![]() With this “dual-brain” setup, all LE certs (for both external and internal traffic) auto renew. Since the certs auto renew, there’s really nothing to manage. I use Let’s Encrypt for all internal traffic. The NGINX reverse-proxy uses DNS challenges so that I do not have to open any ports for the Let’s Encrypt renewals. ![]() I have some web apps that require TLS connections and are accessible only internally and via VPN. Some of my domains/sub-domains are on different servers.įor internal traffic, I have a NGINX reverse-proxy that handles SSL certs for private IP’s to private IP’s traffic. Then the Sophos UTM WAF port forwards the traffic (by sub-domain) to each server (port 443 to 80 or 443 to 443). I let the Sophos UTM’s WAF handle the SSL certs for the external-inbound traffic, only (external interface to private IP’s). The Sophos UTM does the forward DNS lookups. I use a Windows domain controller for DNS and DHCP for a “dual-brain” approach so that I can serve the same web apps to internal and external users. It does web and application filtering very nicely and it is very granular. Seriously, the Sophos UTM is a beast, it works very well and it is very secure. It also handles anti-virus, spam filtering, DKIM etc for the email server. The Sophos UTM has a WAF (reverse-proxy) that handles anti-virus, SSL certs (Let’s Encrypt, self-signed and commercial) and uses Snort for IPS and it works wonderfully. I run different web apps/web servers, file sharing servers, email servers etc behind the Sophos UTM and most are open to the Internet. I listed in my OP some of the features I need. They have been making improvements to XG over the course of many years but it still lags far behind the UTM in many ways and it’s not nearly as user friendly. I’ve used it for over 10 years (home license) and it’s really sad to see Sophos abandon its mature product in favor of the CyberRoam crap that they are calling XG. You just don’t know what you’ve been missing if you’ve never given it a deep dive but there’s no point in doing so now since an EOL date has been announced. I would appreciate any advice including best practices if that means moving some of the functionality away from the firewall if it can be done reasonably well with open source in conjunction with *Sense or Untangle.įor home/lab use, there’s nothing out there that comes close to the feature richness of the Sophos UTM with its ease of use unless you want to pay big bucks. Based on the info I’ve obtained so far, it appears that pfSense only goes down to interface level. In Sophos UTM’s WAF, you can disable different Snort rules and add exceptions for each web app behind the UTM even if they are on the same interface. It looks like I may be able to cobble together all of the pieces with *Sense but it looks like a hot mess to me. So, is the UTM doing the man-in-the-middle thing by hosting the certs, accepting the HTTPS traffic and forwarding it to the internal web servers? Can I get the same functionality with *Sense or Untangle, with HTTPS traffic?Ĭontrary to what some may think, I have been searching my butt off trying to answer my own questions but I’m still confused. The UTM’s WAF (reverse-proxy) handles the certs and port forwarding. ![]() I never installed any certs on the workstations or servers behind the UTM but I still see plenty of Snort blocked activity and false-positives in the WAF log so it must be working with HTTPS traffic, right? I’m referring to external traffic (443) coming into the UTM->WAF->internal webserver (80 or 443). I’ve read a lot of posts that state that IPS only works as man-in-the-middle and that you have to install a cert on all of the clients. The UTM’s IPS (Snort) catches a lot of things even with HTTPS traffic. Back then, not every connection was encrypted but now, all of my stuff uses HTTPS. It was several years back when I set everything up. Outbound content filtering is not a huge concern for me as long as I can use URL lists and feeds but inbound inspection is very important to me. Please tell me, can I replace the Sophos UTM’s functionality with pfSense, OPNsense or Untangle? I saw a post by Tom where he stated he usually pushes people towards Untangle when they need content filtering and WAF but Untangle doesn’t seem to have a reverse-proxy WAF. There must be some people on this forum that are very familiar with the Sophos UTM. I’ve been utilizing most of the features of the UTM. This is for personal/home lab use but I do host quite a few things behind the device so I need the WAF, VPN, anti-virus, IPS, SMTP proxy, web protection etc. ![]() Since the UTM is reaching EOL, I’m looking for a replacement but I haven’t found anything that is a direct replacement, that I can afford. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |