https://passthrough.fw-notify.net and Portforwarding 443 (NAT)

You can't.

Either the webserver on the UTM public IP occupies port 443 OR portforwarding does. both at the same time is impossible.

Do you think, it will be possible to change the port  to  8443? e.g. https://passthrough.ourselfdomain.com:8443 ?

i don't think thats possible. i wouldn't even know where to start to change the hostname of the passthrough authentication. If thats unter Web Protection > Filtering Options > misc > Certificate for End-User Pages then i'd say no because there is no option to change the port of the internal UTM Webserver

Hallo Heiko,

Agreed with Florian on using NAT.

We don't know much about your configuration, but you might be able to use Webserver Protection.  You would create two Virtual Servers using port 443; one for passthrough.ourselfdomain.com and the other for website.ourselfdomain.com.  Let us know if that works for you.  If you need help configuring that, please open a new thread in the Web Server Security forum.

Cheers - Bob

Hallo Heiko,

Agreed with Florian on using NAT.

We don't know much about your configuration, but you might be able to use Webserver Protection.  You would create two Virtual Servers using port 443; one for passthrough.ourselfdomain.com and the other for website.ourselfdomain.com.  Let us know if that works for you.  If you need help configuring that, please open a new thread in the Web Server Security forum.

Cheers - Bob

Hi Bob,
you're right and it works so now, with a reverse proxy on the UTM.
In a school i have a Webmail-Server(TCP 443), this one i need for a public access from outside. Inside the school I need for WLAN-Access the authentication against LDAP (eDirectory)  from the UTM with the login page.
Because  https://passthrough.fw-notify.net not works for iOS (because wrong certificate), I change the domain and deploy a Letsencrypt-Certificate for passthrough.ourselfdomain.com.
Thank You Heiko 

Last challenge is the deployment of the LE-certificate, generated from a separate Linux-Box. I need to upload this to the UTM periodically, but automatically. Do you know a good source for the REST-API with some samples for the UTM?

I don't, Heiko - sounds like a good question for the Web Server Security forum.

Cheers - Bob

We use the same construct for our Exchange OWA.

I just run multiple LE Certificates. One that resides on the UTM updating there and one on the Exchange Server. Both are totally seperate.

UTM Connects to Exchange just fine.

From the End User point of view, unless they know how to check certificate serial numbers both are undistinguishable.