
Using differing SSL certificates for WebAdmin and user Portal

Good evening Community, 

I am a relatively new user of Sophos UTM. I have managed to manually install a Let's Encrypt certificate for the WebAdmin & User Portal and that works fine. Next step, automating this. 

However, in order to get to the WebAdmin, you have to be on the internal side of the UTM. From there it has a different server name. 

So the Let's Encrypt certificate is gw.domain.no while the internal servername is gw.domain.local. 

What I would like to implement is that the WebAdmin uses my AD CA certificate for gw.domain.local and the User Portal uses the Let's Encrypt certificate. Is there a way of accomplishing this? 

Thank you for your answers!

B/R

maul0r



  • I see three different solutions to this problem.

    Restating your problem:

    utm.example.com is managed by external DNS and resolves to an external address on an external interface of UTM

    utm.example.local is managed by internal DNS and resolves to an internal address on an internal interface of UTM

    1) UTM MAGIC: As long as your UTM is your firewall, or is on the path to your firewall, you should not need to do anything. Use the external name. UTM should hairpin the internal traffic as if it came in through the external interface. I have not tested this personally because I have an oddball wiring configuration, but Sophos support assures me that they have tested it and it works.

    2) DNS MAGIC: As alluded to in an earlier post, in your internal DNS, create a new ZONE for utm.example.com, and then create a default (no host name) host record in that zone for the internal address of UTM. This has the effect of overriding the external DNS for this one name only.

    3) CERTIFICATE MAGIC: Buy a certificate for utm.example.com which also has a SAN (Subject Alternate Name) for utm.example.local. Users can then connect to UTM using either name. This may or may not be possible with Let's Encrypt, but it is common for commercially purchased certificates. (But the extra SAN adds some cost.)

    This is such a common requirement that Sophos should have it in their documentation.

  •  
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA