
Sophos UTM different HTTPS websites on one public IP

Hello

I have seen the current question has been posted in various forums but other than saying "yes this can be done" there does not appear to be any clear documentation on HOW to do this.

Can someone please help me with a document or screenshots on HOW to configure multiple SSL websites through a Sophos UTM with one public IP Address? 

Thank you in advance for your help.

  • You're right about DNATs taking precedence over WAF, Aaron.  See #2 in Rulz (last updated 2020-11-12).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • They're in an earlier reply in another "thread" of the page. Scroll up.

  • DNAT isn't specific to the application/website. It's simply taking all traffic going to (your public IP) on port 443 and sending it to whatever DESTINATION (hence DNAT) you have set. When you say "you disabled the DNAT for exchange" - it makes me think you aren't understanding the DNAT rule doesn't know or care if you're accessing Exchange or the other website. 

    All your DNATs need to be disabled for the WAF to work, as far as I know. 

    If connecting to the website sends your request to the Exchange backend (real webserver), either 1) your DNAT is still enabled or 2) your virtual webserver/real webserver is misconfigured.

  • Hello Ian,

    no pictures from you ...

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Here is the Virtual web server log file I got when I tried to connect. Not sure if it helps?

    2021:01:28-19:37:07 SophosFW httpd[6119]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroExchaWebse] does not exist
    2021:01:28-19:37:08 SophosFW httpd[6119]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroOrders] does not exist
    2021:01:28-19:37:08 SophosFW httpd[6121]: [remoteip:notice] [pid 6121:tid 4147427008] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:28-19:37:08 SophosFW httpd[6121]: [security2:notice] [pid 6121:tid 4147427008] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
    2021:01:28-19:37:08 SophosFW httpd[6128]: [remoteip:notice] [pid 6128:tid 4147427008] AH03494: RemoteIPProxyProtocol: disabled on 127.0.0.1:4080
    2021:01:28-19:37:08 SophosFW httpd[6128]: [mpm_worker:notice] [pid 6128:tid 4147427008] AH00292: Apache/2.4.39 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
    2021:01:28-19:37:08 SophosFW httpd[6128]: [core:notice] [pid 6128:tid 4147427008] AH00094: Command line: '/usr/apache/bin/httpd'
    2021:01:28-19:37:09 SophosFW httpd[6294]: Started
    2021:01:28-19:41:06 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="165" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="728" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YBJcghxS3lzxdzdIupNF@gAAABw"
    2021:01:28-19:41:29 SophosFW httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="165" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="285" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YBJcmRxS3lzxdzdIupNF@wAAACg"

  • Update - So I have disabled all the DNAT rules for Exchange (I did this out of business hours, hence the delay)

    I have purchased a certificate with the full FQDN of the web site and I have installed this on both the webserver and the FW (not using the wildcard cert as mentioned by dirkkotte).

    I have edited the Virtual Webserver to use the new Certificate.

    I can browse to the website internally and get the HTTPS connection with no issues.

    I can telnet from external to the FQDN of the webserver on port 443.

    When I connect to the website, I get the Exchange OWA cert and web page?

  • If it's working, then you need to leave your DNAT rule disabled and start building the Virtual web servers / real servers / exceptions for Exchange as I linked to in one of the initial posts. If you already have this done, then I would verify the connectivity of Exchange.

  • Sorry, the pictures above.

  • Did you still want the logs?

  • It is connecting now with the DNAT rule disabled.
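To verify the outcome described in this thread (that each FQDN on the shared public IP is now answered by its own certificate via SNI, rather than the Exchange OWA one that was being served while the port-443 DNAT shadowed the WAF), here is an added Python check; it is not from the thread or from Sophos, and the public IP, host names and sample certificate dictionaries are constructed placeholders.

```python
import socket
import ssl


def _dns_match(pattern, host):
    """Match one certificate DNS name against a host; '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return pattern == host


def cert_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_covers_host(cert, host):
    return any(_dns_match(name, host) for name in cert_names(cert))


def probe_sni(public_ip, fqdn, port=443, timeout=5.0):
    """TLS-connect to the shared public IP, send fqdn as SNI, return the served cert dict.
    The chain is still validated (otherwise getpeercert() returns an empty dict), but the
    host name is deliberately not checked: a wrong host name is what we want to observe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((public_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def verdict(fqdn, cert):
    names = ", ".join(cert_names(cert)) or "<no names>"
    if cert_covers_host(cert, fqdn):
        return "OK: %s served a certificate for %s" % (fqdn, names)
    return ("MISMATCH: %s was answered with a certificate for %s "
            "(a DNAT still shadowing the WAF, or the wrong virtual webserver?)" % (fqdn, names))


if __name__ == "__main__":
    PUBLIC_IP = "203.0.113.10"  # placeholder address from the documentation range
    for fqdn in ("mail.example.com", "orders.example.com"):  # placeholder FQDNs
        try:
            print(verdict(fqdn, probe_sni(PUBLIC_IP, fqdn)))
        except (OSError, ssl.SSLError) as exc:
            print("ERROR: %s: %s" % (fqdn, exc))
```

A handshake that fails with a verification error is itself a finding: the virtual webserver is presenting a chain the client cannot build, which browsers will also reject.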