
Is there a way to use the hostname for captive portal instead of IP?

Really, the subject says it all... is there a way to configure the HTTPS & HTTP proxies to redirect to a hostname instead of the IP address of the firewall?

Reason I ask is I'd really like to keep my certificates consistent.  We use an internal PKI, and so I have issued the XG a valid certificate based on our root cert.  Yes, I can go back and re-issue it with the IP address, but I would like for it to redirect, if possible, to the internal hostname instead.

Similar to overriding the hostname for the external SSL vpn... I want to do it on an internal-facing service.

If the answer is currently "not possible" - I would like to suggest this as a feature.

  • Hi Chris,
    I appreciate that you are trying to understand the system but please be aware - you are hacking the system without any knowledge of how it works.  Some of what you are posting is wrong or at least misleading.  I don't want to spend too much time trying to explain how it works because, quite frankly, you shouldn't be doing that.

    Let's back up.
    Using the documentation in community.sophos.com/.../132058
    What end-to-end functionality is not working as you expect?
  • FilippoBastianello said:

    Why is that "The email Quarantine Digest will always use the IP". This way quarantine will be available only for internal or external users, not for both.
    The Email quarantine digest uses a separate setting, configured under Email > Quarantine Digest > Reference User Portal IP. When we built the "proxy_use_hostname" feature for 17.1 we did not realize email was a separate configuration (built by a different team).  We are looking at options for changing this in the future.
    There is no reason why you cannot use the same IP for both internal and external users, as long as you can route there.  Putting in a hostname/FQDN does not change the fact that the FQDN will resolve to a single IP address which will be one of the interface IPs (the same interface IPs you can select right now).

  • "There is no reason why you cannot use the same IP for both internal and external users". In Email > Quarantine Digest > Reference User Portal IP I can choose one interface (I usually choose LAN or WAN). How can I route users from one zone to the IP chosen?

    "Putting in a hostname/FQDN does not change the fact that the FQDN will resolve to a single IP address" is not necessarily true if you use, as in my case, split DNS in order to resolve FQDN differently, depending on which zone you are in; usually internal DNS for LAN and public DNS for WAN.

  • Hello

    Refer to the KB article to use FQDN for captive portal.

    https://community.sophos.com/kb/en-us/123035

    Regards, Ronak.

  • Ronak Sheth said:

    Hello

    Refer to the KB article to use FQDN for captive portal.

    https://community.sophos.com/kb/en-us/123035

    Regards, Ronak.

    Hello Ronak,

    I don't see the connection with the quarantine portal settings.

    Regards

  • Thanks to the saint-like patience of Michael Dunn, I was able to work out that my Captive Portal certificate binding issue was due to the fact that PFX Import - while helpfully reporting that it imported the certificate chain correctly - would result in the awarrenhttp service (responsible for handling the Captive Portal) not being able to find the Root CA from the Intermediate CA and would silently roll back to using the ApplianceCertificate certificate. Once I imported the Root CA, Intermediate CA and leaf certificates separately as PEMs it worked correctly.