Ralph Scharping asked:

Exchange vs. Sophos Web Application Firewall

Hi,

is there anyone here who has ever configured Sophos UTM and its Web Application Firewall reverse proxy feature with Exchange 2010 using a single-domain certificate and SRV records as the autodiscover method?

The guide uses three different certificates and I am unable to follow as I have only one.

https://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202%20new.pdf

Thanks,
Ralph
Tags: Exchange, Sophos

Last comment: Ralph Scharping, 8/22/2022 (Mon)

Steve

May just be the wording you have used, but it can be very difficult if you mean you only have single domain SSL that covers a single FQDN. Exchange doesn't like that and it can be a proper pain to sort. Much better to get the right kind of cert to start with.

To clarify:

Does your existing cert only cover a single host/domain?
eg:
outlook.domain.com?

or is it a wildcard certificate?
eg:
*.domain.com

Or a UCC/SAN certificate?
eg
outlook.domain.com
autodiscover.domain.com
www.domain.com
Ralph Scharping

ASKER
I do have a single domain cert covering one single name.  It works just fine in a lot of installations.  All it takes is split-brain DNS config internally and SRV-record for autodiscover externally.  No worries there.

My issue is in regard to the reverse-proxy in Sophos.  I have only one IP and I need to publish another host in addition to Exchange.  So I need Sophos Web Application Firewall to forward different names to different physical hosts.
In the guide I am following there are multiple certificates for Exchange - and so far I was certain that it's not even possible to use different certificates (not names) for Outlook Anywhere, Autodiscover and OWA/ECP, as the service HTTPS can only be bound to one certificate.

So I am asking:  Has anyone ever done this before using a single name for all exchange services?
ASKER CERTIFIED SOLUTION
Steve

(answer hidden behind the site's membership wall)
Ralph Scharping

ASKER
Even a "right" multi domain cert would be ONE cert.  The guide uses three.
Ralph Scharping

ASKER
Well, it seems that this actually works, if you pay attention.
Sophos Proxy ignores all certificate errors on the inside.  So if you are careful not to access Exchange using https from the inside, it's fine.  You can actually get different Single-Domain-Certificates and bind them to different virtual web servers within the firewall.

It's a bit abusive, though, and a wildcard-certificate really is your better choice.
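The thread turns on two checks: whether a given certificate (single-name, wildcard or SAN, as Steve lists them) covers each name the firewall publishes, and why a single-name certificate still works once an SRV record points Autodiscover at that one name (Ralph's replies). The script below is an added example, not code from the thread, from Sophos or from Microsoft. Every domain, address, DNS record and certificate in it is constructed; DNS and certificates are plain dicts rather than live lookups, and the Autodiscover candidate order is the documented client sequence with the HTTP-redirect step left out.

```python
"""Certificate coverage and Autodiscover lookup walk-through (added example).

All hosts, domains and records are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN entry) against a hostname.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: *.example.test covers mail.example.test but neither
    example.test nor a.b.example.test. Comparison is case-insensitive and a
    trailing dot is ignored.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # ".example.test"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]
        return left != "" and "." not in left
    return cert_name == hostname


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)


def assign_certificates(published: Dict[str, str],
                        certs: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Pick, per published hostname, a certificate that covers it.

    The reverse proxy binds one certificate per virtual web server, so every
    published name needs some certificate covering it; a name with no match
    gets None and would raise a certificate error for Outlook or a browser.
    """
    result: Dict[str, Optional[str]] = {}
    for host in published:
        result[host] = next(
            (cert_id for cert_id, names in certs.items() if cert_covers(names, host)),
            None,
        )
    return result


def classify(host: str, dns_a: Dict[str, str], cert_names: List[str]) -> str:
    """Why a candidate Autodiscover host would or would not work over HTTPS."""
    if host not in dns_a:
        return "no A record"
    if not cert_covers(cert_names, host):
        return "name not on certificate"
    return "ok"


def autodiscover_lookup(smtp_domain: str, dns_a: Dict[str, str],
                        dns_srv: Dict[str, Tuple[str, int]],
                        cert_names: List[str]) -> List[Tuple[str, str]]:
    """Walk the Autodiscover candidates for user@<smtp_domain> in client order:
    the bare domain, autodiscover.<domain>, then the _autodiscover._tcp SRV
    target. Returns (endpoint, status) pairs."""
    steps = []
    for host in (smtp_domain, "autodiscover." + smtp_domain):
        steps.append((host, classify(host, dns_a, cert_names)))
    srv = dns_srv.get("_autodiscover._tcp." + smtp_domain)
    if srv is None:
        steps.append(("_autodiscover._tcp." + smtp_domain, "no SRV record"))
    else:
        target, port = srv
        steps.append((f"{target}:{port} (SRV)", classify(target, dns_a, cert_names)))
    return steps


def first_working_endpoint(steps: List[Tuple[str, str]]) -> Optional[str]:
    """The first candidate a client would succeed against, if any."""
    return next((endpoint for endpoint, status in steps if status == "ok"), None)


# Constructed scenario: one public IP, Exchange and an intranet host behind
# the proxy, a single-name certificate per host, SRV-based Autodiscover.
SMTP_DOMAIN = "example.test"
DNS_A = {
    "example.test": "203.0.113.5",          # the public web site, not Exchange
    "mail.example.test": "198.51.100.10",   # the firewall's single public IP
    "intranet.example.test": "198.51.100.10",
}
DNS_SRV = {"_autodiscover._tcp.example.test": ("mail.example.test", 443)}
CERTS = {
    "exchange-single": ["mail.example.test"],
    "intranet-single": ["intranet.example.test"],
}
PUBLISHED = {            # hostname -> internal backend (constructed)
    "mail.example.test": "10.0.0.10",
    "intranet.example.test": "10.0.0.20",
}

if __name__ == "__main__":
    print(assign_certificates(PUBLISHED, CERTS))
    print(assign_certificates(PUBLISHED, {"wildcard": ["*.example.test"]}))
    steps = autodiscover_lookup(SMTP_DOMAIN, DNS_A, DNS_SRV, CERTS["exchange-single"])
    for endpoint, status in steps:
        print(f"{endpoint:40} {status}")
    print("client ends up at:", first_working_endpoint(steps))
```

With the single-name certificates, the bare domain fails the name check and autodiscover.example.test has no record, so the client only succeeds at the SRV target, which is exactly the one name the Exchange certificate carries; swapping in the wildcard entry covers both published names with one certificate, which is the case Ralph ends up recommending.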