This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS Offload

If the virtual webserver uses https, and the real webserver http, the WAF offloads the SSL/TLS. But what happpens if you configure the real webserver with https as well? Does the WAF just act as a passthrough, sending everything to the real webserver, or does it still offload by decrypting the initial data between client and UTM and then re-encrypt between UTM and real webserver?

This thread was automatically locked due to age.

0 BAlfson over 8 years ago

If the Real Server also is configured for HTTPS, it's not offloaded at all.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 InformaticaOostkamp over 8 years ago

Thank you!
Cancel
Vote Up 0 Vote Down

Cancel
0 ewadie over 8 years ago

WAF always decrypts HTTPS traffic sent by the client and then re-encrypts it when sending it to a real webserver that uses HTTPS (man-in-the-middle style). Otherwise you wouldn't be able to enable any protection features.
Cancel
Vote Up 0 Vote Down

Cancel
0 InformaticaOostkamp over 8 years ago

Okay so it does offload then. Which means you always need to import the certificate of the real webserver on the Sophos, correct?
Cancel
Vote Up 0 Vote Down

Cancel
0 ewadie over 8 years ago

HTTPS from WAF to the real webserver works without importing any certificate.
Cancel
Vote Up 0 Vote Down

Cancel
0 InformaticaOostkamp over 8 years ago

Let's say we have real webserver with an internally issued certificate for app.domain.com, and we also have a public certificate for app.domain.com installed on the WAF for external clients. The internal cert doesn't need to be added to the WAF?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago

If the idea is to offload the SSL processing from the web server to the UTM, then the Real Server will NOT be defined as HTTPS.

I'm not sure why you would have a separate, internal certificate for the physical server.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 8 years ago in reply to BAlfson

I'm not sure why you would have a separate, internal certificate for the physical server.

Some services like Exchange OWA requires using SSL.
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 8 years ago in reply to InformaticaOostkamp

Let's say we have real webserver with an internally issued certificate for app.domain.com, and we also have a public certificate for app.domain.com installed on the WAF for external clients. The internal cert doesn't need to be added to the WAF?

Why don't you just import the certificate issued from public CA on internal web site also (since FQDN app.domain.com is the same both for internal and external clients) ?
Cancel
Vote Up 0 Vote Down

Cancel