
Sophos UTM different HTTPS websites on one public IP

Hello

I have seen the current question has been posted in various forums but other than saying "yes this can be done" there does not appear to be any clear documentation on HOW to do this.

Can someone please help me with a document or screenshots on HOW to configure multiple SSL websites through a Sophos UTM with one public IP Address? 

Thank you in advance for your help.



  • In the webserver protection you can select different URLs in the virtual servers and redirect them to different real servers.

    In (public?) DNS you have to point all URLs to the same IP

  • I have created 2 separate Real Web servers and 2 separate Virtual web servers.

    I have also registered the 2 different URLs in the public DNS to point to the same Public IP Address.

    They both work, as the first one is coming through Port 443 and the second one through Port 80.

    If I change the second web server Port 80 to Port 443, it resolves to the webpage of the first web server (my Exchange OWA page)

    How do I stop this from happening?

    I have tried creating an "Additional Address" on the interface with its own IP Address and using this. It makes no difference, it still resolves to the first web page (Exchange OWA).

  • As a troubleshooting step, you could try disabling your OWA front end (virtual server) and seeing what happens (error vs. going to the correct backend/real server). If it works when the OWA virtual webserver is disabled, you might have a site path routing issue.

    A less destructive/intrusive way to gather info would be to watch the logs while the request comes in and see what it says, what virtual server is handling the request and what backend it's selecting. 

  • Thanks Aaron.

    I have been rubbish at reading the Sophos logs. Which log should I be looking at whilst connecting to the web page?

  • Webserver Protection> Web Application Firewall (WAF) (left) >

    Virtual Webservers (top left tab)
    and immediately under +New Virtual Webserver click "Open Live Log" 
    You're going to see a line with something similar to this in it (it'll also have your public request and server IPs in there; make sure to keep those private before posting, if you so choose):

    url="/" server="targetdomain.com" port="443" 

  • I cannot see any connections in this log?

    Here is the output I get.

    2021:01:26-09:22:50 SophosFW httpd[31390]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOrders] does not exist
    2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:notice] [pid 6104:tid 4147730112] AH00297: SIGUSR1 received. Doing graceful restart
    2021:01:26-09:22:50 SophosFW httpd[6104]: [remoteip:notice] [pid 6104:tid 4147730112] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:notice] [pid 6104:tid 4147730112] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2021:01:26-09:22:50 SophosFW httpd[6104]: [core:notice] [pid 6104:tid 4147730112] AH00094: Command line: '/usr/apache/bin/httpd'
    2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:warn] [pid 6104:tid 4147730112] AH00291: long lost child came home! (pid 31113)
    2021:01:26-09:22:51 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="26700" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1425" url="/status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YA8omyvSuuRqPBRvLe64BAAAAAw"
    2021:01:26-09:22:51 SophosFW httpd[31453]: Restarted
    2021:01:26-12:24:18 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="164" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1016" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YA9TItuPDAOxmluGM20WLgAAAAA"
    2021:01:26-12:24:27 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="164" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="305" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YA9TK9uPDAOxmluGM20WLwAAAAE"

    And I have prompted connections to both HTTP & HTTPS
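
The lines posted above only show the UTM's own health checks (`server="localhost:4080"`, `url="/lb-status"`); there is no `id="0299"` line for an outside client, which is what the earlier advice says to look for (`url=... server=... port=...`). The following is an added example, not code from the thread or from Sophos: it parses the WAF live log's `key="value"` fields and separates internal health checks from real client requests, so you can tell at a glance whether any external request reached a virtual webserver at all. The first lines of the sample are modelled on the output posted above; the last line is a constructed example of an external hit, with `198.51.100.23`, `203.0.113.10` and `orders.example.com` as placeholder values.

```python
import re
from typing import Dict, List

# Apache-style key="value" pairs as written by the UTM WAF (Apache httpd) live log.
# Key names may contain hyphens (set-cookie) and underscores (websocket_scheme).
_KV_RE = re.compile(r'([A-Za-z_][\w-]*)="([^"]*)"')

# Constructed sample, modelled on the thread's posted lines: one httpd notice and one
# health check the UTM issues against its own listener on localhost:4080.
POSTED_LOG = (
    "2021:01:26-09:22:50 SophosFW httpd[6104]: [mpm_worker:notice] [pid 6104:tid 4147730112] "
    "AH00297: SIGUSR1 received. Doing graceful restart\n"
    '2021:01:26-12:24:18 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" '
    'size="164" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" '
    'exceptions="-" time="1016" url="/lb-status" server="localhost:4080" port="80" query="" '
    'referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" '
    'websocket_key="-" websocket_version="-" uid="YA9TItuPDAOxmluGM20WLgAAAAA"\n'
)

# Constructed line showing what a request from an outside client would look like
# once it actually reaches a virtual webserver (all addresses/names are placeholders).
CONSTRUCTED_EXTERNAL_LINE = (
    '2021:01:26-12:25:01 SophosFW httpd: id="0299" srcip="198.51.100.23" localip="203.0.113.10" '
    'size="26700" user="-" host="198.51.100.23" method="GET" statuscode="200" reason="-" extra="-" '
    'exceptions="-" time="1425" url="/" server="orders.example.com" port="443" query="" '
    'referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" '
    'websocket_key="-" websocket_version="-" uid="CONSTRUCTEDEXAMPLE0000000000"\n'
)

SAMPLE_LOG = POSTED_LOG + CONSTRUCTED_EXTERNAL_LINE

# The UTM polls these paths on its own loopback listener; they are not client traffic.
_HEALTH_PATHS = {"/status", "/lb-status"}


def parse_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one log line ({} for plain httpd notices)."""
    return dict(_KV_RE.findall(line))


def is_health_check(fields: Dict[str, str]) -> bool:
    """True for the UTM's internal poll of localhost:4080/status or /lb-status."""
    return (fields.get("server", "").startswith("localhost:")
            and fields.get("url") in _HEALTH_PATHS)


def summarize(log_text: str) -> Dict[str, object]:
    """Split a WAF live-log capture into notices, health checks and real client requests.

    Each real request is reduced to the fields that identify which virtual webserver
    handled it: the client address, the requested hostname (server=), port and path.
    """
    summary: Dict[str, object] = {"notices": 0, "health_checks": 0, "external": []}
    external: List[Dict[str, str]] = summary["external"]  # type: ignore[assignment]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        if fields.get("id") != "0299":        # startup/restart notices, not access records
            summary["notices"] += 1           # type: ignore[operator]
            continue
        if is_health_check(fields):
            summary["health_checks"] += 1     # type: ignore[operator]
            continue
        external.append({k: fields.get(k, "-")
                         for k in ("srcip", "server", "port", "url", "statuscode")})
    return summary


def waf_saw_external_traffic(log_text: str) -> bool:
    """False when the capture holds nothing but the UTM's own health checks.

    That is the situation in the thread: requests never reached the WAF because a
    DNAT rule forwarded ports 80/443 straight to a backend instead.
    """
    return bool(summarize(log_text)["external"])


if __name__ == "__main__":
    for label, text in (("posted lines", POSTED_LOG), ("with constructed hit", SAMPLE_LOG)):
        s = summarize(text)
        print(f"{label}: notices={s['notices']} health_checks={s['health_checks']}")
        for req in s["external"]:  # type: ignore[union-attr]
            print(f"  client {req['srcip']} -> server={req['server']} port={req['port']} url={req['url']}")
        if not waf_saw_external_traffic(text):
            print("  no external request reached a virtual webserver (check DNAT rules)")
```

Run it against a capture taken while you browse to the site from outside: if every `id="0299"` line is a loopback health check, the WAF never saw the connection and something in front of it (in this thread, the DNAT rules) is delivering the traffic elsewhere; if a line appears, `server=` and `port=` tell you which virtual webserver matched.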

  • The device you're using to generate the request isn't behind (local to) the firewall, is it?

  • No, I am connecting from another server completely outside of the network.

  • Any DNAT rules that could apply? I'm not 100% sure of the processing order (I know it's around here somewhere), but if you're NAT'ing (port forwarding) 443/80 to the webserver, it could be bypassing the WAF?
    When you make a request to OWA does it show logs on the WAF logs? 
    Turn off the WAF entirely, does your external access to OWA break (or the weird redirect issue occur)? 

  • I have DNAT rules for the Exchange /OWA/Autodiscover and a DNAT rule for HTTP connection to the second webserver

  • As I understand the architecture of the Sophos, and I'm not an expert nor an employee/official support, a DNAT will override the WAF. You need to pick one to use. The WAF is going to look at the URL and assign the appropriate backend; the DNAT isn't. In order to have all your subdomains come into the same IP, I think you'd have to use the WAF and cut the DNAT rules. The DNAT rule is probably taking all the requests to (your public IP; it doesn't care about the URL) and sending them to your OWA backend server.

  • I will try disabling all the DNAT rules and see what happens and get back to you, thanks Aaron.

  • Hi Aaron, when I disable the DNAT the website does not work on port 80.

  • As expected, your websites were being routed via the DNATs through the firewall, not the WAF.

    Now you get to explore why your WAFs are not functioning properly. As mentioned below, provide images of the edits of the WAF frontends (Virtual Web Servers) because that's likely where the misconfiguration error lies.

    You won't be able to accomplish what you want through the firewall using purely DNATs unless your webserver behind the firewall is doing some type of virtual web hosts (sometimes called v-hosts if you're using httpd/Apache).

  • Hi Aaron, here are the images for the Virtual server, Real webserver, and DNAT rule

    Both the Exchange server and the second web server are on Windows Servers, so IIS. No Linux based web servers.

  • Windows IIS servers can do the same virtual hosting, but I forget what they call it as it's been a while since I've worked on IIS. 

    Either way - What happens when you enable both the real and virtual servers, leave the DNAT disabled, and attempt a website access? Can you provide the logs from that test?

  • It is connecting now with the DNAT rule disabled.

  • Did you still want the logs?

  • If it's working, then you need to leave your DNAT rule disabled and start building the Virtual web servers / real servers / exceptions for Exchange as I linked to in one of the initial posts. If you already have this done, then I would verify the connectivity of Exchange.

  • Update - So I have disabled all the DNAT rules for Exchange (I did this out of business hours, hence the delay)

    I have purchased a certificate with the full FQDN of the web site and I have installed this on both the webserver and the FW. (not using the wild card cert as mentioned by dirkkotte)

    I have edited the Virtual Webserver to use the new Certificate.

    I can browse to the website internally and get the HTTPS connection with no issues.

    I can telnet from external to the FQDN of the webserver on port 443.

    When I connect to the website, I get the Exchange OWA Cert and web page?

  • Here is the Virtual web server log file I got when I tried to connect. Not sure if it helps?

    2021:01:28-19:37:07 SophosFW httpd[6119]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroExchaWebse] does not exist
    2021:01:28-19:37:08 SophosFW httpd[6119]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOrders] does not exist
    2021:01:28-19:37:08 SophosFW httpd[6121]: [remoteip:notice] [pid 6121:tid 4147427008] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:28-19:37:08 SophosFW httpd[6121]: [security2:notice] [pid 6121:tid 4147427008] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
    2021:01:28-19:37:08 SophosFW httpd[6128]: [remoteip:notice] [pid 6128:tid 4147427008] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:28-19:37:08 SophosFW httpd[6128]: [mpm_worker:notice] [pid 6128:tid 4147427008] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2021:01:28-19:37:08 SophosFW httpd[6128]: [core:notice] [pid 6128:tid 4147427008] AH00094: Command line: '/usr/apache/bin/httpd'
    2021:01:28-19:37:09 SophosFW httpd[6294]: Started
    2021:01:28-19:41:06 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="165" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="728" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YBJcghxS3lzxdzdIupNF@gAAABw"
    2021:01:28-19:41:29 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="165" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="285" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YBJcmRxS3lzxdzdIupNF@wAAACg"

  • DNAT isn't specific to the application/website. It's simply taking all traffic going to (your public IP) on port 443 and sending it to whatever DESTINATION (hence DNAT) you have set. When you say "you disabled the DNAT for exchange", it makes me think you aren't understanding that the DNAT rule doesn't know or care if you're accessing Exchange or the other website.

    All your DNATs need to be disabled for the WAF to work, as far as I know. 

    If connecting to the website sends your request to the Exchange backend (real webserver), either 1) your DNAT is still enabled or 2) your virtual webserver/real webserver is misconfigured.