Sophos and the AWS ELB

In AWS, I'm trying to position Sophos between an External ELB and an Internal ELB balancing traffic to web servers.

External ELB -> Sophos -> Internal ELB -> Web Servers

The External ELB can point at Sophos instances with no issues. Given that the ELB doesn't have an IP address, only a DNS name, I obviously can't NAT to it. Is there a way of directing the traffic to the Internal ELB once it hits Sophos? In other words, how can I sandwich Sophos between the two ELBs, north to south?


This thread was automatically locked due to age.
  • Scott, thanks for responding.  I understand the need for them in general, but not when a UTM is in the mix.

    Is the first ELB faster/better than using Zone-53 with two External interfaces on the Sophos?

    Does the second ELB offer any advantage over 'Server Load Balancing' or using the reverse proxy with two Real Servers?

    Cheers - Bob
    PS NAT only works with IPs.  You can use a DNS Host object that gets its IP from a name server, but the FQDN will not be passed to the ELB.  Same problem with the reverse proxy.

    Note 2017-12-27: I haven't tried it, but I bet selecting 'Pass host header' in the 'Advanced' section of the Virtual Server would get the FQDN to the ELB.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA