Exchange ./. Sophos Web Application Firewall

Ralph Scharping
Hi,

Is there anyone here who has ever configured Sophos UTM and its Web Application Firewall reverse proxy feature with Exchange 2010 using a single-domain certificate and SRV records as the Autodiscover method?

The guide uses three different certificates and I am unable to follow as I have only one.

https://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202%20new.pdf

Thanks,
Ralph
Steve, Architect/Designer

Commented:
May just be the wording you have used, but it can be very difficult if you mean you only have single domain SSL that covers a single FQDN. Exchange doesn't like that and it can be a proper pain to sort. Much better to get the right kind of cert to start with.

To clarify:

Does your existing cert only cover a single host/domain?
eg:
outlook.domain.com?

or is it a wildcard certificate?
eg:
*.domain.com

Or a UCC/SAN certificate?
eg:
outlook.domain.com
autodiscover.domain.com
www.domain.com
Ralph Scharping, Digital Therapist (Author)

Commented:
I do have a single-domain cert covering one single name. It works just fine in a lot of installations. All it takes is a split-brain DNS config internally and an SRV record for Autodiscover externally. No worries there.

My issue is in regard to the reverse proxy in Sophos. I have only one IP and I need to publish another host in addition to Exchange. So I need the Sophos Web Application Firewall to forward different names to different physical hosts.
In the guide I am following there are multiple certificates for Exchange, and so far I was certain that it's not even possible to use different certificates (not names) for Outlook Anywhere, Autodiscover and OWA/ECP, as the HTTPS service can only be bound to one certificate.

So I am asking: has anyone ever done this before using a single name for all Exchange services?
Steve, Architect/Designer

Commented:
Yes, I have seen the situation and it's a right pain, as noted above. I recommend getting the proper certs instead of putting a workaround in place by sharing a single cert.
Ralph Scharping, Digital Therapist (Author)

Commented:
Even a "right" multi domain cert would be ONE cert.  The guide uses three.
Ralph Scharping, Digital Therapist (Author)

Commented:
Well, it seems that this actually works, if you pay attention.
The Sophos proxy ignores all certificate errors on the inside. So if you are careful not to access Exchange using HTTPS from the inside, it's fine. You can actually get different single-domain certificates and bind them to different virtual web servers within the firewall.

It's a bit abusive, though, and a wildcard certificate really is your better choice.
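The thread turns on two points that are easy to get wrong when publishing Exchange through a reverse proxy: with the SRV method a client looks up `_autodiscover._tcp.<mail domain>` and connects to the SRV target, so the certificate only has to cover that target name (not `autodiscover.<domain>`), and a single-name, wildcard or SAN certificate covers different sets of hostnames under the RFC 6125 matching rules Steve's comment alludes to. The script below is an added example, not code from this thread, from Sophos or from Microsoft; the zone data, hostnames and certificate names are constructed sample values, and the per-virtual-server mapping is an assumption used to model the "one single-domain cert per virtual web server" setup Ralph describes.

```python
"""Added example (not from the thread, Sophos or Microsoft): checks whether the
certificate bound to each reverse-proxy virtual server covers its public name,
and whether the Autodiscover SRV target is covered.  All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Parse zone-file SRV lines: owner TTL IN SRV priority weight port target."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            raise ValueError(f"not an SRV record: {line!r}")
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".").lower()))
    return records


def pick_srv_target(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Lowest priority wins.  RFC 2782 breaks ties by weighted random choice;
    simplified here to 'highest weight' so the result is deterministic."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125 style matching: exact match, or a wildcard that is the whole
    left-most label and stands for exactly one label (so *.domain.com matches
    outlook.domain.com but neither domain.com nor a.b.domain.com)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (out*.domain.com), wildcards deeper in the name,
    # and overly broad ones such as *.com.
    if c_labels[0] != "*" or len(c_labels) < 3 or any("*" in l for l in c_labels[1:]):
        return False
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any subject/SAN name on the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def check_publishing(virtual_servers: Dict[str, List[str]], zone_text: str) -> Dict[str, bool]:
    """virtual_servers maps each public hostname the proxy answers for to the
    names on the certificate bound to that virtual server (assumed model).
    Returns hostname -> covered, plus one entry for the Autodiscover SRV
    target, which is the name clients actually connect to."""
    result = {host: cert_covers(names, host) for host, names in virtual_servers.items()}
    srv = pick_srv_target(parse_srv(zone_text))
    if srv is not None:
        names = virtual_servers.get(srv.target, [])
        result[f"srv->{srv.target}:{srv.port}"] = cert_covers(names, srv.target)
    return result


# Constructed sample data: one public IP, Exchange plus a second web host behind the WAF.
ZONE = """
; external zone for the mail domain (constructed sample)
_autodiscover._tcp.example.com. 3600 IN SRV 0 0 443 outlook.example.com.
"""
VIRTUAL_SERVERS = {
    "outlook.example.com": ["outlook.example.com"],   # single-name cert for Exchange
    "intranet.example.com": ["*.example.com"],       # wildcard cert for the second host
}

if __name__ == "__main__":
    for host, ok in check_publishing(VIRTUAL_SERVERS, ZONE).items():
        print(f"{host:35s} {'covered' if ok else 'NOT covered'}")
```

Running it shows the single-name certificate covering the SRV target while `cert_covers(["outlook.example.com"], "autodiscover.example.com")` is false, which is exactly why the SRV method (rather than an `autodiscover.<domain>` A record) makes a one-name certificate workable; the wildcard case shows the matching limits that decide whether a second host under a different sub-domain depth would still be covered.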
