
Mgmt interface IP and certificate

Hello,

I have Sophos UTM with the configuration:

eth0-WAN (I set up dynamic DNS xxx.ddns.net here)

eth1-LAN vlan

eth2-DMZ vlan

eth3-MGMT vlan

Questions:

1. I see the Webadmin GUI is reachable via the IP of any of the three interfaces above. Is there a way to set the GUI to be accessible on only one of the interfaces? (other than setting explicit firewall rules that block access to those particular IPs on port 4444).

2. I have configured a certificate with Let's Encrypt for xxx.ddns.net. When I access the Webadmin GUI on this hostname (from inside my networks or from the internet), the connection is secured, all good. When I access the GUI on the IP of any of the other interfaces (LAN/DMZ/MGMT as stated above), the connection is not secure. Is there a way to secure the connection to the GUI on the LAN/DMZ/MGMT IPs of the firewall? If not, then question 1 again.

 

My goal:

Restrict access to the Webadmin GUI from the internet, and allow it to be reachable only via the MGMT interface IP, coming from LAN and from VPN. At the same time, I want the User Portal to be accessible from the internet (for the VPNs). I want this scenario to be secured with a certificate.

Thanks.



  • Hi panicos,

    There is no way to set a listen interface for the webadmin.

    But you can define the allowed networks for the webadmin:

    Here you can set your MGMT network, so that only devices from the MGMT network can access the webadmin.

    Best Regards
    DKKDG

  • Thx DKKDG. This answers my first question. I still have the second question as well.

  • Hi panicos,

    There is always a secure connection when you connect via HTTPS to your UTM.

    The browser just says that the connection is not secure because the common name from the certificate does not match the URL you called.

    The traffic is encrypted whether the common name matches or not.

    But to your second question.

    It is not possible to bind multiple certificates to different interfaces.

    You use a name for your certificate, so just make DNS records for each network where the name points to the IP of the UTM in that specific network.

    Best Regards
    DKKDG

  • Again thanks DKKDG.

    "You use a name for your certificate, so just make DNS records for each network where the name points to the IP of the UTM in that specific network."

    Can you please be a bit more specific on this? Give me an example in my case. My hostname xxx.ddns.net is bound to the WAN interface; when I access the Webadmin GUI on another interface (let's say MGMT), coming from, let's say, LAN, how should I create that DNS record you mentioned?
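The following is an added example, not code from any participant in this thread or from Sophos. It models the two answers DKKDG gave: the "allowed networks" restriction for WebAdmin, and the split-horizon DNS idea in which xxx.ddns.net resolves to the UTM's MGMT address for internal and VPN clients while the internet keeps getting the public WAN address. It also shows why a browser warns on https://<IP>:4444 but not on https://xxx.ddns.net:4444: TLS encrypts either way, only the name check differs. All addresses, network ranges, the VPN pool and the zone names are assumptions made up for the example; xxx.ddns.net is the placeholder name from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example addressing for the poster's four-interface layout.
# xxx.ddns.net is the placeholder name from the thread; every IP below is an
# assumption (RFC 5737 documentation ranges for the internet side, RFC 1918 inside).
UTM_HOSTNAME = "xxx.ddns.net"
UTM_ADDRESSES = {
    "WAN": "203.0.113.10",     # the address the public DDNS record points at
    "LAN": "192.168.10.1",
    "DMZ": "192.168.20.1",
    "MGMT": "192.168.30.1",    # the only address WebAdmin should be reached on
}
NETWORKS = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("192.168.20.0/24"),
    "MGMT": ipaddress.ip_network("192.168.30.0/24"),
    "VPN": ipaddress.ip_network("10.242.2.0/24"),   # assumed remote-access VPN pool
}
# Source networks permitted to reach WebAdmin (the poster's goal: LAN and VPN,
# plus the MGMT network itself). DMZ and the internet are deliberately absent.
WEBADMIN_ALLOWED = {"LAN", "VPN", "MGMT"}


def client_zone(client_ip):
    """Map a client address to the zone it sits in; anything unmatched is 'WAN'."""
    ip = ipaddress.ip_address(client_ip)
    for zone, net in NETWORKS.items():
        if ip in net:
            return zone
    return "WAN"


def webadmin_allowed(client_ip):
    """Model of the 'allowed networks' check: is this source permitted at all?"""
    return client_zone(client_ip) in WEBADMIN_ALLOWED


def split_horizon_answer(client_ip, qname):
    """A record an internal resolver should return for the UTM's name.

    Internal and VPN clients get the MGMT address, so the browser's URL carries
    the certificate's name while the TCP connection lands on the MGMT interface.
    Internet clients keep getting the public WAN address (User Portal, VPN).
    """
    if qname.lower().rstrip(".") != UTM_HOSTNAME:
        return None  # not our record; defer to normal resolution
    if client_zone(client_ip) in WEBADMIN_ALLOWED:
        return UTM_ADDRESSES["MGMT"]
    return UTM_ADDRESSES["WAN"]


def name_matches(cert_names, requested_host):
    """RFC 6125-style check of a requested host against the cert's DNS names.

    A wildcard is honoured only as the whole leftmost label; an IP literal never
    matches a DNS name, which is exactly why https://192.168.30.1 is flagged.
    """
    host = requested_host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # cert carries DNS names only, so IP literals cannot match
    except ValueError:
        pass
    for pattern in cert_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
    return False


def https_verdict(url, cert_names=(UTM_HOSTNAME,)):
    """Return (encrypted, name_verified) the way a browser would judge the URL.

    Both parts are independent: TLS encrypts the session regardless of the name,
    and the warning the poster sees comes only from the second element.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return (False, False)
    return (True, name_matches(cert_names, parts.hostname or ""))


if __name__ == "__main__":
    for url in ("https://xxx.ddns.net:4444/", "https://192.168.30.1:4444/"):
        print(url, https_verdict(url))
    for client in ("192.168.10.25", "10.242.2.6", "192.168.20.5", "198.51.100.7"):
        print(client, client_zone(client), webadmin_allowed(client),
              split_horizon_answer(client, UTM_HOSTNAME))
```

With these assumptions, a LAN client asking for xxx.ddns.net is handed 192.168.30.1, opens https://xxx.ddns.net:4444, and the certificate name matches; the firewall's allowed-networks setting then decides whether that source may reach WebAdmin at all. On a resolver such as dnsmasq (an assumption about which resolver serves the internal networks) the equivalent static record would be `address=/xxx.ddns.net/192.168.30.1`, served only to internal clients so the public record for the User Portal stays untouched.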