Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 4 subscribers
  • Views 7979 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos and the AWS ELB

L1meFire
In AWS, I'm trying to position Sophos between an External ELB and an Internal ELB balancing traffic to web servers.

External ELB -> Sophos -> Internal ELB -> Web Servers

The External ELB can point at Sophos instances with no issues.  Given that the ELB doesn't have an IP address only a DNS name, I obviously can't NAT to it.  Is there a way of directing the traffic to the Internal ELB once it hits Sophos?  In other words, how can I sandwich Sophos between the two ELBs, north to south?


This thread was automatically locked due to age.
  • 0
    Hi, L1meFire, and welcome to the User BB!  I haven't asked the question before - have you asked whether an ELB, let alone two, will gain you any advantage?  

    Cheers - Bob  

    Sorry for any short responses.  Posted from my iPhone.
  • 0 in reply to BAlfson
    I didn't see an answer to the original question of whether you could NAT to an AWS ELB, which uses a domain name.  I assume from one line in the documentation that this is possible, but I don't see how.

    Any assistance or links to relevant documentation would be appreciated.

    As to your question of why someone would want to do the following:
    ELB=>[Sophos]=>ELB=>Instances

    The first ELB provides failover/redundancy across AWS AZs.  The second ELB not only provides the ability to autoscale, but also provides redundancy for failed instances. 

    Thanks,

    Scott
  • 0

    Scott, thanks for responding.  I understand the need for them in general, but not when a UTM is in the mix.

    Is the first ELB faster/better than using Zone-53 with two External interfaces on the Sophos?

    Does the second ELB offer any advantage over 'Server Load Balancing' or using the reverseproxy with two Real Servers?

    Cheers - Bob
    PS NAT only works with IPs.  You can use a DNS Host object that gets its IP from a name server, but the FQDN will not be passed to the ELB.  Same problem with the reverse proxy.

    Note 2017-12-27: I haven't tried it, but I bet selecting 'Pass host header' in the 'Advanced' section of the Virtual Server would get the FQDN to the ELB.

  • 0 in reply to BAlfson

    WAF seems to be unable to accept connections from multiple internet-facing ELBs to multiple backends.  This is a requirement when terminating SSL using AWS ACM certificates since Sophos does not support them.  This common architecture (LB > UTM > LB) is extremely common but so far seems unobtainable using Sophos appliances on AWS.  AWS WAF is not practical when dealing with a legacy setup that supports over 1,000 domains due to the administrative overhead of modifying every DNS record to a new endpoint.

    https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/41441/nat-based-on-domain-name/316605#316605

     

    I would love it if you could prove me wrong though.