Exchange ./. Sophos Web Application Firewall


Is there anyone here who has ever configured Sophos UTM and its Web Application Firewall reverse proxy feature with Exchange 2010 using a single-domain certificate and SRV records as the autodiscover method?

The guide uses three different certificates and I am unable to follow as I have only one.


Ralph Scharping (Digital Therapist) asked:

It may just be the wording you have used, but it can be very difficult if you mean you only have a single-domain SSL certificate that covers a single FQDN. Exchange doesn't like that and it can be a proper pain to sort. Much better to get the right kind of cert to start with.

To clarify:

Does your existing cert only cover a single host/domain?

Or is it a wildcard certificate?

Or a UCC/SAN certificate?
Ralph Scharping (Digital Therapist), author, commented:
I do have a single-domain cert covering one single name. It works just fine in a lot of installations. All it takes is a split-brain DNS config internally and an SRV record for autodiscover externally. No worries there.

My issue is in regard to the reverse-proxy in Sophos.  I have only one IP and I need to publish another host in addition to Exchange.  So I need Sophos Web Application Firewall to forward different names to different physical hosts.
In the guide I am following there are multiple certificates for Exchange, and so far I was certain that it's not even possible to use different certificates (not names) for Outlook Anywhere, Autodiscover and OWA/ECP, as the HTTPS service can only be bound to one certificate.

So I am asking:  Has anyone ever done this before using a single name for all exchange services?
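The single-name setup Ralph describes (one certificate name for every Exchange client service, split-brain DNS inside, an SRV record outside), as an added example that is not part of the original thread or of the Sophos guide. All names are assumptions: the Client Access Server is CAS01 with internal IP 10.0.0.10, the one certificate is issued to mail.example.com, and the SMTP domain is example.com. The Sophos side (one virtual web server per published hostname on the single public IP, routed by host header to its real web server) is done in the UTM WebAdmin GUI and is not shown.

```powershell
# Added example, not from the original post or the Sophos guide.
# Run in the Exchange 2010 Management Shell on CAS01. All names are assumed.
$Cas  = "CAS01"
$Name = "mail.example.com"
$Url  = "https://$Name"

# 1. Every virtual directory gets the same internal and external URL, so no
#    client is ever redirected to a hostname the single-name certificate does not cover.
Set-OwaVirtualDirectory         -Identity "$Cas\owa (Default Web Site)" -InternalUrl "$Url/owa" -ExternalUrl "$Url/owa"
Set-EcpVirtualDirectory         -Identity "$Cas\ecp (Default Web Site)" -InternalUrl "$Url/ecp" -ExternalUrl "$Url/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$Url/Microsoft-Server-ActiveSync" -ExternalUrl "$Url/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" -InternalUrl "$Url/EWS/Exchange.asmx" -ExternalUrl "$Url/EWS/Exchange.asmx"
Set-OABVirtualDirectory         -Identity "$Cas\OAB (Default Web Site)" -InternalUrl "$Url/OAB" -ExternalUrl "$Url/OAB"

# 2. Domain-joined Outlook reads the Autodiscover SCP from Active Directory, so
#    point the SCP at the same name. Outlook Anywhere publishes the same name.
#    (If Outlook Anywhere is already enabled, use Set-OutlookAnywhere on
#    "$Cas\Rpc (Default Web Site)" instead of Enable-OutlookAnywhere.)
Set-ClientAccessServer -Identity $Cas -AutoDiscoverServiceInternalUri "$Url/Autodiscover/Autodiscover.xml"
Enable-OutlookAnywhere -Server $Cas -ExternalHostname $Name -ClientAuthenticationMethod Basic -SSLOffloading $false

# 3. Bind the single-name certificate to IIS (HTTPS) and SMTP (TLS) by thumbprint.
$Cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "CN=$Name*" } | Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP

# 4. Split-brain DNS: the internal Windows DNS server (assumed to hold an internal
#    copy of the example.com zone) resolves mail.example.com to the CAS itself.
dnscmd /RecordAdd example.com mail A 10.0.0.10

# 5. External DNS: no autodiscover.example.com host record at all, only an SRV
#    record that sends Outlook to the name the certificate covers. Shown with
#    dnscmd syntax; at a public DNS provider the same record is entered in its UI.
dnscmd /RecordAdd example.com _autodiscover._tcp SRV 0 0 443 mail.example.com

# 6. Check: warn about any URL Exchange would hand out that lies outside the
#    certificate name, since that is exactly what produces the client cert error.
$Dirs = @(Get-OwaVirtualDirectory -Server $Cas) + @(Get-EcpVirtualDirectory -Server $Cas) +
        @(Get-ActiveSyncVirtualDirectory -Server $Cas) + @(Get-WebServicesVirtualDirectory -Server $Cas) +
        @(Get-OABVirtualDirectory -Server $Cas)
$Dirs | Where-Object { "$($_.InternalUrl) $($_.ExternalUrl)" -notmatch [regex]::Escape($Name) } |
    ForEach-Object { Write-Warning "URL outside the certificate name: $($_.Identity)" }
```

The check in step 6 is the one worth keeping around: every time a virtual directory is re-created or a second CAS is added, a URL pointing at the server's own FQDN sneaks back in and clients start seeing certificate warnings, which trains users to click through them.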
Yes, I have seen the situation and it's a right pain, as noted above. I recommend getting the proper certs instead of putting a workaround in place by sharing a single cert.

Ralph Scharping (Digital Therapist), author, commented:
Even a "right" multi domain cert would be ONE cert.  The guide uses three.
Ralph Scharping (Digital Therapist), author, commented:
Well, it seems that this actually works, if you pay attention.
The Sophos proxy ignores all certificate errors on the inside. So if you are careful not to access Exchange using HTTPS from the inside, it's fine. You can actually get different single-domain certificates and bind them to different virtual web servers within the firewall.

It's a bit abusive, though, and a wildcard certificate really is your better choice.