This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF with Wildcard Certificate and two Real Webservers

Hi,

 

I have the following Setup at my HomeServer Environment:

- Sophos UTM 9.5 as a VM 

- Two VMs with each 1 Webserver hosting a website

- A Third Party Wildcard certificate thats currently securing both sites

- Exchange Server Running on Port 443 as well with DNAT

 

Right now, WAF is not working for me. Im using DNAT at the moment. 

Server1 with Port 8442 and Sever2 with Port 8443. That works great - but I would like to Access them both on the same Port 443. 

 The Servers are using the Tomcat Webserver, and are each configured to listen on Port 8442 / 8443 - im not really a geek on that one. Just if its important...

I tried to get WAF working over the current Ports by deactivating the DNAT rule and manually created the Firewall rule to allow traffic on Ports 8442 / 8443. 
Sadly no connection. Attached are the configurations I did on my sophos.

 

Any help is appreciated! :)

 



This thread was automatically locked due to age.
Parents
  • Sounds like you need to study the documentation and get clear about the concepts before diving into the configuration.  Here is a short course on the key concepts:

    You create two "Real Webserver" objects, one for each of your Tomcat sites.   That configuration information includes what UTM needs to connect to it:  the target port, target hostname, and portocol (http/https).

    You create two "Virtual Webservers" objects, one for each Real Webserver.  That configuration includes the public IP, target port certificate, hostname, and protocol that internet users will use to connect to the UTM.

    You also need to create Site Path Routes to define the allowed entry paths into your website.  This prevents certain path-bypass attacks.  It also specifies what user authentication is used on each Site Path Route.

    You create a Firewall Profile, which can include restrictions on what IP addresses are allowed to connect, what rules are enforced, and similar matters.

    DNAT will bypass WAF.   Firewall rules should be ignored if WAF is configured correctly.

    UTM virtual webservers only need to be unique on IPAddress-Port-Hostname, so you can get your desired configuration.

Reply
  • Sounds like you need to study the documentation and get clear about the concepts before diving into the configuration.  Here is a short course on the key concepts:

    You create two "Real Webserver" objects, one for each of your Tomcat sites.   That configuration information includes what UTM needs to connect to it:  the target port, target hostname, and portocol (http/https).

    You create two "Virtual Webservers" objects, one for each Real Webserver.  That configuration includes the public IP, target port certificate, hostname, and protocol that internet users will use to connect to the UTM.

    You also need to create Site Path Routes to define the allowed entry paths into your website.  This prevents certain path-bypass attacks.  It also specifies what user authentication is used on each Site Path Route.

    You create a Firewall Profile, which can include restrictions on what IP addresses are allowed to connect, what rules are enforced, and similar matters.

    DNAT will bypass WAF.   Firewall rules should be ignored if WAF is configured correctly.

    UTM virtual webservers only need to be unique on IPAddress-Port-Hostname, so you can get your desired configuration.

Children
No Data