching out, and welcome to the Sophos Community! 

    You can select multiple real web servers at Webserver Protection > Web Application Firewall > Virtual Webservers > Real Web servers to load-balance traffic. 

    Reference from the help menu: 

    "Real Webservers: Create a new real webserver or select the checkbox in front of the webserver you want to apply the firewall profile to. If you have mirroring webservers, you can also select more than one webserver. By default, traffic will be load-balanced between the selected webservers. The implemented request counting algorithm automatically assigns each new request to the web server with the lowest number of active requests at present. On the Site Path Routing tab, you can specify detailed balancing rules."

    Thanks,

  • 0 in reply to FormerMember

    Harsh,

    And the load-balancer can be configured to open up multiple ports with a single load-balance / reverse-proxy login?

    Thanks!

  • FormerMember
    0 FormerMember in reply to David Crowder1

    Hi ,

    No, you can only configure one port with the virtual web server configuration. You'd have to configure the second virtual server with the required port. 

    Thanks,

  • 0 in reply to David Crowder1

    Hi David and welcome to the UTM Community!

    As Harsh says, it's not possible to do load balancing with WAF while guaranteeing that both 443 and 1443 from the same IP will balance to the same server.  You can define a second Virtual Server on port 1443, but there's no way to do load balancing or even fail over without another tool between the UTM's WAF and your servers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML