Publishing an internal website securely to the Internet goes by a number of names such as Reverse Proxy, Web Application Proxy (WAP) and Web Application Firewall (WAF). Sophos UTM refers to this functionality as Web Server Protection.
In this article, I will take you through the steps of publishing an internal website (using the Fastvue Sophos Reporter application as the example web app) using the Sophos UTM Web Server Protection feature.
To ensure the implementation goes smoothly, the following steps should be performed in order:
Since registering a domain (if needed) and propagating DNS records can take some time, you should start here.
You will need to create an A record pointing to the public IP address you will be using. The name is important to know before you proceed because it will be specified as an allowed domain when securing your virtual server, and it will also be used in the SSL certificate.
It is however possible to complete these steps using the IP address only, which may be suitable if you are just testing before going live with a public name.
Multiple public IP addresses are a great way to separate discreet services on the UTM, and you will need to add an additional interface for the Web Server Protection feature.
To add an additional IP address:
By default, other services such as SSL VPN and User Portal use the ANY network as the IP address on which they are available. In this context, ANY refers to all IP address assigned to the Sophos UTM.
To prevent your newly created IP address from being claimed by these other services using the ANY interface, make sure the other services have been configured with specific addresses.
For example, one conflicting service you may run into is the SSL VPN. Here is how to resolve the potential conflict:
The real web server is your actual internal web server's IP address that is bound to the web site you want to publish.
This is where the Sophos UTM will send traffic after it is received from the Internet. In our example it is our Sophos Reporter web server.
Next you need to define the Virtual Webserver. This will be the external facing IP address available from the Internet.
This completes the process of publishing the server with HTTP.
To test, click the Open Live Log button. This will open the log so that you can track access to the virtual server. From an Internet connected machine, enter the public IP address into your browser. The internal website should load in the browser, and you should see the log the events in the Live Log.
The next step would be to secure the site using HTTPS. A typical example of this would be to perform SSL offloading where web traffic over the Internet is encrypted, but not encrypted on the internal network. This means that the Fastvue Sophos Reporter server does not carry the overhead of performing SSL encryption. Instead this is performed by the UTM.
This means that traffic on the internal trusted network is not encrypted, but traffic leaving the Sophos UTM to the internet is encrypted. The tricky part, as always with SSL, is certificates. For the sake of simplicity I am going to step through generating a self signed certificate that is valid for the external IP address.
Next, we are going to convert the existing plain text HTTP Virtual Webserver to an Encrypted HTTPS Virtual Webserver.
You have now converted your virtual server from HTTP to HTTPS. The Redirect HTTP to HTTPS checkbox means that the Sophos UTM will still listen on port 80 but it will send the browser a 302 redirect to ensure the traffic is always bumped up to HTTPS.
To test, open a browser and connect to http://thepublicip/. You should observe the URL in the address bar changing to HTTPS.
You have now securely published your internal Fastvue Sophos Reporter application to the public Internet using Sophos UTM's Web Server Protection.
Beyond this guide, you should create and use an SSL certificate that contains the correct public DNS name. Since this is public, I generally always recommend using a 3rd party certificate from a public certificate authority. This prevents certificate warnings on external devices.
I also encourage you to experiment with the different firewall profiles that Sophos UTM offers aside from the 'Basic Protection' profile we selected in the above steps, as well as the Reverse Authentication feature introduced in Sophos UTM 9.2. This is useful for sites such that require corporate authentication details such as SharePoint, Outlook Web Access, and even Sophos Reporter when using Windows Authentication in IIS.
I hope this helps anyone looking to configure Web Server Protection in Sophos UTM. Please let me know how you go in the comments!
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
Replacing Forefront TMG with Sophos UTM (Webcast)
How To Remove False Positives in Sophos UTM's Web Application Firewall