This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM different HTTPS websites on one public IP

Hello

I have seen the current question has been posted in various forums but other than saying "yes this can be done" there does not appear to be any clear documentation on HOW to do this.

Can someone please help me with a document or screenshots on HOW to configure multiple SSL websites through a Sophos UTM with one public IP Address? 

Thank you in advance for your help.



This thread was automatically locked due to age.
Parents Reply
  • If it's working, then you need to leave your DNAT rule disabled and start building the Virtual web servers / real servers/ exceptions for Exchange as I liked to in one of the initial posts. If you already have this done, then I would verify the connectivity of Exchange. 

Children
  • Update - So I have disabled all the DNAT rules for Exchange (I did this out of business hours, hence the delay)

    I have purchased a certificate with the full FQDN of the web site and I have installed this on both the webserver and the FW. (not using the wild card cert as mentioned by dirkkotte)

    I have edited the Virtual Webserver to use the new Certificate.

    I can browse to the website internally and get the HTTPS connection with no issues.

    I can telnet from external to the FQDN of the webserver on port 443.

    When I connect to the website, I get the Exchange OWA Cert and web page??

  • Here is the Virtual web server log file I got when I tried to connect. Not sure if it helps?

    2021:01:28-19:37:07 SophosFW httpd[6119]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroExchaWebse] does not exist
    2021:01:28-19:37:08 SophosFW httpd[6119]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOrders] does not exist
    2021:01:28-19:37:08 SophosFW httpd[6121]: [remoteip:notice] [pid 6121:tid 4147427008] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:28-19:37:08 SophosFW httpd[6121]: [security2:notice] [pid 6121:tid 4147427008] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
    2021:01:28-19:37:08 SophosFW httpd[6128]: [remoteip:notice] [pid 6128:tid 4147427008] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:28-19:37:08 SophosFW httpd[6128]: [mpm_worker:notice] [pid 6128:tid 4147427008] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2021:01:28-19:37:08 SophosFW httpd[6128]: [core:notice] [pid 6128:tid 4147427008] AH00094: Command line: '/usr/apache/bin/httpd'
    2021:01:28-19:37:09 SophosFW httpd[6294]: Started
    2021:01:28-19:41:06 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="165" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="728" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YBJcghxS3lzxdzdIupNF@gAAABw"
    2021:01:28-19:41:29 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="165" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="285" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YBJcmRxS3lzxdzdIupNF@wAAACg"

  • DNAT isn't specific to the application/website. It's simply taking all traffic going to (your public IP) on port 443 and sending it to whatever DESTINATION (hence DNAT) you have set. When you say "you disabled the DNAT for exchange" - it makes me think you aren't understanding the DNAT rule doesn't know or care if you're accessing Exchange or the other website. 

    All your DNATs need to be disabled for the WAF to work, as far as I know. 

    If connecting to the website sends your request to the exchange backend (real webserver - either 1) your DNAT is still enabled or 2) your virtual webserver/real webserver is misconfigured. 

  • You're right about DNATs taking precedence over WAF, Aaron.  See #2 in Rulz (last updated 2020-11-12).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob - I did check your Rulz page - I didn't see WAF listed specifically. Is it part of the "Proxies" category? 

  • Correct - the name of the log file in Linux is reverseproxy.log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Gents

    Thank you for your help. BAlfson you can close this if you would like, as it does not seem to work.

    If I disable ALL the DNAT rules Exchange breaks and the 2nd website then works. I cannot have this, email is more important.

    I have used this link https://support.sophos.com/support/s/article/KB-000035032?language=en_US to set up the Exchange but no success.

    I will find another way to do this, thank you all (especially Aaron) for your time and help.

  • I'm not sure you'll find another way to do this on the Sophos - but I'm not a subject expert. In the event you choose to revisit this: I'm fairly confident you can't have any NAT rules active for the public IP you're trying to balance your different websites behind. Properly configure the WAF for the different websites you're trying to host, and things will start to work. 

  • Thanks Aaron, yes I realize that I am looking at using another firewall system and going away from Sophos.