Hotspot with LE certificate & external DNS

Cześć Mateusz,

I'm confused - why use a different cert than the WebAdmin cert generated one when you first setup the UTM?

Cheers - Bob

Because the UTM-generated cert is not publicly trusted. I'd like the hotspot page to be SSL-protected AND available to our guests who most certainly won't have our company CA certificates. This is where LE comes in, but I don't know how to use it without also making the UTM DNS available for Hotspot users.

Have you tried just using the default WebAdmin cert for the 'Login Page Certificate'?  I don't see where a user would need a cert from your UTM except for the HTTP Proxy CA if using the UTM's Web Filtering.

Cheers - Bob

Sorry for the late response (I got sick).

I'm not sure I understand what you're suggesting.

The default WebAdmin cert is LE-generated for "firewall.ourcompany.com", and points to the public IP (otherwise LE couldn't be used). I can use a self-generated certificate, but that wouldn't be trusted.

I've tried using "firewall.ourcompany.com" as the sign-in page on the Hotspot, but that doesn't appear to work as expected. It... just flat out doesn't work, and Sophos UTM even gives an error that the sign-in page isn't on the same subnet as the hotspot network.

I spent much time figuring this out. It is actually supported but the documentation is well hidden.

First, go to web protection, filter options, certificate for end-user pages and place your domain "firewall.ourcompany.com" there.

Second, manage to get a certificate for "passthrough.firewall.ourcompany.com" and "passthrough6.firewall.ourcompany.com" (the latter SAN is only required if you provide IPv6 connectivity to your guests). LetsEncrypt with these two SANs (and the base "firewall.ourcompany.com" as third) will do, but you can also get a wildcard if you are able to respond to DNS-01 challenges (Sophos can not).

Having a split DNS setup ("firewall.ourcompany.com" points to the internal interface from inside) is required in this case.

Life would be much easier if sophos could provide a trusted certificate for their domain "passthrough.fw-notify.net" (a domain they own) but they don't for security reasons.

I'm not entirely sure what the steps are. It seems you may have omitted the final step related to configuring the Hotspot itself?

I can certainly prepare two LE certificates, one for "firewall.company.com" (already have one, actually) and one for "hotspot.firewall.company.com" (or "passthrough"?)... but I'm not sure what to do with the latter certificate, or what the next steps are related to Hotspot setup

I'm currently already using a split-DNS setup to facilitate the Hotspot. I.e. I have "hotspot.company.com" which points to our public IP (so LE can be used), and the UTM DNS "overrides" that and points to the UTMs Hotspot local address, which is then used for the hotspot user page. The whole point of this question is to try and avoid using the UTMs DNS for the Hotspot, and instead serve Hotspot users something like 1.1.1.1 or 8.8.8.8...

The "passthrough" magic doesn't work if the UTM doesn't see the traffic.

In this case you should use a wildcard certificate also covering "hotspot.firewall.company.com" and make the DNS point to the internal hotspot interface of the UTM in any (external) DNS so cloudflare and google can resolve it.

clients will then connect to "https://hotspot.firewall.company.com:4501/?location=whatever" and should accept the certificate.

However you have to fiddle with certbot and a DNS hook then to get a certificate for "*.firewall.company.com" from LE.

I assume that with a wildcard certificate I can then have a public DNS record like hotspot.firewall.company.com pointing at the UTMs Hotspot IP, so that the UTM can properly handle clients connecting.

But if UTM is unable to handle LEs wildcard certificates then I'm probably better of leaving things as is - it's not like we have huge Hotspot traffic and I was hoping this would be a lot easier than it's turning out to be.

To be absolutely honest, I'm still not following you on the "passthrough" and how that's supposed to work. I just can't visualise how having another public DNS record + LE certificate helps in this particular Hotspot-related scenario...

I assume that with a wildcard certificate I can then have a public DNS record like hotspot.firewall.company.com pointing at the UTMs Hotspot IP, so that the UTM can properly handle clients connecting.

But if UTM is unable to handle LEs wildcard certificates then I'm probably better of leaving things as is - it's not like we have huge Hotspot traffic and I was hoping this would be a lot easier than it's turning out to be.

To be absolutely honest, I'm still not following you on the "passthrough" and how that's supposed to work. I just can't visualise how having another public DNS record + LE certificate helps in this particular Hotspot-related scenario...