It would be very nice if, when Let's Encrypt CA starts with public certificates (letsencrypt.org), we could get certs through the UTM GUI, so that the "Let's Encrypt Client" is integrated in the UTM. Would it be possible?
Best Regards
1,641 votes
One of the most important problems for website users is that, when they want to open a page that is HTTPS, they forget to type HTTPS at the beginning of the address and the request is sent via HTTP. Therefore they cannot view the page successfully. If a "URL redirection" feature is provided on Sophos UTM or WAF, it is possible to automatically redirect all HTTP requests to HTTPS before the request reaches the real web server. This will solve the problem for the website users.
131 votes
This feature was released as part of version 9.2
It would be great if you could add "*.domain.com" in WAF,
so that you don't need to add every single FQDN for every site.
47 votes
Completed · Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded
Available in UTM 9 Webserver Protection.
Please implement the ability to restrict access to specific paths on a website to defined source IPs. Usually this has been done on the webserver, but NATing by the Webserver Protection breaks this feature on webservers (the webserver sees the internal IP of the UTM instead of the public source IP).
Website globally allowed
path /administrator only allowed to defined source IPs
Partner hosts a private company website - should only be accessible from company public IPs
path / only allowed to defined source IPs
16 votes
This functionality was implemented in UTM 9.x
Currently in the Web Application Firewall it is not possible to create a catch-all domain that will manage all unknown addresses.
Let's say you work as a web host and want your customer to access their web site under user.webhost.com ... It would be great to have a *.webhost.com that would catch all unspecified addresses and forward them to the web server.
6 votes
As Elmar mentions, this was completed in 8.103 and enhanced in 8.200 with SAN support. Ensure your URL hardening lists are set up correctly, as URL hardening needs the concrete domain in the URL listings.
We need an Outlook Anywhere connection over the Web Application Firewall to secure the Exchange 2010 Server. Currently it is not possible to forward the RPC requests through the WAF. A NAT rule is not secure enough.
483 votes
This feature has been released as part of UTM 9.1. The Web Server Protection (WAF) area has been upgraded with new features to allow the handling of the Outlook Anywhere Protocol. Enjoy!
Please add session stickiness to the reverse proxy load balancer.
13 votes
If trying to configure WAS for https when having SSL VPN enabled on port 443, this cannot be done. Restrict SSL VPN to one interface / address to avoid this issue.
3 votes
This is already possible, via the “settings” tab of SSL VPN. If you look into the Online help, you will find
“Interface Address: Default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen for SSL connections. This is necessary for the site-to-site/remote access SSL connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.”
Hope that helps!
I'd like to have a redirecting feature in the reverse proxy, where I:
a) can redirect a request to a specific path (as root path /) of a website to a specific startpath as https://owa.mydomain.tld ==> https://owa.mydomain.tld/exchange
b) can redirect disallowed entry point URLs (by URL hardening) or non-existing folders to a defined path (where I may store a custom error page or simply redirect such requests to a working entry point)
22 votes
Especially when using Microsoft Exchange with Outlook Anywhere and OWA, it is common to use a SAN certificate. At the moment the Reverse Proxy does not recognize the SubjectAlternativeName field of the used certificate when securing HTTPS traffic. Support for this type of certificate would be greatly appreciated.
4 votes
Banks in Australia want the ability for the WAF to refuse connections from known anonymous proxies.
While there would still be many ways to circumvent this and still connect anonymously, the Banks control the compliance landscape, so it would be good to be able to comply with their requirements.
2 votes
Add a reverse proxy to ASG, which is mainly requested for securing OWA, as customers do not want to put it directly onto the internet.
- some customers ask for authentication prior to allowing access
- other customers want SSL offloading
- a third group wants website security by preventing cross-site scripting and SQL injection
207 votes
This feature is included as part of ASG Version 8 which will be Generally Available at the end of June.
Watch http://up2date.astaro.com for the official announcement.