This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Using differing SSL certificates for WebAdmin and user Portal

Good evening Community, 

I am a relativley new user of Sophos UTM. I have managed to manually install an Let's Encrypt certificate for the WebAdmin & User portal and that works fine. Next Step, automating this. 

However, in order to get to the Webadmin, you have to be on the internal site of the UTM. From there it has a different server name. 

So the Let's Encrypt certificate is gw.domain.no while the internal servername is gw.domain.local. 

What I would like to implement is, that the Webadmin uses by AD CA certificate for gw.domain.local and the User Portal uses the Let's Encrypt Certificate. Is there a way of accomplishing this? 

Thank you for your answers!

B/R

maul0r



This thread was automatically locked due to age.
Parents
  • Hi, Sebastian, and welcome to the UTM Community!

    In this case, I would recommend following The Zeroeth Rule in Rulz and then then creating a forward Lookup Zone for domain.com so that gw.domain.no resolves to the same thing as gw.domain.local.  Will that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi! 

    Thank you for your answer. Just to make sure I understand, the suggestion is to ensure that my sophos hostname and fqn is public resolvable, i.e. gw.domain.no instead of my current gw.domain.local. 

    Then use my AD DNS to create the zone domain.com in order to ensure that my clients in the internal network can resolve gw.domain.local:4444 to the web admin? 

    If that's the case, then that is what I do not want to do. The reason being that client from within the domains should be able to resolve everything that is in the public dns domain.no as well. 

    I guess I could "mirror" my entries from my public dns to my internal fwd lookup zone but that's not neither elegant nor properly "engineered" is it? 

    I was looking for the "right" way of doing this - this feels a bit more like a "hack". 

Reply
  • Hi! 

    Thank you for your answer. Just to make sure I understand, the suggestion is to ensure that my sophos hostname and fqn is public resolvable, i.e. gw.domain.no instead of my current gw.domain.local. 

    Then use my AD DNS to create the zone domain.com in order to ensure that my clients in the internal network can resolve gw.domain.local:4444 to the web admin? 

    If that's the case, then that is what I do not want to do. The reason being that client from within the domains should be able to resolve everything that is in the public dns domain.no as well. 

    I guess I could "mirror" my entries from my public dns to my internal fwd lookup zone but that's not neither elegant nor properly "engineered" is it? 

    I was looking for the "right" way of doing this - this feels a bit more like a "hack". 

Children
  • Look up "split DNS" to see that this is an accepted practice.  A big advantage is that laptop users don't need two different FQDNs depending on whether they're inside the LAN (physically or via VPN) or out on the Internet.

    You're right that you must add to your Forward-Lookup Zone for domain.no an A-record for each public FQDN that should resolve to the same thing internally and externally.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA