SG 125 UTM9

Hi,
we use a transparent proxy with authentication against LDAP. If a user enters a URL, he is redirected to https://passthrough.fw-notify.net and has to log in. Because of SSL certificate problems with iOS devices, we changed this URL to our own domain and gave it a public IP. Now passthrough.ourselfdomain.com appears for the login. That's fine. We cannot add the UTM certificate, because the mobiles are private devices.

Now we want to use the same public IP address and port 443 for an internal webserver and forward this IP/port via NAT. Result: the address https://passthrough.ourselfdomain.com is forwarded to the webserver and the login page does not appear. Does anyone have an idea how to make both work?

Thank you, Heiko
Agreed with Florian on using NAT.
Either the webserver on the UTM public IP occupies port 443 OR port forwarding does. Both at the same time is impossible.
Do you think it would be possible to change the port to 8443, e.g. https://passthrough.ourselfdomain.com:8443?
I don't think that's possible. I wouldn't even know where to start to change the hostname of the passthrough authentication. If that's under Web Protection > Filtering Options > Misc > Certificate for End-User Pages, then I'd say no, because there is no option to change the port of the internal UTM webserver.
We don't know much about your configuration, but you might be able to use Webserver Protection. You would create two Virtual Servers using port 443; one for passthrough.ourselfdomain.com and the other for website.ourselfdomain.com. Let us know if that works for you. If you need help configuring that, please open a new thread in the Web Server Security forum.
Cheers - Bob
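The reason Bob's two-virtual-server approach can share one public IP and port 443 while plain NAT cannot is the Server Name Indication (SNI) extension: a destination NAT rule only sees IP and port, but a TLS-terminating reverse proxy reads the requested hostname out of the plaintext ClientHello before any key exchange and can dispatch on it. The following is an added example, not code from the thread or from Sophos: it builds a constructed ClientHello, extracts the SNI the way a proxy front end does, and routes it to one of two hypothetical backends named after the hosts in the thread. The backend names and the dispatch table are assumptions for illustration.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    This is constructed test input for the parser below, not a capture.
    """
    host = server_name.encode("ascii")
    # ServerName entry: name_type host_name(0), 2-byte length, the name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed, constructed)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # cipher_suites: one suite
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None.

    Only the plaintext ClientHello is inspected; no decryption is needed,
    which is exactly why a proxy can dispatch on it while NAT cannot.
    """
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) != body_len:
            return None
        pos = 2 + 32                               # skip version and random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        if pos + 2 > len(body):
            return None                            # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                    # not server_name
                continue
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Hypothetical dispatch table: the two virtual servers from Bob's suggestion.
BACKENDS = {
    "passthrough.ourselfdomain.com": "utm-end-user-pages",
    "website.ourselfdomain.com": "internal-webserver",
}


def route(record: bytes) -> str:
    """Pick the backend for one ClientHello; unknown or missing SNI is rejected."""
    return BACKENDS.get(extract_sni(record), "reject")


if __name__ == "__main__":
    for host in BACKENDS:
        print(host, "->", route(build_client_hello(host)))
```

Two practical consequences follow from the mechanism. First, each virtual server must present a certificate that matches its own SNI name, so the Let's Encrypt certificate for passthrough.ourselfdomain.com and the webmail server's certificate are separate objects on the UTM. Second, a client that sends no SNI (or an unknown name) should be rejected rather than handed a default backend, otherwise the internal webserver leaks through on raw-IP connections.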
Hi Bob,

you're right, and it works now with a reverse proxy on the UTM. In a school I have a webmail server (TCP 443), which I need for public access from outside. Inside the school, for WLAN access, I need the authentication against LDAP (eDirectory) from the UTM with the login page. Because https://passthrough.fw-notify.net does not work for iOS (because of the wrong certificate), I changed the domain and deployed a Let's Encrypt certificate for passthrough.ourselfdomain.com.

Thank you, Heiko
The last challenge is the deployment of the LE certificate, generated on a separate Linux box. I need to upload this to the UTM periodically, but automatically. Do you know a good source for the REST API with some samples for the UTM?
I don't, Heiko - sounds like a good question for the Web Server Security forum.
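Since the thread leaves Heiko's automation question open, here is an added example (not posted by anyone in the thread and not Sophos code) of the shape such a deploy hook takes on the Linux box that runs certbot. The REST endpoint, the `ca/host_key_cert` object type, its field names, the `PATCH` method and the Basic-auth form of the token are assumptions about the UTM 9.4+ REST API that must be confirmed against the interactive API reference on your own UTM (https://<utm>:4444/api/). The environment variable names `UTM_HOST`, `UTM_API_TOKEN`, `UTM_CERT_REF` and `UTM_CA_FILE` are hypothetical; `RENEWED_LINEAGE` is the variable certbot itself sets for deploy hooks.

```python
"""Push a renewed Let's Encrypt certificate to a Sophos UTM over its REST API.

Meant to run as a certbot deploy hook on the separate Linux box.
Endpoint, object type, field names and HTTP method are ASSUMPTIONS about
the UTM 9.4+ REST API; confirm them at https://<utm>:4444/api/ first.
"""
import base64
import json
import os
import ssl
import urllib.request


def build_auth_header(api_token: str) -> str:
    """UTM REST tokens travel as HTTP Basic auth with user name 'token' (assumption)."""
    raw = f"token:{api_token}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_cert_payload(name: str, cert_pem: str, key_pem: str, comment: str = "") -> dict:
    """Body for a ca/host_key_cert object (field names assumed, see module docstring).

    Refuses obviously wrong input so that a botched renewal does not replace a
    working certificate with garbage.
    """
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("cert_pem is not a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("key_pem is not a PEM private key")
    return {
        "name": name,
        "comment": comment,
        "certificate": cert_pem,
        "key": key_pem,
        "encrypted": False,
    }


def upload_certificate(utm_host: str, api_token: str, object_ref: str,
                       payload: dict, utm_ca_file: str) -> int:
    """PATCH the existing host_key_cert object identified by object_ref.

    utm_ca_file pins the WebAdmin CA so the private key is never sent to a
    host we have not verified; do not 'fix' certificate errors by disabling
    verification here.
    """
    url = f"https://{utm_host}:4444/api/objects/ca/host_key_cert/{object_ref}"
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="PATCH")
    req.add_header("Authorization", build_auth_header(api_token))
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context(cafile=utm_ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


def main() -> None:
    # certbot sets RENEWED_LINEAGE for deploy hooks; the UTM_* names are hypothetical
    lineage = os.environ["RENEWED_LINEAGE"]   # e.g. /etc/letsencrypt/live/passthrough.ourselfdomain.com
    with open(os.path.join(lineage, "fullchain.pem")) as f:
        cert_pem = f.read()
    with open(os.path.join(lineage, "privkey.pem")) as f:
        key_pem = f.read()
    payload = build_cert_payload("passthrough.ourselfdomain.com LE", cert_pem, key_pem,
                                 comment="renewed by certbot deploy hook")
    status = upload_certificate(
        os.environ["UTM_HOST"],          # e.g. utm.ourselfdomain.com
        os.environ["UTM_API_TOKEN"],     # token whose role is limited to certificate objects
        os.environ["UTM_CERT_REF"],      # REF_... of the existing host_key_cert object
        payload,
        os.environ["UTM_CA_FILE"],       # PEM of the UTM WebAdmin CA, exported once
    )
    print("UTM answered", status)


if __name__ == "__main__":
    main()
```

Invoke it from certbot with `--deploy-hook /path/to/this_script.py` so it only runs after a successful renewal. The private key crosses the network here, so the two things worth getting right before any API detail are that the API token belongs to a role restricted to certificate objects rather than an admin token, and that the UTM's WebAdmin CA is pinned instead of verification being switched off.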
We use the same construct for our Exchange OWA.
I just run multiple LE certificates: one that resides on the UTM and updates there, and one on the Exchange server. Both are totally separate.
UTM Connects to Exchange just fine.
From the end-user point of view, unless they know how to check certificate serial numbers, both are indistinguishable.