This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Hotspot with LE certificate & external DNS

I'm trying to set up a Hotspot using UTM with the following assumptions:

- clients have no access to our internal infrastructure INCLUDING DNS -> clients get 1.1.1.1 from DHCP
- sign-in page with password of the day is using HTTPS with LE

This... is proving difficult. I can create a public URL pointing to our internal or external IP, but using the external IP the client wouldn't actually be able to access the hotspot page ("no hotspot on this interface" error), while using our internal IP UTM will be unable to generate a LE certificate.

Is there a some way around this?



This thread was automatically locked due to age.
Parents
  • Cześć Mateusz,

    I'm confused - why use a different cert than the WebAdmin cert generated one when you first setup the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Because the UTM-generated cert is not publicly trusted. I'd like the hotspot page to be SSL-protected AND available to our guests who most certainly won't have our company CA certificates. This is where LE comes in, but I don't know how to use it without also making the UTM DNS available for Hotspot users.

  • Have you tried just using the default WebAdmin cert for the 'Login Page Certificate'?  I don't see where a user would need a cert from your UTM except for the HTTP Proxy CA if using the UTM's Web Filtering.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for the late response (I got sick).

    I'm not sure I understand what you're suggesting.

    The default WebAdmin cert is LE-generated for "firewall.ourcompany.com", and points to the public IP (otherwise LE couldn't be used). I can use a self-generated certificate, but that wouldn't be trusted.

    I've tried using "firewall.ourcompany.com" as the sign-in page on the Hotspot, but that doesn't appear to work as expected. It... just flat out doesn't work, and Sophos UTM even gives an error that the sign-in page isn't on the same subnet as the hotspot network.

Reply
  • Sorry for the late response (I got sick).

    I'm not sure I understand what you're suggesting.

    The default WebAdmin cert is LE-generated for "firewall.ourcompany.com", and points to the public IP (otherwise LE couldn't be used). I can use a self-generated certificate, but that wouldn't be trusted.

    I've tried using "firewall.ourcompany.com" as the sign-in page on the Hotspot, but that doesn't appear to work as expected. It... just flat out doesn't work, and Sophos UTM even gives an error that the sign-in page isn't on the same subnet as the hotspot network.

Children
  • I spent much time figuring this out. It is actually supported but the documentation is well hidden.

    First, go to web protection, filter options, certificate for end-user pages and place your domain "firewall.ourcompany.com" there.

    Second, manage to get a certificate for "passthrough.firewall.ourcompany.com" and "passthrough6.firewall.ourcompany.com" (the latter SAN is only required if you provide IPv6 connectivity to your guests). LetsEncrypt with these two SANs (and the base "firewall.ourcompany.com" as third) will do, but you can also get a wildcard if you are able to respond to DNS-01 challenges (Sophos can not).

    Having a split DNS setup ("firewall.ourcompany.com" points to the internal interface from inside) is required in this case.

    Life would be much easier if sophos could provide a trusted certificate for their domain "passthrough.fw-notify.net" (a domain they own) but they don't for security reasons.

  • I'm not entirely sure what the steps are. It seems you may have omitted the final step related to configuring the Hotspot itself?

    I can certainly prepare two LE certificates, one for "firewall.company.com" (already have one, actually) and one for "hotspot.firewall.company.com" (or "passthrough"?)... but I'm not sure what to do with the latter certificate, or what the next steps are related to Hotspot setup

    I'm currently already using a split-DNS setup to facilitate the Hotspot. I.e. I have "hotspot.company.com" which points to our public IP (so LE can be used), and the UTM DNS "overrides" that and points to the UTMs Hotspot local address, which is then used for the hotspot user page. The whole point of this question is to try and avoid using the UTMs DNS for the Hotspot, and instead serve Hotspot users something like 1.1.1.1 or 8.8.8.8...

  • The "passthrough" magic doesn't work if the UTM doesn't see the traffic.

    In this case you should use a wildcard certificate also covering "hotspot.firewall.company.com" and make the DNS point to the internal hotspot interface of the UTM in any (external) DNS so cloudflare and google can resolve it.

    clients will then connect to "https://hotspot.firewall.company.com:4501/?location=whatever" and should accept the certificate.

    However you have to fiddle with certbot and a DNS hook then to get a certificate for "*.firewall.company.com" from LE.

  • I assume that with a wildcard certificate I can then have a public DNS record like hotspot.firewall.company.com pointing at the UTMs Hotspot IP, so that the UTM can properly handle clients connecting.

    But if UTM is unable to handle LEs wildcard certificates then I'm probably better of leaving things as is - it's not like we have huge Hotspot traffic and I was hoping this would be a lot easier than it's turning out to be.

    To be absolutely honest, I'm still not following you on the "passthrough" and how that's supposed to work. I just can't visualise how having another public DNS record + LE certificate helps in this particular Hotspot-related scenario...