Setup Multiple Web Servers with one Public IP

Question for everyone:

I currently have one public IP and have several webservers I would like to access if possible. Is this possible with Sophos UTM, and if so, how do I do it?

I want to be able to access my UTM User Portal from the public using SSL by typing testwebsite.com or utm.testwebsite.com. Then I would like to access an internal webserver by typing server1.testwebsite.com using SSL, along with various other ports to open on the server. And then I would also like to access another internal webserver by typing server2.testwebsite.com. I want to be able to type any of these from inside and outside of my network and still be able to access them.

Thanks for your help in advance.



  • Here is my understanding:

    Server Name Indication (SNI) is a way for multiple websites to coexist on the same IP address and port. The receiving webserver sorts things out based on the host name. I believe all of the websites have to exist on the same server, although some high-end devices may be able to perform that function and sort things out. I don't think UTM WAF has any support for using SNI to accomplish this, and I don't think there is any chance that one or more WAF resources will coexist on the same IP and port as User Portal, because these are different subsystems on the box.

    You can definitely have multiple WAF sites share an IP address by configuring them on different ports. My testing indicates that WAF opens port 443 even if no WAF site is configured on port 443, so I would recommend configuring the most-used site on 443. This anomaly (bug?) also suggests that WAF cannot share an IP address with User Portal, even on a different port.

    Even if sharing that primary IP address was possible, you would need to be careful not to collide with one of the built-in ports for SMTP Proxy, SPX portal, SSL VPN, IPsec VPN, WebAdmin, etc.

    If you configure multiple WAF sites on one IP address, you can certainly have multiple DNS names for the same IP address. You would need to do this if (as I have assumed) all of your WAF sites are HTTPS-enabled (they should be). But your users will still need to know and enter the correct port number along with the name, as there is no mechanism for configuring DNS to know that server1.mycompany.com means 10.10.10.0:4449.

    Bottom line: If you need WAF sites, you should have more than one IP address from your ISP.
