I'm a bit of a Sophos newbie, having come from a decade of ISA+TMG experience (with a little other stuff thrown in at times). I'm trying to replicate, or at least come close to replicating, TMG SSO across multiple sites.
So in the TMG world I would have a web listener. This is pretty much what UTM terms a Virtual Web Server, although a TMG Web Listener has both HTTP and HTTPS ports (and the ability to seamlessly upgrade a connection to HTTPS).
Then, in TMG, I have a Forms Authentication "site" (a collection of HTML, CSS, graphics, etc.) to gather credentials. This would seem to be a Reverse Authentication Template, using Form mode.
If I configure the Listener for Forms Auth I get almost the equivalent of a Profile. So far so good, I think.
Finally, in TMG, I write a rule to publish a particular internal server using the listener, specifying the collection of site names (e.g. mysite.example.com) and path mappings (e.g. mysite.example.com/site1 --> server1.internal/). So this would seem to be a part of the Virtual Web Server as well as Site Path Routing.
And indeed, without authentication, it seems to work. Not well (yet, for me), but that is most likely my lack of knowledge. What I cannot find, though, is a way to replicate the site consolidation features of TMG with single sign-on, where you can have:
mysite.domain.com/.../ --> server1.internal.local/.../
mysite.domain.com/.../ --> server2.internal.local/.../
mysite.domain.com/.../ --> server2.internal.local:5466/
The same forms page, credentials and session are applied to all three. Now, because I'm playing with this at home, I figured I'd use my home theatre servers to trial this. What I'd like to achieve is this:
media.qwerty.com/.../ --> nas01.internal.local/.../
media.qwerty.com/.../ --> http://mm.internal.local:8112/
media.qwerty.com/.../ --> http://mm.internal.local:5050/
media.qwerty.com/.../ --> http://mm.internal.local:8080/
media.qwerty.com/ --> nas01.internal.local:8081/
I have a single Virtual Web Server with the following config:
Type: Plaintext (HTTP)
Domains: media.qwerty.com
Real Webservers:
Site Path /deluge --> [active] MediaManager (Deluge) (mm, HTTP, 8112)
Site Path /Media --> [active] NAS01 (nas01, HTTP, 80)
Site Path /Sab --> [active] MediaManager (Sab) (mm, HTTP, 8080)
Site Path /Couch --> [active] MediaManager (CP) (mm, HTTP, 5050)
Site Path / --> [active] MediaManager (Sick) (mm, HTTP, 8081)
Firewall Profile: Basic Protection
Advanced: Pass Host Header
Rewrite HTML
I find I can only assign the Reverse Authentication to the Site Path Route, and that if I try to assign it to more than one, I get this error:
"An authentication profile with frontend mode 'Form' can only be deployed once on any one Virtual Webserver".
So ... I'm guessing that I'm doing it wrong, but I can't understand from the error how to do it better/right. Can someone enlighten me? For example, do I need to create multiple virtual web servers with the same port and DNS name, or am I trying to do the impossible and I need to split it all up?