Ralph Scharping (Germany) asked:
Exchange vs. Sophos Web Application Firewall


Is there anyone here who has ever configured Sophos UTM and its Web Application Firewall reverse-proxy feature with Exchange 2010, using a single-domain certificate and SRV records as the Autodiscover method?

The guide uses three different certificates and I am unable to follow as I have only one.

Steve (United Kingdom):

It may just be the wording you have used, but it can be very difficult if you mean you only have a single-domain SSL certificate that covers a single FQDN. Exchange doesn't like that, and it can be a proper pain to sort. Much better to get the right kind of cert to start with.

To clarify:

Does your existing cert only cover a single host/domain?

or is it a wildcard certificate?

Or a UCC/SAN certificate?
Ralph Scharping:

I do have a single-domain cert covering one single name. It works just fine in a lot of installations. All it takes is a split-brain DNS config internally and an SRV record for Autodiscover externally. No worries there.

My issue is with the reverse proxy in Sophos. I have only one IP and I need to publish another host in addition to Exchange, so I need the Sophos Web Application Firewall to forward different names to different physical hosts.
In the guide I am following there are multiple certificates for Exchange, and so far I was certain that it is not even possible to use different certificates (as opposed to names) for Outlook Anywhere, Autodiscover and OWA/ECP, as the HTTPS service can only be bound to one certificate.

So I am asking: has anyone ever done this before using a single name for all Exchange services?
Steve (United Kingdom):

This content is only available to members of Experts Exchange.

Even a "right" multi-domain cert would be ONE cert. The guide uses three.
Well, it seems that this actually works if you pay attention.
The Sophos proxy ignores all certificate errors on the inside, so if you are careful not to access Exchange using HTTPS from the inside, it's fine. You can actually get different single-domain certificates and bind them to different virtual web servers within the firewall.

It's a bit of an abuse, though, and a wildcard certificate really is your better choice.
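As an added consistency check (example code written for this page, not from the thread or from Sophos): given the name-based virtual web servers you intend to publish, each bound to one certificate, and the name your Autodiscover SRV record points at, report every published name whose certificate does not cover it. Hostnames, backend addresses and certificate names below are constructed placeholders.

```python
from dataclasses import dataclass


def name_matches(cert_name: str, host: str) -> bool:
    """Does a certificate name (CN or SAN) cover host? Exact match, or a
    wildcard replacing only the leftmost label (RFC 6125 style), so
    '*.example.com' covers 'mail.example.com' but not 'example.com'."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*.") and host.endswith(cert_name[1:]):
        left = host[: -len(cert_name[1:])]   # the label the '*' stands for
        return left != "" and "." not in left
    return False


@dataclass
class VirtualServer:
    hostname: str      # public name the WAF selects on (SNI / Host header)
    backend: str       # physical host the request is forwarded to
    cert_names: tuple  # CN plus SANs of the certificate bound to this server


def check_plan(servers, srv_target: str) -> list:
    """Return findings for a publishing plan; an empty list means it is consistent."""
    findings, published = [], set()
    for vs in servers:
        if not any(name_matches(n, vs.hostname) for n in vs.cert_names):
            findings.append(f"{vs.hostname}: bound certificate does not cover this name")
        published.add(vs.hostname.lower())
    # The SRV record sends clients to this name for Autodiscover, so it must
    # itself be a published virtual server (and thus covered by a certificate).
    if srv_target.lower().rstrip(".") not in published:
        findings.append(f"SRV target {srv_target} is not a published virtual server")
    return findings


# Constructed plans; hostnames, backends and certificate names are placeholders.
SINGLE_NAME = [  # one name for all Exchange services, as described in the thread
    VirtualServer("mail.example.com", "10.0.0.10", ("mail.example.com",)),
    VirtualServer("intranet.example.com", "10.0.0.20", ("intranet.example.com",)),
]
SPLIT_NAMES_ONE_CERT = [  # guide-style split names, but only one single-name cert
    VirtualServer("owa.example.com", "10.0.0.10", ("mail.example.com",)),
    VirtualServer("autodiscover.example.com", "10.0.0.10", ("mail.example.com",)),
]
WILDCARD = [  # a wildcard certificate covers every published name at once
    VirtualServer("owa.example.com", "10.0.0.10", ("*.example.com",)),
    VirtualServer("autodiscover.example.com", "10.0.0.10", ("*.example.com",)),
]
```

Run `check_plan(SINGLE_NAME, "mail.example.com")` for the single-name layout from the thread and `check_plan(SPLIT_NAMES_ONE_CERT, "autodiscover.example.com")` for the guide's split-name layout with only one single-name certificate; the second reports both published names as uncovered.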