Using differing SSL certificates for WebAdmin and user Portal

Good evening Community, 

I am a relatively new user of Sophos UTM. I have managed to manually install a Let's Encrypt certificate for the WebAdmin & User Portal and that works fine. Next step, automating this. 

However, in order to get to the WebAdmin, you have to be on the internal side of the UTM. From there it has a different server name. 

So the Let's Encrypt certificate is gw.domain.no while the internal servername is gw.domain.local. 

What I would like to implement is that the WebAdmin uses my AD CA certificate for gw.domain.local and the User Portal uses the Let's Encrypt certificate. Is there a way of accomplishing this? 

Thank you for your answers!

B/R

maul0r



  • Hi, Sebastian, and welcome to the UTM Community!

    In this case, I would recommend following The Zeroeth Rule in Rulz and then creating a forward Lookup Zone for domain.com so that gw.domain.no resolves to the same thing as gw.domain.local.  Will that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi! 

    Thank you for your answer. Just to make sure I understand, the suggestion is to ensure that my Sophos hostname and FQDN are publicly resolvable, i.e. gw.domain.no instead of my current gw.domain.local. 

    Then use my AD DNS to create the zone domain.com in order to ensure that my clients in the internal network can resolve gw.domain.local:4444 to the web admin? 

    If that's the case, then that is what I do not want to do. The reason being that client from within the domains should be able to resolve everything that is in the public dns domain.no as well. 

    I guess I could "mirror" my entries from my public DNS to my internal forward lookup zone, but that's neither elegant nor properly "engineered", is it? 

    I was looking for the "right" way of doing this - this feels a bit more like a "hack". 

  • Look up "split DNS" to see that this is an accepted practice.  A big advantage is that laptop users don't need two different FQDNs depending on whether they're inside the LAN (physically or via VPN) or out on the Internet.

    You're right that you must add to your Forward-Lookup Zone for domain.no an A-record for each public FQDN that should resolve to the same thing internally and externally.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How did you manage to get the cert?  Did you have to use the DNS challenge?

  • I see three different solutions to this problem.

    Restating your problem:

    utm.example.com is managed by external DNS and resolves to an external address on an external interface of UTM

    utm.example.local is managed by internal DNS and resolves to an internal address on an internal interface of UTM

    1) UTM MAGIC:  As long as your UTM is your firewall, or is on the path to your firewall, you should not need to do anything.   Use the external name.   UTM should hairpin the internal traffic as if it came in through the external interface.   I have not tested this personally because I have an oddball wiring configuration, but Sophos support assures me that they have tested it and it works.

    2) DNS MAGIC:  As alluded to in an earlier post, in your internal DNS, create a new ZONE for utm.example.com, and then create a default (no host name) host record in that zone for the internal address of UTM.  This has the effect of overriding the external DNS for this one name only. 

    3) CERTIFICATE MAGIC:   Buy a certificate for utm.example.com which also has a SAN (Subject Alternate Name) for utm.example.local.   Users can then connect to UTM using either name.   This may or may not be possible with Let's Encrypt, but it is common for commercially purchased certificates.  (But the extra SAN adds some cost.)

    This is such a common requirement, Sophos should have it in their documentation.
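    The post above turns on which names a certificate actually covers: a Let's Encrypt certificate issued for the public name does not validate for the .local name, and a certificate with both names in its Subject Alternative Name (option 3) covers either. The following script is an added example written for this thread, not code from Sophos or any poster; the certificates are constructed sample dictionaries in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the host names (`gw.example.no`, `utm.example.com`, `utm.example.local`) are placeholders standing in for the names discussed above. It implements the RFC 6125 SAN matching rules that browsers apply (wildcards only as the whole leftmost label, CN ignored) and flags SAN entries such as `.local` names, which publicly trusted CAs will not issue for and which therefore have to come from a private CA like the AD CA mentioned in the original question.

    ```python
    import ipaddress

    # Constructed sample certificates, in the shape ssl.SSLSocket.getpeercert()
    # returns, so the same functions can be run on a live peer certificate.
    LETSENCRYPT_CERT = {  # only the public name, as in the original post
        "subject": ((("commonName", "gw.example.no"),),),
        "subjectAltName": (("DNS", "gw.example.no"),),
    }
    SAN_CERT = {  # option 3: one certificate carrying both names plus an IP SAN
        "subject": ((("commonName", "utm.example.com"),),),
        "subjectAltName": (
            ("DNS", "utm.example.com"),
            ("DNS", "utm.example.local"),
            ("IP Address", "192.0.2.1"),
        ),
    }
    WILDCARD_CERT = {  # included to show how far a wildcard reaches
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
    }


    def _dns_name_matches(pattern: str, hostname: str) -> bool:
        """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
        and a wildcard is only honoured as the entire leftmost label, matching
        exactly one label."""
        pattern = pattern.lower().rstrip(".")
        hostname = hostname.lower().rstrip(".")
        if "*" not in pattern:
            return pattern == hostname
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False  # reject partial wildcards like "f*o.example.com" and "*.com"
        if len(p_labels) != len(h_labels):
            return False  # "*.example.com" does not cover "a.b.example.com"
        return p_labels[1:] == h_labels[1:]


    def cert_matches_host(cert: dict, host: str) -> bool:
        """True if `host` (a DNS name or an IP literal) is covered by the
        certificate's subjectAltName. The CN is deliberately ignored, as modern
        clients do."""
        sans = cert.get("subjectAltName", ())
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                       for kind, value in sans)
        return any(kind == "DNS" and _dns_name_matches(value, host)
                   for kind, value in sans)


    def internal_only_names(cert: dict) -> list:
        """DNS SANs that a publicly trusted CA will not issue for (non-public
        suffixes such as .local, or single-label names). These are the names
        that must come from a private CA, e.g. the AD CA in the original post."""
        found = []
        for kind, value in cert.get("subjectAltName", ()):
            if kind != "DNS":
                continue
            labels = value.lower().rstrip(".").split(".")
            if len(labels) < 2 or labels[-1] in ("local", "localhost"):
                found.append(value)
        return found


    def coverage_report(cert: dict, hosts) -> dict:
        """Map each host name to whether the certificate covers it."""
        return {h: cert_matches_host(cert, h) for h in hosts}


    if __name__ == "__main__":
        names = ["gw.example.no", "utm.example.com", "utm.example.local"]
        for label, cert in (("Let's Encrypt cert", LETSENCRYPT_CERT), ("SAN cert", SAN_CERT)):
            print(label, coverage_report(cert, names))
            print("  needs a private CA for:", internal_only_names(cert))
    ```

    Run against a live appliance, `ssl.create_default_context().wrap_socket(...)` followed by `getpeercert()` yields a dictionary in exactly this shape, so `coverage_report` can be used to confirm which of the two host names a deployed WebAdmin or User Portal certificate will validate for before switching DNS around.
    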

  • Hi

    Are you using certbot to get the certificates? I had a reverse proxy in front of my firewall. I then entered the fully qualified domain name into my Kennesaw public DNS server and provided it to certbot in the request. Hope that helps
