
XG Firewall Home Web Server not working

Hello all,

I am coming over from pfSense and trying out Sophos XG Firewall Home Edition because I have heard some good things. I have a web server hosting 3 websites with 3 different domains. IIS filters the traffic based on the domain and serves the appropriate website and TLS certificate. The problem I have is after adding my server to the Web Servers list, and setting up my protection policy to monitor, and using the Server Access Assistant, I am still unable to reach my web server.

I have already changed the user portal to use another port so that it will not conflict with my web server. My web server is on my LAN and I suspect that I need to add a VLAN and place the web server on it, then use routing to send traffic to it. But I'm not sure that is what I need or how to do it. I cannot figure out what I am doing wrong. Someone, please help.



  • Hi,

    Can you go to the Log Viewer and take a screenshot inside "Web Server Protection" ?

    I am still unable to reach my web server.

    Does it give any error? If yes, what code? Also, is DNS set up correctly?

    I have a web server hosting 3 websites with 3 different domains.

    I'm not familiar with IIS inside Sophos XG WAF, but since all three web instances are being hosted on the same server, did you enable "Pass host header" on each of the WAF Rules?

    My web server is on my LAN and I suspect that I need to add a VLAN and place the web server on it,

    There's no need for this.

    Thanks!

  • Can you go to the Log Viewer and take a screenshot inside "Web Server Protection"?

    There are no logs on this page. I tested the policy and I get Accepted.

    Does it give any error? If yes, what code? Also, is DNS set up correctly?

    I don't get any errors, it simply times out.

    Did you enable "Pass host header" on each of the WAF Rules?

    I am unable to find this on my Home Edition of XG Firewall. I found the documentation on "Pass host header", but my firewall does not have a Business application rule option, just "Server access assistant (DNAT)".

  • I am unable to find this on my Home Edition of XG Firewall. I found the documentation on "Pass host header", but my firewall does not have a Business application rule option, just "Server access assistant (DNAT)".

    After creating a Web Server you have to create a WAF Rule, in there you will be able to decide what features you want.

    To create a WAF Rule in v18 you have to go to "Rules and Policies", then "Add a New Firewall Rule" and on Action you will be able to select "Protect with web server protection".

    For more information check out: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/WAFRuleAdd.html

    Thanks!

  • Okay, awesome. I have just one last question. My server issues the TLS certificate for each of the three domains, but the WAF rule wants me to select a certificate. As I understand it, I will have to create one rule for each domain since I can only select one certificate. Is this correct? Or is there a way to issue a certificate for the three domains? The domains are completely different and I even have two different TLDs.

    The certificate selection is just throwing me off. In reading the documentation, the firewall supports SNI:

    If you selected HTTPS, select the certificate.

    XG Firewall supports SNI (Server Name Indication), allowing you to create more than one virtual web server that's accessible over the same IP address and port. You can assign a different certificate to each server. Servers are presented to clients based on the requested hostname.

    To create or upload a certificate, go to Certificates > Certificates.

    But I don't see any indication of how to do this.

    This is the last piece to the puzzle that I'm trying to solve. Thank you for helping me with this.

  • My server issues the TLS certificate for each of the three domains, but the WAF rule wants me to select a certificate. As I understand it, I will have to create one rule for each domain since I can only select one certificate. Is this correct?

    You can have multiple WAF Rules (Servers) running on HTTP & HTTPS simultaneously.

    The best way to do this is a WAF Rule for each domain. At each WAF Rule you will use the desired certificate with the correct SNI.

    Also, did you already import the certificates?
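    The advice above amounts to: one WAF rule per domain, each bound to a certificate whose DNS SANs cover that domain, with SNI choosing between them. The script below is an added check (not Sophos code, not from anyone in this thread) that connects to the firewall's WAN address once per domain with that domain as the SNI hostname and reports whether the certificate it was handed actually covers the name. The firewall IP and domains are placeholders; `san_matches` implements the exact/single-wildcard rule clients apply when comparing a hostname to a certificate.

```python
import socket
import ssl

# Constructed placeholders: replace with the firewall's WAN IP and your domains.
FIREWALL_IP = "203.0.113.10"
DOMAINS = ["example.com", "example.net", "example.org"]


def san_matches(hostname, san_names):
    """True if hostname is covered by one of the DNS SANs.
    Exact match, or a leftmost '*' label matching exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def cert_dns_names(cert):
    """Pull the DNS entries out of the dict returned by getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_domain(domain, ip=FIREWALL_IP, port=443, cafile=None):
    """Connect to ip with `domain` as SNI and report (ok, dns_names_or_error).
    Verification stays on: pass cafile for a private CA, otherwise the
    certificate must chain to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                names = cert_dns_names(tls.getpeercert())
                return san_matches(domain, names), names
    except (ssl.SSLError, OSError) as exc:
        # Hostname mismatch or wrong chain surfaces here: the WAF rule for
        # this SNI is bound to the wrong certificate, or no rule matched.
        return False, [str(exc)]


if __name__ == "__main__":
    for d in DOMAINS:
        ok, detail = check_domain(d)
        print(f"{d}: {'OK' if ok else 'FAIL'} {detail}")
```

A FAIL for one domain while the others pass usually means that domain's WAF rule selected a certificate without that SAN, or the request fell through to a different rule.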

  • Yes, I didn't seem to have any issue with that. In fact, I created a multi-domain certificate to cover all of the websites that I host and uploaded it to the certificates page of the XG Firewall. When I selected the certificate in the WAF rule, it auto-populated all of the domains. So I think everything is good to go when I swap my virtual firewalls back out. Thanks for your help, Prism.