
https://passthrough.fw-notify.net and Portforwarding 443 (NAT)

SG 125 UTM9

Hi,

We use a transparent proxy with authentication against LDAP. If a user enters a URL, he is redirected to https://passthrough.fw-notify.net and has to log in.
Because of SSL certificate problems with iOS devices, we changed this URL to our own domain and gave it a public IP. Now passthrough.ourselfdomain.com appears for the login. That's fine. We cannot add the UTM certificate, because the mobiles are private.


Now we want to use the same public IP address and port 443 for an internal web server and forward this IP/port via NAT.
Result: the address https://passthrough.ourselfdomain.com is forwarded to the web server and the login page does not appear.

Does anyone have an idea to make both work?
Thank you, Heiko.



  • You can't.

    Either the web server on the UTM public IP occupies port 443 or port forwarding does. Both at the same time is impossible.

  • Do you think it will be possible to change the port to 8443? e.g. https://passthrough.ourselfdomain.com:8443?

  • I don't think that's possible. I wouldn't even know where to start to change the hostname of the passthrough authentication. If that's under Web Protection > Filtering Options > Misc > Certificate for End-User Pages, then I'd say no, because there is no option to change the port of the internal UTM web server.

  • Hello Heiko,

    Agreed with Florian on using NAT.

    We don't know much about your configuration, but you might be able to use Webserver Protection. You would create two Virtual Servers using port 443; one for passthrough.ourselfdomain.com and the other for website.ourselfdomain.com. Let us know if that works for you. If you need help configuring that, please open a new thread in the Web Server Security forum.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
    you're right, and it works now with a reverse proxy on the UTM.
    In a school I have a webmail server (TCP 443), which I need for public access from outside. Inside the school I need, for WLAN access, the authentication against LDAP (eDirectory) from the UTM with the login page.
    Because https://passthrough.fw-notify.net does not work for iOS (because of the wrong certificate), I changed the domain and deployed a Let's Encrypt certificate for passthrough.ourselfdomain.com.
    Thank you, Heiko
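
The setup Bob described and Heiko confirmed puts two hostnames behind one public IP on port 443, so the reverse proxy has to pick the right Virtual Server from the TLS server name (SNI), and each name has to present a certificate that client devices trust (the iOS problem above). The following check is an added example, not code from the thread or from Sophos: it connects to the shared IP once per hostname with that name as SNI and reports whether the served certificate's SAN covers the name and whether the chain validates against the local CA store. The IP and hostnames are command-line arguments; the sample certificate dict is constructed in the shape `ssl` returns.

```python
import socket
import ssl
from fnmatch import fnmatchcase

# Constructed sample in the shape SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "passthrough.ourselfdomain.com"),),),
    "subjectAltName": (("DNS", "passthrough.ourselfdomain.com"),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
}

def san_names(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(cert, hostname):
    """True if a SAN entry covers hostname; a wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and fnmatchcase(host, name):
                return True
        elif name == host:
            return True
    return False

def probe(ip, hostname, port=443, timeout=5):
    """TLS-connect to ip:port with hostname as SNI and report trust and SAN match.
    The default context verifies the chain against the local CA store, which is the
    same decision an iOS device makes when it sees the UTM's own certificate."""
    ctx = ssl.create_default_context()
    result = {"hostname": hostname, "trusted": False, "name_ok": False, "error": None}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                result["trusted"] = True
                result["name_ok"] = name_matches(cert, hostname)
                result["issuer"] = cert.get("issuer")
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "chain/hostname rejected: " + exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    import sys
    shared_ip = sys.argv[1]        # the one public IP both Virtual Servers share
    for host in sys.argv[2:]:      # e.g. passthrough.ourselfdomain.com website.ourselfdomain.com
        print(probe(shared_ip, host))
```

A result with `trusted` False and a "self signed" or "unable to get local issuer" message means the proxy served the UTM's own certificate for that name rather than the Let's Encrypt one.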

  • Last challenge is the deployment of the LE certificate, generated on a separate Linux box. I need to upload it to the UTM periodically, but automatically. Do you know a good source for the REST API with some samples for the UTM?

  • I don't, Heiko - sounds like a good question for the Web Server Security forum.

    Cheers - Bob

  • We use the same construct for our Exchange OWA.

    I just run multiple LE certificates. One that resides on the UTM, updating there, and one on the Exchange server. Both are totally separate.

    UTM Connects to Exchange just fine.

    From the end user's point of view, unless they know how to check certificate serial numbers, both are indistinguishable.