This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On github I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René
[Donate]



This thread was automatically locked due to age.
Parents Reply
  • Unknown said:

    So the alternative would be what?

     

    Install the UTM-generated SSL certificate into your systems.  Like this: https://community.sophos.com/kb/en-us/115315#How%20to%20deploy%20the%20Proxy%20CA - note that using the Active Directory deployment method doesn't cover Firefox because years ago Firefox divorced it's certificate management from Windows and there is no "easy" way to deploy that certificate on a mass scale - unless someone has access to GPO templates that include the Firefox certificate store since the last time I looked for some.

    The steps in that article are a bit light on how to do that AD import, but this article for their web gateway applies https://community.sophos.com/kb/en-us/42153#GPMC - just use the cert you download from the AD step in the previous article in step 8 from this link to the "Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)" procedure.

Children
  • Thanks for your reply

    I am aware of and done this many times, my problem is when we don't have AD or we need to filter and inspect employees' mobile traffic or guest traffic or any place that have public access like Cafe , hotels ...etc.

    You can for example prevent p2p on computers but not on mobiles if they used psiphon for example (which btw cannot be blocked if you didn't implement https decryption)

    That's why I asked what is the alternative in these situations ?

  • Ahh, yes.  I give multiple networks in these cases.  So I protect my AD-enabled systems the way I described.  The systems I cannot install these certificates on (you can install on mobile, but in a BYOD situation, maybe untenable) I give them a separate network to connect to.  This has different firewall rules that allow traffic out only to some approved categories/destinations and obeys any exceptions I've built, but denies others.  It's a "Guest" type network.

    When you talk about open wifi hotels and cafes, your UTM isn't in the mix so that solution isn't applicable to roaming laptops.  For those you use something like Sophos Endpoint which has a web and application control in it, so the rules are deployed to the device itself.  Sophos MDM as well for company-owned mobile devices.  Sophos MDM can help you deploy the certificate from the UTM to those devices as well.

  • Chris Shipley said:
    I give them a separate network to connect to.  This has different firewall rules that allow traffic out only to some approved categories/destinations and obeys any exceptions I've built, but denies others.  It's a "Guest" type network.

    Yes but how do you guarantee that they don't use as I mentioned before for example "psiphon", as long as https is open they will override any rule; and the problem is the variety of the applications on the mobiles, i.e. you mentioned applying "approved destinations" as workaround but you can't specify every single destination for these applications (whatsapp, messenger, telegram, gsuite, o365,slack ...etc) and they all required for business these days.

    We suffer from this especially in companies that don't have MDM, and don't provide their employees with work phones which can be pr-configured for some things (like installing the cert), and yet they demand that their investment in NGFW can help prevent unproductive and malicious traffic and prevent employees from overriding work policies

  • If they are required for business use, that's just a bit of research.  If a customer can't document all the online applications they require to run their business, then that's the next conversation you need to have with them to establish it.

  • If you are supporting open WiFi networks in hotels and cafes, you run the risk of these things happening.  Enable isolation in these cases so peers can't communicate with each other.  I'd also put in traffic shaping to restrict each device to a specific amount of bandwidth instead of allowing them all bandwidth available.