Web server in DMZ with WAF

Hello,

I wanted to switch from DNAT to WAF. To do this, as in the guide, I switched a web server in the DMZ to Listen 80 and created a virtual web server with HTTPS redirection that listens on a specific fixed IP. But it doesn't work. The web server is neither reachable from the LAN via http:// nor correctly from outside. That is: logging in to the cloud works, uploading does not.
A second virtual web server connects to an Exchange server (Horde) on the internal network. That works flawlessly, apart from some grumbling about unsigned cookies. But that's another topic.
What has to be configured differently when the server is in a DMZ? With DNAT everything ran flawlessly.

Thanks for tips and advice! Or do you need more information?

Regards - Ralph

  • Hallo Ralph and welcome to the UTM Community!

    I'm not sure why accesses from outside the UTM are not functioning.  Please show us an example from the Web Application Firewall log where an access fails.  Also, show us what you see that causes you to conclude that it fails.

    From the inside, I agree with Doug that you'll want just split DNS causing access to bypass WAF.  If you do want internal users to transit the WAF, be sure to have those accesses skipped in Web Protection and create an Additional Address on the Internal interface for use in a duplicate Virtual Server.

    Cheers - Bob

    PS If you want me to, I will move this thread to the German forum.  For now, I'll move it to the Web Server Security forum.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    meanwhile almost everything works as it should. The reason for the problems was an HTTPS parameter in the PHP configuration of the real web server. It forced the access into SSL from internal as well. So the whole concept of connecting without encryption within the LAN and getting encryption with the certificate on the UTM for external access was counteracted.

    There is just one problem unresolved: The Android app cannot connect to the Nextcloud server. But that belongs in another thread.

    Cheers - Ralph
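The failure Ralph describes (a backend that answers every plain-HTTP request from the TLS-terminating WAF with a redirect to https://, so the request lands on the WAF again) can be checked from the DMZ side before touching the firewall. The following diagnostic is an added example, not code from the thread or from Sophos; the host name and the X-Forwarded-Proto handling are assumptions, and the responses in the test are constructed.

```python
"""Added diagnostic: does a DMZ backend force HTTPS on plain-HTTP requests?

Hypothetical helper, not part of the thread. A WAF that terminates TLS and
speaks plain HTTP to the backend breaks when the backend itself redirects
http:// to https://: the redirect target is the WAF again and the cycle repeats.
"""
import http.client
from typing import Optional
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, lower-cased header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_backend_response(status: int, headers: dict) -> str:
    """Classify the backend's answer to a plain-HTTP request.

    'forces-https'  : redirect to an https:// URL (the misconfiguration in the thread)
    'redirect-other': some other redirect, e.g. to /login; harmless for the WAF
    'ok'            : served over HTTP as the WAF expects
    'error'         : 4xx/5xx, investigate separately
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    if status in REDIRECTS and location:
        return "forces-https" if urlsplit(location).scheme == "https" else "redirect-other"
    return "ok" if status < 400 else "error"


def probe(host: str, port: int = 80, path: str = "/",
          forwarded_proto: Optional[str] = None) -> str:
    """Send one plain-HTTP GET without following redirects and classify the reply.

    forwarded_proto="https" emulates a reverse proxy setting X-Forwarded-Proto
    (assumed; verify whether your WAF actually sends it). A backend that returns
    'forces-https' without the header and 'ok' with it honours the proxy header;
    one that redirects in both cases must be reconfigured, as in the thread.
    """
    extra = {"Host": host}
    if forwarded_proto:
        extra["X-Forwarded-Proto"] = forwarded_proto
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers=extra)
    resp = conn.getresponse()
    return classify_backend_response(resp.status, dict(resp.getheaders()))
```

Run `probe("cloud.example.test")` from a host in the DMZ (assumed name); a result of `forces-https` from a plain request means the backend, not the WAF, is upgrading the scheme.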
