This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM different HTTPS websites on one public IP

Hello

I have seen the current question has been posted in various forums but other than saying "yes this can be done" there does not appear to be any clear documentation on HOW to do this.

Can someone please help me with a document or screenshots on HOW to configure multiple SSL websites through a Sophos UTM with one public IP Address? 

Thank you in advance for your help.



This thread was automatically locked due to age.
Parents
  • In the webserver protection you can select different URLs in the virtual servers and redirect them to different real servers.

    In (public?) DNS you have to point all URLs to the same IP

  • I have created 2 separate Real Web servers and 2 separate Virtual web servers.

    I have also registered the 2 different URL's in the public DNS to point to the same Public IP Address.

    They both work, as the first one is coming through Port 443 and the second one through Port 80.

    If I change the second web server Port 80 to Port 443, it resolves to the webpage of the first web server (my Exchange OWA page)

    How do I stop this from happening?

    I have tried creating an "Additional Addresses" on the interface with its own IP Address and using this. It makes no difference, it still resolves to the first web page (Exchange OWA)

  • Do your virtual webservers have different domains / subdomains? The virtual webserver should be selected based on the FQDN of the request.

    Have you checked the logs? 

    what version of Exchange are you trying to provide WAF for? A while ago there used to be a config guide for WAF/Exchange. I keep an old config guide around in case they disappear from the web. Let me see if I can find a link.

    EDIT: Shame. It looks like the config guide has been put behind a paywall "SophServ." let me know what version of Exchange you're running and I can see if I can get a copy to you. Someone also has a tutorial online as well: networkguy.de/.../

  • They are both part of the same Domain, "mail.mydomain.com" and "orders.mydomain.com" 

    I have a "mail.mydomain.com" certificate and I also have a "*.mydomain .com" wild card certificate.

    I am using the mail certificate for Exchange and the wild card for the second web server.

    The Exchange server has been working for 3 years through the UTM, with no issues at all, so the configuration is good.

    It was Exchange 2013 I have upgraded to Exchange 2016 about 6 months ago, but as I say, Exchange works fine.

    It is trying to add a second web server that has been a challenge for me?

    Thanks for the link.

  • so the problem is when you go to orders.mydomain.com it is redirecting you to something else? Which virtual webserver is the request being handled by (should say in the logs). Do both virtual webservers have the same backend or different "real" servers?

  • "so the problem is when you go to orders.mydomain.com it is redirecting you to something else?" - Yes it goes to the OWA page.

     "Do both virtual webservers have the same backend or different "real" servers?" - Different "real" webservers.

  • As a trouble shooting step, you could try disabling your owa front end (virtual server) and seeing what happens (error vs going to the correct backend/real server. If it works when the owa virtual webserver is disabled, you might have a site path routing issue. 

    A less destructive/intrusive way to gather info would be to watch the logs while the request comes in and see what it says, what virtual server is handling the request and what backend it's selecting. 

Reply
  • As a trouble shooting step, you could try disabling your owa front end (virtual server) and seeing what happens (error vs going to the correct backend/real server. If it works when the owa virtual webserver is disabled, you might have a site path routing issue. 

    A less destructive/intrusive way to gather info would be to watch the logs while the request comes in and see what it says, what virtual server is handling the request and what backend it's selecting. 

Children
  • Thanks Aaron.

    I have been rubbish at reading the Sophos logs. Which log should I be looking at whilst connecting to the web page?

  • Webserver Protection> Web Application Firewall (WAF) (left) >

    Virtual Webservers (top left tab)
    and immediately under +New Virtual Webserver click "Open Live Log" 
    You're going to see a line with something similar to this in it: It'll also have your public request and server IPs in there, make sure to keep those private before posting if you so choose. 

    url="/" server="targetdomain.com" port="443" 

  • I cannot see any connections in this log?

    Here is the output I get.

    2021:01:26-09:22:50 SophosFW httpd[31390]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOrders] does not exist
    2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:notice] [pid 6104:tid 4147730112] AH00297: SIGUSR1 received. Doing graceful restart
    2021:01:26-09:22:50 SophosFW httpd[6104]: [remoteip:notice] [pid 6104:tid 4147730112] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:notice] [pid 6104:tid 4147730112] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2021:01:26-09:22:50 SophosFW httpd[6104]: [core:notice] [pid 6104:tid 4147730112] AH00094: Command line: '/usr/apache/bin/httpd'
    2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:warn] [pid 6104:tid 4147730112] AH00291: long lost child came home! (pid 31113)
    2021:01:26-09:22:51 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="26700" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1425" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YA8omyvSuuRqPBRvLe64BAAAAAw"
    2021:01:26-09:22:51 SophosFW httpd[31453]: Restarted
    2021:01:26-12:24:18 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="164" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1016" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YA9TItuPDAOxmluGM20WLgAAAAA"
    2021:01:26-12:24:27 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="164" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="305" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YA9TK9uPDAOxmluGM20WLwAAAAE"

    And I have prompted connections to both HTTP & HTTPS

  • The device you're using to generate the request isn't behind (local to) the firewall, is it?

  • No, I am, connecting from another server completely outside of the network.

  • any DNAT rules that could apply? I'm not 100% sure of the processing order (I know it's around here somewhere) but if you're NAT'ing (port forwarding) 443/80 to the webserver, it could be bypassing the WAF? 
    When you make a request to OWA does it show logs on the WAF logs? 
    Turn off the WAF entirely, does your external access to OWA break (or the weird redirect issue occur)? 

  • I have DNAT rules for the Exchange /OWA/Autodiscover and a DNAT rule for HTTP connection to the second webserver

  • As I understand the architecture of the Sophos, and I'm not an expert nor an employee/official support, a DNAT will override the WAF. You need to pick one to use. the WAF is going to look at the URL and assign the appropriate backend, the DNAT isn't. In order to have all your subdomains come into the same IP, I think you'd have to use the WAF and cut the DNAT rules. The DNAT rule is probably taking all the requests to (your public IP- it doesn't care about the url) and sending them to your owa backend server. 

  • I will try disabling all the DNAT rules and see what happens and get back to you, thanks Aaron.

  • Hi Aaron, when I disable the DNAT the website does not work on port 80.