
[HOWTO] Let's Encrypt

Hi all,

I have got a fully working Let's Encrypt setup for multiple domains of my Web Application Firewall on my Sophos UTM 9.4!

On github I have made a manual on how to set it up on your UTM as well. Currently it has a few manual steps to set it up, but I might script this in the future as well.

https://github.com/rklomp/sophos-utm-letsencrypt

Comments, questions and improvements are welcome! And please leave a message if you have got it working as well.

Have fun!

René

  • Chris Shipley said:
    I give them a separate network to connect to.  This has different firewall rules that allow traffic out only to some approved categories/destinations and obeys any exceptions I've built, but denies others.  It's a "Guest" type network.

    Yes, but how do you guarantee that they don't use, as I mentioned before, for example "psiphon"? As long as https is open they will override any rule; and the problem is the variety of the applications on the mobiles, i.e. you mentioned applying "approved destinations" as a workaround, but you can't specify every single destination for these applications (whatsapp, messenger, telegram, gsuite, o365, slack, etc.) and they are all required for business these days.

    We suffer from this especially in companies that don't have MDM and don't provide their employees with work phones which can be pre-configured for some things (like installing the cert), and yet they demand that their investment in NGFW can help prevent unproductive and malicious traffic and prevent employees from overriding work policies.

  • If they are required for business use, that's just a bit of research.  If a customer can't document all the online applications they require to run their business, then that's the next conversation you need to have with them to establish it.

  • If you are supporting open WiFi networks in hotels and cafes, you run the risk of these things happening.  Enable isolation in these cases so peers can't communicate with each other.  I'd also put in traffic shaping to restrict each device to a specific amount of bandwidth instead of allowing them all bandwidth available.

  • Hi,

    I have been using your scripts for Let's Encrypt several times now.

    At first thank you for your work. It was almost a fluent integration.

    I'm using Let's Encrypt certificates directly on the UTM for access from outside with WAF.
    For ease of use I also use my locally hosted servers with the external DNS name (internal DNS resolution), as I don't want to have internal self-signed or internal CA certificates published to all devices. For these services I also use Let's Encrypt certificates. For this I configured several SSH connections for the ACME challenge and site-path rules in WAF to get the challenges for the UTM and the servers themselves.
    It works fine, so there is no need for any complaint or for probably switching over to native Let's Encrypt in 9.6, as I don't know whether it would work this way. (Other question, not your problem.)

    But now I have come to some questions. I'm about to change my setup to an active/passive UTM HA cluster, and I'm a bit confused about what I need to do so that both machines are able to regenerate my certificates regardless of which UTM is in the active state.

    So my thoughts are:

    • Certificates are automatically synchronized between the two UTMs
    • I need the script and configs on both boxes (manually, as I think they are not synchronized)

    Does anybody here have a running setup with the scripts in an HA cluster (active/passive) and could tell me what I have to think about?


    Thanks for your reply

    Carsten