
Can I publish several HTTP only internal websites using a single IP using WAP?

I'm used to TMG, and we use a single TMG listener when publicly reverse proxying internal sites that only need to use HTTP, e.g. several sites with the same IP in public DNS and a single firewall IP-to-IP NAT rule natting to the single TMG listener IP. (NOTE: our proxies are installed as backend proxies and not edge devices.)

I'm about to start migrating our internal reverse proxied sites away from our TMGs to our UTMs. I know that I have to create new virtual servers for each published HTTPS website, presumably each needing its own additional IP (which we did on TMG using separate HTTPS listeners and IPs for each published site), but I'm hoping that I can assign all of my HTTP-only virtual servers to a single additional IP on the UTM interface to minimise the number of IPs that I need to add to the UTM interface.

And yeah I realise that all of our sites should ideally be HTTPS but you know what it's like convincing web devs  :)

cheers

Mark

  • Mark, if you have appropriate certs, you can make all of your sites HTTPS. In fact, WAF can force the use of HTTPS even when a user attempts to connect with HTTP. The connection to the Real Server on the back end can be either HTTP or HTTPS. In fact, doing HTTPS only in WAF takes the encryption/decryption load off your web servers. Yes, you should be able to use only a single public IP on your WAN connection.

    I've no experience with TMG. If each of your sites has a separate IP on your web servers, then you will need Virtual and Real servers for each.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your help Bob

    I'd love to configure all sites over HTTPS but unfortunately that's out of my hands and is in the hands of the web devs but someday hopefully.

    Yes, we do have sites on different web servers, so they do have different web server IPs, so each will need separate Real and Virtual servers. However, can each Virtual server be given the same IP (UTM interface additional IP), which would mean only needing one edge firewall NAT rule between the single public IP and the UTM Virtual server IP?

  • Oh, I have a second question too, although I'm probably just being stupid.

    We use a SUM and are creating as many network definitions as possible on the SUM and deploying to the UTM arrays.

    Now when I create a Real server should I create a local UTM network definition or can I create the host definition on the SUM and then select this deployed host when creating the Real server? 

    The only difference that I can see is that when you create the host definition on the UTM you have the additional interface field, which isn't present when you deploy the host definition from the SUM. However, if I'm following the advice, which seems to be to leave the interface set to Any, then does this matter?

    thanks

    Mark

  • "I'd love to configure all sites over HTTPS but unfortunately that's out of my hands and is in the hands of the web devs but someday hopefully." The UTM can be configured to do it without the web devs having to do a thing.

    Yes - a single NAT.

    Cheers - Bob

    PS: One of our unwritten rules here is "One topic per thread" - that makes it easier for people to find answers quickly here without having to go through asking a question that's already been answered. Your second question deserves its own thread in the UTM Manager forum.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
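As an added illustration of why several HTTP-only virtual servers can share one listener IP (example code written for this page, not Sophos UTM code and not posted by anyone in the thread): a reverse proxy tells the sites apart by the HTTP Host header rather than by address, and it can upgrade the public leg to HTTPS while the Real Server on the back end keeps speaking plain HTTP. The hostnames, backend addresses and requests below are made up.

```python
"""Name-based dispatch of several sites behind ONE listener IP, plus
HTTP -> HTTPS enforcement at the proxy. Constructed example; the
virtual-server table and requests are invented for illustration."""

# Virtual-server table keyed by public hostname. Every entry is reached via
# the same public IP / same NAT rule; only the Host header differs.
VIRTUAL_SERVERS = {
    "intranet.example.com": {"real_server": "http://10.0.1.10:80",   "force_https": False},
    "wiki.example.com":     {"real_server": "http://10.0.1.20:8080", "force_https": True},
}


def canonical_host(host_header):
    """Lower-case the Host header and drop any :port suffix.
    IPv6 literals such as [2001:db8::1]:8443 keep their brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def route(host_header, scheme, path):
    """Decide what the proxy does with one request.

    Returns an (action, target) tuple:
      ("redirect", url)   client came in over HTTP but the site enforces HTTPS
      ("proxy", url)      forward to the Real Server on the back end
      ("reject", reason)  no virtual server matches the Host header
    """
    if not host_header:
        # HTTP/1.1 requires Host; without it there is nothing to dispatch on.
        return ("reject", "missing Host header")
    host = canonical_host(host_header)
    site = VIRTUAL_SERVERS.get(host)
    if site is None:
        # Unknown name on the shared IP: refuse rather than fall through
        # to an arbitrary backend.
        return ("reject", "unknown host %s" % host)
    if scheme == "http" and site["force_https"]:
        # Public leg is upgraded; the backend connection stays plain HTTP.
        return ("redirect", "https://%s%s" % (host, path))
    return ("proxy", site["real_server"] + path)
```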