Webserver protection setup problems

Question

I'm attempting to set up Sophos UTM as Webserver protection, right now behind a different firewall, and running into issues. Looking at Sophos I may just use it as the main firewall in the future, but for now it has to be behind another as reverse proxy. 
 
 Main firewall - 10.1.1.9 
 Sophos - one NIC (I think as bridge mode?), 10.1.1.8 
 Webserver - 10.1.1.16 
 
 I have the main firewall forwarding port 80 traffic to Sophos. 
 
 In Sophos I've set up the real and virtual webservers. I have Pass host header enabled in the virtual web server. In Network Protection I've set up a firewall rule allowing port 80 traffic from any source to the Internal network. 
 
 At present I have no NATs set up as some of the documentation I was reading said NATs would effectively bypass the Webserver Protection. 
 
 On the webserver I've set up Sophos as Trusted Proxy, mostly so the real IPs will come through. 
 
 On Sophos I do see web traffic coming into the box, but the websites do not come up. I don't see the web traffic in the access or error logs of the webserver. I haven't done any network sniffing yet to see if they are getting there. The live web server protection logs don't show any sort of logging to indicate traffic. 
 
 Can anyone point me in the right direction, some documentation or how-tos? I'm stuck. I appreciate any help.

DouglasFoster · Answer

1) I do not believe that you do not have bridge mode. Bridge mode looks like this: 
 Switch --- UTM --- Firewall 
 Two (or more) physical interfaces are bound together as one logical interface to UTM. Everything going to the firewall has to pass through UTM. 
 From your description, you have this: 
 Switch --- UTM \____________ Firewall 
 In this mode, UTM only sees traffic that targets one of its addresses, so it can only do Standard Mode functions. For more detail on Standard and Transparent mode functions, see this post: 
 https://community.sophos.com/products/unified-threat-management/f/general-discussion/100848/how-to-understand-utm-port-usage 
 2) Basic process that I use for configuring a webserver: 
 On UTM 
 
 Configure the real webserver and test it internally 
 Get an SSL Certificate for the website so you can use HTTPS, which provides proof of server identity as well as encryption. 
 Configure an Additional Network Address on UTM. (Using the primary address will create conflicts with the user portal.) Since UTM is behind your firewall, this will be an internal address. 
 Create the virtual webserver and assign it to the chosen IP address and the (recommended) SSL certificate. 
 Enable the webserver. If it can connect to the real webserver, the status indicator will go green. (May need to navigate away and come back to see the correct status light.) 
 
 On a test machine with an internal IP address 
 
 Create a HOSTS file entry to force your test traffic to target the UTM virtual webserver address instead of the real webserver address. 
 Enable a firewall profile with all protections enabled but in monitor mode. 
 Do all of your tests 
 Review the logs and disable tests that are throwing false positives. 
 Decide whether to deploy to the internet in Monitor Mode or Reject Mode 
 
 On the firewall 
 
 Create a NAT rule from the chosen Internet address to the UTM virtual webserver address. 
 Test again from an external PC. 
 Enable Reject mode