NAT based on domain name

I have 1 public IP to which two domains point to.
Internally I have 2 webservers, which I want to publish, but both servers are published on TCP443.

Is it possible to NAT different internal IPs based on which domain name was requested from the outside?

I've done this on ISA and TMG, but I'm not sure how it's done on UTM, or if it's even possible.


  • Hi, avj, and welcome to the User BB!

    You can do this with Webserver Protection, but not with NAT in IPv4.  If you've done this before, then you probably have the right wildcard or multi-domain certificate that you would need.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
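An added illustration, not part of this thread or of any Sophos code: NAT works on IP addresses and ports, and the requested domain name is carried only at the application layer, in the TLS ClientHello's SNI extension or in the HTTP Host header, which is what a reverse proxy such as Webserver Protection reads before choosing a backend. The ClientHello builder, hostnames and backend table below are constructed samples.

```python
import struct
from typing import Dict, Optional

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS ClientHello whose only extension is SNI."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # version, random, sid, suites, comp
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def extract_sni(data: bytes) -> Optional[str]:
    """Return the server_name in a TLS ClientHello, or None if absent or the record is not a ClientHello."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        pos = 43                                   # record hdr 5 + handshake hdr 4 + version 2 + random 32
        pos += 1 + data[pos]                       # skip session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # skip cipher suites
        pos += 1 + data[pos]                       # skip compression methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0x0000:                 # server_name_list: len(2), then type(1) len(2) name
                p, stop = pos + 2, pos + 2 + struct.unpack_from("!H", data, pos)[0]
                while p + 3 <= stop:
                    ntype, nlen = data[p], struct.unpack_from("!H", data, p + 1)[0]
                    if ntype == 0:
                        return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += ext_len
    except (IndexError, struct.error):             # truncated or malformed hello
        pass
    return None

def extract_http_host(request: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP/1.1 request (an ELB that terminates TLS forwards these on TCP 80)."""
    for line in request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        if line[:5].lower() == b"host:":
            return line[5:].strip().decode("ascii", "replace").rsplit(":", 1)[0]
    return None

def pick_backend(hostname: Optional[str], sites: Dict[str, str]) -> Optional[str]:
    return sites.get(hostname.lower()) if hostname else None   # name-based dispatch; None = no site matched
```

A request with no usable name (raw IP, truncated hello) yields None, which a site table should treat as "no match" rather than falling through to a default server.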
  • This isn't working for me. I have multiple upstream ELBs terminating SSL, then forwarding to Sophos on TCP:80. The WAF rules need to filter to different backends based on the source they receive a request from, but the ELB only has a public address, it sends to instances on a VPC private address, and these requests never get past the firewall. :(

  • Who's on First, What's on Second, ... [:D]

    Seriously, maybe a diagram?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is fairly common and I have created it with multiple other physical and virtual appliance vendors before.

  • Thanks, James, I'm a visual-tactile, so I would have spent a while "seeing" this well enough to diagram it myself.  I figured you had experience with this since it seemed so obvious to you what you were describing.

    "The WAF rules need to filter to different backends based on the source they receive a request from"

    I'm not sure what this means.  Do you want all requests from inbound ELB1 to go to outbound ELB1, or ???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • ELB 1 & ELB 2 always point to WAF rule 1 which uses backend 1

    ELB 3 always points to WAF rule 2 using backend 2

    ELB 4 & ELB 5 always point to WAF rule 3 using backend 3, etc.

     

    Here is my NAT for an example ELB inbound:

     

    The DNS Host record is the DNS name for the internet-facing ELB (not posted here for obvious reasons...) but the ELB sends traffic to the UTM on private VPC RFC1918 addresses (depending on which AZs the UTMs reside in) and those addresses do not map back to that DNS name.  The goal is to get traffic from this ELB, and only this ELB to the corresponding WAF rule here:

    Unfortunately, with or without using a secondary IP address with additional public address attached, requests never hit the correct WAF rules.

  • James, you don't realize that you're presenting a frustrating situation.  Each post (including the one on the other thread) contains new, significant details.  I expect that this is frustrating for you since you already know how to do this with a command-line-driven device.  I suspect that the UTM offers an easy, elegant solution, but we've been dealing with your guesses at how WebAdmin manipulates the underlying configuration databases with which the configuration daemon creates the lines of code that actually run the UTM.  If you'll check #2 in Rulz, you'll see that your Full NAT completely bypasses the reverse proxy.

    At this point, I would recommend that you get your reseller involved to speak with Sophos Pre-sales support to get an answer if what you have in mind is possible with NAT, Load Balancing or WAF.  I suspect that, to get this implemented, your organization might need to pay someone to take the time to dig in to the underlying requirements.

    We all work for a living - you won't get several hours of someone's time for free.  We in this forum are happy to help when the questions are incremental and well-described, but this isn't at that point yet.

    Sorry if that sounded harsh, but you've already spent enough time waiting for an answer here, and I didn't want to lead you on.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have no expectation of free work.  Unfortunately I have gotten more assistance from the forum here than I have from the ticket I opened up with Sophos under my premium support license.  My main goal at this point is to determine if Sophos is able to accomplish this standard architecture between two load balancers, which it doesn't appear to.  I have spent months working with Sophos directly on this including a failed attempt to use their autoscaling solution in this environment, and still do not have an answer as to how to secure these domains using their products.  I suspect that Sophos is unable to solve for this without a feature request, and have communicated the details of such to them via the ticketing system.  The issue that I am describing is repeated over and over by various users in this community dating back years, and rather than answer the query they are usually met with questions about why they would want to do that instead.

     

    I fully appreciate your assistance, and apologize if this is confusing, but to me this is a pretty basic edge configuration and Sophos appliances do not seem to be able to support it due to compatibility issues with AWS elastic load balancers.  This thread is itself showing a hack to get around this compatibility problem, and has been cited in my support ticket.

     

    No worries. :)

  • My recommendation is to get your reseller to engage Sophos Pre-Sales support.  The Sophos Support organization is more break-fix than what you need, James, and all "Premium" support does is give you the ability to open a ticket directly instead of going through your reseller.

    The Pre-Sales people can get deep-dive help quickly.  You're looking at a go/no-go situation that your reseller should jump at to get Sophos Pre-Sales involved.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA