Ralph Scharping
asked on
Exchange ./. Sophos Web Application Firewall
Hi,
is there anyone here who has ever configured Sophos UTM and its Web Application Firewall reverse proxy feature with Exchange 2010 using a single domain certificate and SRV-records as autodiscover-method?
The guide uses three different certificates and I am unable to follow as I have only one.
https://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202%20new.pdf
Thanks,
Ralph
ASKER
I do have a single domain cert covering one single name. It works just fine in a lot of installations. All it takes is split-brain DNS config internally and SRV-record for autodiscover externally. No worries there.
My issue is in regard to the reverse-proxy in Sophos. I have only one IP and I need to publish another host in addition to Exchange. So I need Sophos Web Application Firewall to forward different names to different physical hosts.
In the guide I am following there are multiple certificates for Exchange - and so far I was certain that it's not even possible to use different certificates (not names) for Outlook Anywhere, Autodiscover and OWA/ECP, as the service HTTPS can only be bound to one certificate.
So I am asking: Has anyone ever done this before using a single name for all Exchange services?
ASKER
Even a "right" multi domain cert would be ONE cert. The guide uses three.
ASKER
Well, it seems that this actually works, if you pay attention.
Sophos Proxy ignores all certificate errors on the inside. So if you are careful not to access Exchange using https from the inside, it's fine. You can actually get different Single-Domain-Certificates and bind them to different virtual web servers within the firewall.
It's a bit abusive, though, and a wildcard-certificate really is your better choice.
To clarify:
Does your existing cert only cover a single host/domain?
eg:
outlook.domain.com?
or is it a wildcard certificate?
eg:
*.domain.com
Or a UCC/SAN certificate?
eg
outlook.domain.com
autodiscover.domain.com
www.domain.com
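
The three certificate types asked about above, checked against the hostnames a reverse proxy would have to publish, as an added example that is not part of the original thread. The hostnames are the thread's placeholders; the certificate name lists and the SRV-autodiscover host list are constructed assumptions.

```python
# Added example: which published hostnames does each certificate type cover?
# Hostnames are the thread's placeholders; name lists below are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never zero or two
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(cert_names, hosts):
    """Hostnames that would raise a name-mismatch error with this certificate."""
    return [x for x in hosts if not any(name_matches(n, x) for n in cert_names)]

# Constructed certificate name sets (subject CN plus subjectAltName entries).
CERTS = {
    "single":   ["outlook.domain.com"],
    "wildcard": ["*.domain.com"],
    "san":      ["outlook.domain.com", "autodiscover.domain.com", "www.domain.com"],
}

# Hosts published when autodiscover uses its own A record.
PUBLISHED_A = ["outlook.domain.com", "autodiscover.domain.com", "www.domain.com"]
# Assumption: the external autodiscover SRV record targets outlook.domain.com,
# so clients never open HTTPS to autodiscover.domain.com.
PUBLISHED_SRV = ["outlook.domain.com", "www.domain.com"]

def report(hosts):
    return {kind: uncovered(names, hosts) for kind, names in CERTS.items()}

if __name__ == "__main__":
    for label, hosts in (("A record", PUBLISHED_A), ("SRV record", PUBLISHED_SRV)):
        for kind, missing in report(hosts).items():
            print(f"{label:10} {kind:8} uncovered: {missing or 'none'}")
```

With the SRV method the single-name certificate still leaves the second published host uncovered, which is why that host needs its own certificate on its own virtual web server, or a wildcard or SAN certificate on both.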