
[LetsEncrypt] How To in Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi Guys,

This Recommended Read goes over different options to obtain a Let's Encrypt certificate.

Overview

UTM has had built-in Let's Encrypt (LE) support for WAF since UTM 9.6. Sophos Firewall has no such integration, but you can use LE certificates on it as well! Many people do not seem to know this: you simply need a small Linux server and 5-10 minutes of your time every 3 months. Or you automate it.

First of all, I want to share the "how it works" page of LE: https://letsencrypt.org/how-it-works/

My setup:

Internet - Sophos Firewall - Ubuntu 20.04 LTS
Ubuntu has "certbot" installed. Feel free to use another ACME client.
https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
Follow the guide for your OS. I rely fully on those tools for the renewal process.

Next step: I am choosing the HTTP-01 challenge method, so I need a DNAT rule that forwards the challenge requests from Let's Encrypt to my Ubuntu host. HTTP-01 is always delivered to TCP port 80 on the public IP your A record points to (Let's Encrypt follows a redirect to HTTPS, but the first request is plain HTTP), so the DNAT and its matching firewall rule must allow TCP/80 from WAN to the certbot host.

[Screenshot: DNAT rule (V18)]

PS: I am using the HTTP DNAT only for the renewal process and deactivate the rule afterwards. Restricting the rule to "LE source IPs" instead is not reliable: Let's Encrypt does not publish its validation IPs and validates from several vantage points, as the thread below explains. Disable the rule between renewals, or use DNS validation.
https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
PS2: You could switch to DNS validation (the DNS-01 challenge) as explained in this community thread.

The next step is to check your domain. Your DNS A record must point to your WAN IP, otherwise this process will not work.
So perform a dig / nslookup of your domain. It should return your WAN IP, so that your DNAT matches and the HTTP packets are forwarded to certbot.
You can also use the free Sophos DDNS service. https://community.sophos.com/kb/en-us/123126

Certbot

Let's start certbot and try it.
My renewal process is straightforward:


(Be careful: Let's Encrypt rate-limits you for a while after a couple of failed requests, so check everything first. certbot's --dry-run option tests the whole flow against the staging environment without consuming production rate limits.)
In the end you will get four files on your Linux host under /etc/letsencrypt/live/<your-domain>/: cert.pem (public certificate), chain.pem (the intermediate CA), fullchain.pem (cert.pem with chain.pem appended) and privkey.pem (private key).

Upload to Sophos Firewall

You will use the public certificate (cert.pem) and the private key (privkey.pem).
There are a couple of approaches to upload these to Sophos Firewall.

The first LE certificate can simply be uploaded in WebAdmin.
Use cert.pem in "Certificate" and privkey.pem in "Private key".
PS: you have to rename privkey.pem to privkey.key, otherwise Sophos Firewall will not accept the certificate.

 

Optionally you can upload chain.pem (the Let's Encrypt intermediate CA) under Certificate Authorities, without a private key. fullchain.pem is just cert.pem with chain.pem appended, so it adds nothing there.
Now you can use this certificate for WAF/WebAdmin.

When the certificate is renewed (every 90 days), you have to choose a process.

Automation 


You can simply upload the new LE certificate under another name and select it in WAF/WebAdmin.
Or you can "update" the current LE certificate with the new cert.pem / privkey.key. For this method you have to switch WAF/WebAdmin to a fallback certificate first, because Sophos Firewall cannot update a certificate that is currently in use.

Either way, these steps are a manual process every 90 days.
You can script this if you want: basically, upload the certificate to Sophos Firewall through its API every 90 days.
https://community.sophos.com/kb/en-us/132560
Other members of the community have already written scripts for this.
https://community.sophos.com/products/Sophos -firewall/f/sophos-Sophos -firewall-general-discussion/102208/upload-certificate-using-api
https://community.sophos.com/Sophos -firewall/f/discussions/126295/automatically-renew-let-s-encrypt-ssl-certificates-on-Sophos -using-powershell
https://github.com/mmccarn/sophos
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/129768/letsencrypt-api-update-script---dynamically-handles-multiple-certs-multiple-rules-including-re-grouping-of-policies-rules
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/134534/sophos-Sophos -api-lets-encrypt-powershell-7-waf-update
https://community.sophos.com/sophos-Sophos -firewall/f/discussions/138668/upload-certificates-using-powershell-to-automate-let-s-encrypt

If you want to script this, this community can help if you get stuck on a point!
Simply open a new thread describing your issue with the API, and we will try to find a solution.
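Putting the pieces above together (the four certbot files, the .key rename from the upload section, and an API upload under a fresh name on every renewal so the certificate in use is never updated in place), here is a certbot deploy hook written as an added example for this page. It is not the author's script, not one of the community scripts linked above and not Sophos code. The firewall host, port and API user, the LE_<domain>_<date> naming and the dry-run default are assumptions, and the XML elements follow what the community upload scripts send, so verify them against the API reference for your SFOS version before use.

```shell
#!/bin/sh
# sfos-le-deploy.sh: a certbot --deploy-hook that pushes a freshly issued
# Let's Encrypt certificate to a Sophos Firewall over the XML API.
# Added example, not code from the original post, the linked scripts or Sophos.
# Assumptions: host, port and user come from the environment; the object name
# scheme LE_<domain>_<date> is mine; the XML elements follow what the community
# upload scripts send, so check them against the API reference for your SFOS.
set -eu

SFOS_HOST="${SFOS_HOST:-fw.example.internal}"   # assumed WebAdmin host
SFOS_PORT="${SFOS_PORT:-4444}"                   # WebAdmin port, also serves the API
SFOS_USER="${SFOS_USER:-le-uploader}"            # assumed dedicated API user
SFOS_PASS="${SFOS_PASS:-}"                       # pass via environment, never hard-code
SFOS_CACERT="${SFOS_CACERT:-}"                   # PEM of the WebAdmin CA; empty = -k
SFOS_DRY_RUN="${SFOS_DRY_RUN:-1}"                # 1 = build the request, do not send it

# certbot writes exactly these four files into /etc/letsencrypt/live/<domain>/
LE_FILES="cert.pem chain.pem fullchain.pem privkey.pem"

# 0 if all four files exist and are non-empty, 1 otherwise (message on stderr).
le_lineage_complete() {  # lineage-dir
    for f in $LE_FILES; do
        if [ ! -s "$1/$f" ]; then
            echo "missing or empty: $1/$f" >&2
            return 1
        fi
    done
    return 0
}

# Escape text before it goes into the XML request: the password is free text,
# and an unescaped & < > or " would break, or alter, the document.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Object name LE_<domain>_<YYYYMMDD>. A new name on every renewal means the
# object bound to WAF/WebAdmin is never updated in place (SFOS refuses that);
# you rebind to the new object and delete the old one afterwards.
cert_name_for() {  # lineage-dir [YYYYMMDD]
    printf 'LE_%s_%s\n' "$(basename "$1" | tr '.-' '__')" "${2:-$(date -u +%Y%m%d)}"
}

# Copy cert.pem and privkey.pem into a private work dir under the names the
# firewall will see. The key gets a .key extension: WebAdmin rejects a private
# key named *.pem, and the same convention is kept for the API upload.
stage_for_upload() {  # lineage-dir workdir name
    umask 077
    cp "$1/cert.pem" "$2/$3.pem"
    cp "$1/privkey.pem" "$2/$3.key"
}

# The XML request. Only the file names go in here; the file bodies travel as
# separate multipart parts whose field names must match these names.
build_upload_request() {  # name certfile keyfile
    printf '<Request><Login><Username>%s</Username><Password>%s</Password></Login>' \
        "$(xml_escape "$SFOS_USER")" "$(xml_escape "$SFOS_PASS")"
    printf '<Set operation="add"><Certificate><Action>UploadCertificate</Action>'
    printf '<Name>%s</Name><Password></Password><CertificateFormat>pem</CertificateFormat>' \
        "$(xml_escape "$1")"
    printf '<CertificateFile>%s</CertificateFile><PrivateKeyFile>%s</PrivateKeyFile>' "$2" "$3"
    printf '</Certificate></Set></Request>\n'
}

upload_to_sfos() {  # reqxml certpath keypath
    url="https://${SFOS_HOST}:${SFOS_PORT}/webconsole/APIController"
    if [ "$SFOS_DRY_RUN" = "1" ]; then
        echo "dry run: would POST $(basename "$2") and $(basename "$3") to $url" >&2
        return 0
    fi
    if [ -n "$SFOS_CACERT" ]; then
        tls_opt=--cacert; tls_arg="$SFOS_CACERT"     # verify the WebAdmin certificate
    else
        echo "warning: SFOS_CACERT unset, TLS verification disabled (-k)" >&2
        tls_opt=-k; tls_arg=""
    fi
    # --form-string sends reqxml literally; plain -F would try to read a value
    # that starts with '<' from a file of that name.
    curl -sS "$tls_opt" ${tls_arg:+"$tls_arg"} --form-string "reqxml=$1" \
        -F "$(basename "$2")=@$2" -F "$(basename "$3")=@$3" "$url"
}

# Entry point for certbot, which sets RENEWED_LINEAGE to the live/<domain> dir.
main() {
    le_lineage_complete "$RENEWED_LINEAGE"
    name=$(cert_name_for "$RENEWED_LINEAGE")
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    stage_for_upload "$RENEWED_LINEAGE" "$workdir" "$name"
    upload_to_sfos "$(build_upload_request "$name" "$name.pem" "$name.key")" \
        "$workdir/$name.pem" "$workdir/$name.key"
}

# Sourcing the file only defines the functions; certbot's hook call runs main.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

certbot runs the hook with RENEWED_LINEAGE set to /etc/letsencrypt/live/<domain>/ after every successful issuance or renewal, so it is wired in once, for example with `certbot certonly --standalone --preferred-challenges http -d www.example.com --deploy-hook /usr/local/sbin/sfos-le-deploy.sh`. Test the issuance with --dry-run first (deploy hooks are not run during a dry run), then run the hook by hand with RENEWED_LINEAGE and SFOS_DRY_RUN=1 to inspect the request, and set SFOS_DRY_RUN=0 only once it looks right. On the firewall side, give the API user only the rights it needs, restrict API access to the Ubuntu host's IP, and pin the WebAdmin CA through SFOS_CACERT instead of living with -k.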

Sophos Factory

Sophos Factory brings a new tool to automate script-based approaches. This means you can easily run a script such as certbot or lego in a Sophos Factory environment to generate the certificate and upload it to the Sophos Firewall.

Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

Within Sophos Factory it could look like this:

Each step is one scripting component. Using tools like lego and GitHub, the "pipeline" runs once, generates the certificate and uploads it to the firewall.

Contribution:


 
https://zerossl.com/free-ssl/#crt Free alternative to this approach
For the GitHub script.
Thanks for the PHP script!
For a PowerShell script with WAF integration.
For another version of a PowerShell script.



Updated Disclaimer
[edited by: Erick Jan at 9:16 AM (GMT -7) on 17 Apr 2023]
  • Added Sophos Factory to this Thread. 

    __________________________________________________________________________________________________________________

  • This feature was one of the top-ranked requests in Ideas (RIP).

    On every corner of the forums people ask for it.

    The feature was promised at the same time it was for UTM. UTM has had it for years now, and on XG it is still "on the roadmap" with no sign of anybody even touching it.

    Just another feature the "next gen" does not have, and likely will not get any time soon.

    Sophos' communication on development and feature implementation in XG is getting to a point where it is embarrassing at best, fraudulent at worst.

  • I do not understand why the firewall should take on the work of being a certificate store. But I am from the old school of having a separate service for such tasks, and I am a fan of automating such tasks for multiple instances at once.

    Again: I am not a Product Manager, nor do I have influence on the roadmap or any other topics. I am here to help and give advice.

    If you want to prioritize this, feel free to reach out to your local Sales rep to get it sorted out.

    I cannot comment on this any further.

    __________________________________________________________________________________________________________________

  • SFOS has a WAF, that's why. UTM supports it. Put your products on feature parity. It's simple. Clearly, if UTM has it, someone at Sophos thought it was an important feature and could see the need for a firewall to handle the certificates of the websites that use its WAF.

  • So you would need Webserver Protection licenses for LE? That would be a requirement to get this to work. And most customers I am talking to are not licensing WAF anymore (only if on-prem Exchange is present).

    Again: if you have a business case and a customer needing this feature, you can contact Sales to get the prioritization right. I am not seeing many LE requests from customers lately.

    I am more involved in ZTNA implementations lately, and ZTNA needs a wildcard certificate, which means it needs the DNS LE challenge as well.

    __________________________________________________________________________________________________________________

  • I don't know if our provider would support that (SCHLUNDTECH), but that's not the point.

    On the UTM it has worked since version 9.6 from 2018-11-22 with the HTTP method. In the XG/SFOS timeline that would be 17.5 MR9 or so.
    We have seen 18, 18.5 and 19 since then, and still the community feels a bit "ignored" when such an often-requested feature is somewhere down in development.

    I don't see the point you make about the "much more secure" DNS way. UTM users have been able to choose the "insecure" HTTP method for almost 2 years now. UTM users can choose whether to or not; XG users have no choice and can be somewhat frustrated.

    Don't get me wrong. In our deployments there is mainly one certificate in use for the user portal and web admin. If the customer has a more complex WAF, he is using a wildcard certificate. No big deal.
    But if I imagine some of our customers with their 10+ domains that all have some kind of subdomains and different portals, they won't be using 10+ wildcard certificates because of a firewall that is not able to do LE integration. They would change their vendor, because they could nearly buy a new firewall for the cost of the wildcard certificates.

    Sophos should make clear whether they want to target customers from small to enterprise size, or maybe only BIG enterprises where "additional costs" for a firewall (like certificates, renewal processes) don't count.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • As far as I know, you are in the German/DACH market: could you give me (via DM) a list of those customers facing the challenge of multiple domains? Because I am not seeing or talking to them.

    If this is the reason they change their vendor, this needs to be clearly addressed to Sophos. I am not seeing any customer coming to us and telling us/me: "I cannot migrate to SFOS or cannot use SFOS because of the lack of LE."

    If you have such customers, feel free to reach out to me to discuss this further.

    __________________________________________________________________________________________________________________

  • I don't have a list of customers, I only wanted to give you some arguments about how small businesses, at least here in Germany, are thinking.

    As a Sophos Partner we are already having issues selling them a newer firewall or renewals (because of the bill they have to pay); they don't spend money on IT security like big enterprises do. We are glad about any customer we can move to Sophos from another firewall vendor. But at the latest with the next renewal we get "can we do something about the pricing?" as the first response. Having to migrate them to a new system that maybe has more, but on the other side FEWER features than the previous firewall, we have to explain to them why they need an additional 15€/year SSL certificate for webadmin/userportal, no joke!

    I just wanted to remind you that not all Sophos customers are the same, and in my opinion Sophos is putting the focus only on big enterprises, at least since the takeover/investment by Thoma Bravo.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • This is clear, but I want to point out: if you come across customers like that, please inform Sophos during the migration process and discussions. If nobody reaches out to Sales about the issues you have, they cannot be addressed.

    __________________________________________________________________________________________________________________

  • Sophos should be aware of it: User Voice and all the comments with every release. If they are not aware, they don't care about their customers.

  • NOT using those APIs

    Mainly those

    We don't try to migrate existing DNS records of new customers to our vendor. We rather use what's there, and most of that doesn't come with an API.

    Furthermore I support what  said, but at least from my point of view, I never had customers really complaining about the costs of certificates. Maybe because we never really forced Let's Encrypt on any system and always stuck with paid certs for Exchange and other services.

    Therefore, I would still support . As more and more services become cloud-hosted, this discussion becomes more irrelevant to me. Those customers who still want on-prem Exchange servers already have to pay for services, management, ongoing updates, etc. 15€/year for a certificate is the smallest cost point of running Exchange locally. Those who want to save costs will go to Microsoft 365 (or any other cloud service). Those who still want to have Exchange locally (mostly) know that they need certificates, and in the context of a new Exchange server project these costs are there, but I never spoke about the price with them (maybe about why and whether the customer really needs them, but answering that is part of the consulting, IMO).

    The lack of LE, speaking for me personally, mainly matters when there is a non-Exchange service, no wildcards are bought and I would like to reroute everything through SFOS to get HTTPS. This happens, but it is a real edge case, and I don't know any other person in my team who would do this at all.

    I see that both WAF and E-Mail Protection won't be part of core SFOS anymore. This trend has already started, as the new Total Protect doesn't come with both add-ons. For me this is fine, even if it's cool to administer both. But with this trend, if I don't have any service where I could use the certificate on the majority of appliances, I totally understand why the main focus of 18.0 to 19.0 was features inside Network and Web Protection (SD-WAN, NAT, SSL/TLS inspection). Also, those are features that I use even at SMB customers.

    TL;DR: Yes, I still want LE on XGS. Yes, I still want LE integrated in SFOS and I don't want another third party in that process. And yes, I will cheer when LE makes its way to SFOS.
    But the impact that LE would have today (or in the future) is way smaller than it had on SG back with , and I would even say that I wouldn't swap a feature I have today for having LE.
