
UTM9 Web Server Protection with Websocket


I have an internal application, and more specifically MeshCentral and I am using UTM9 since I need to do SNI having just one public IP.

After creating the server and listener in UTM9 with Pass host header and Enable WebSocket passthrough options configured I would expect for my app to work. The thing is that the remote agent (over internet) cannot connect to my internal MeshCentral server. The agent is using websocket wss://fqdn:443.

If I configure my firewall to bypass the UTM9 appliance and direct the 443 traffic directly to the MeshCentral server, then the remote agent pops-up in the console just fine.

With Nginx proxy this is doable, but I don't know how to configure the below lines in UTM9.

  #Websocket Support
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";

Any ideas?


  • Hello Adrian,

    Please insert pictures of the Edits of the Virtual and Real Server definitions.  Also, copy here the lines from the Webserver log when this access is not allowed.

    Does Karlos' suggestion help?

    If you have a paid subscription, please open a support ticket and share here what Sophos has to say about this issue which I thought was fixed last year.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for getting by.

    After more investigation I kind of have the feeling the problem is not in the UTM9 proxy because if I disconnect the internal server network adapter and restart the remote agent in order to force it to reconnect, I can see in the UTM logs that the proxy module is trying to forward the agent request to the server's internal IP but it fails (since it is disconnected).

    If I connect the adapter back and restart the remote agent again, I see nothing in the logs even though I should still have some pass lines here, but it is empty.

    Unfortunately I cannot upload the images here that I have taken from the UTM, I keep getting an empty box during upload, but I have uploaded them here

    Let me know your thoughts,


  • Just wanted to update the post since I have found the issue, and it is not from the UTM, maybe it will help someone.

    The Mesh server checks the hash of the certificate that it issued to the agents, and since the certificate was coming from the UTM proxy it had a different one and the handshake was broken. I had to tell the Mesh server to check the proxy certificate and accept its hash ("certUrl": "">"). From here on everything started working.
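
The mismatch described in the last post can be confirmed by hashing the certificate an agent sees through the reverse proxy and the one the internal server presents directly. This is an added example, not code from the thread, from Sophos or from MeshCentral; the function names, the SHA-384 default and the sample byte strings are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def cert_fingerprint(der, algorithm="sha384"):
    """Hex digest over a DER-encoded certificate (the algorithm is an assumption)."""
    return hashlib.new(algorithm, der).hexdigest()


def fetch_leaf_der(host, port=443, sni=None, timeout=5.0):
    """Return the leaf certificate (DER) that host:port presents for the SNI name."""
    ctx = ssl.create_default_context()
    # Diagnostic read only: we inspect the certificate, we do not trust the channel.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_paths(edge_der, origin_der, algorithm="sha384"):
    """Compare what an agent sees via the proxy with what the server presents."""
    edge = cert_fingerprint(edge_der, algorithm)
    origin = cert_fingerprint(origin_der, algorithm)
    return {
        "edge": edge,
        "origin": origin,
        # True means TLS is re-terminated in front of the server, so a
        # certificate-hash check against the server's own cert will fail.
        "proxy_presents_other_cert": not hmac.compare_digest(edge, origin),
    }


# Constructed stand-ins for DER bytes, so the comparison runs offline.
SAMPLE_ORIGIN_DER = b"constructed: certificate served by the internal server"
SAMPLE_EDGE_DER = b"constructed: certificate served by the reverse proxy"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py <public-fqdn> <internal-server-ip>
        fqdn, internal_ip = sys.argv[1], sys.argv[2]
        result = compare_paths(fetch_leaf_der(fqdn), fetch_leaf_der(internal_ip, sni=fqdn))
    else:
        result = compare_paths(SAMPLE_EDGE_DER, SAMPLE_ORIGIN_DER)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run with the public name and the server's internal address from a host that can reach both; differing digests mean the proxy terminates TLS with its own certificate.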
