Set up load balancing with Sophos UTM

This topic describes how to set up Sophos UTM as a load balancer for a cluster of Sophos Mobile server nodes. For more information on configuring Sophos UTM, see the Sophos UTM documentation.

Requirements

  • To use Sophos UTM for clustering, you need a Sophos UTM license with a Sophos Webserver Protection subscription.
  • As described later in this section, you need to specify a certificate to protect the communication between the managed devices and the virtual web server that you set up in Sophos UTM.

    For simplicity, we recommend that you use the same certificate that you used for the Sophos Mobile server (see Request an SSL/TLS certificate). If you used a self-signed certificate, it is mandatory that you use that same certificate.

Set up load balancing with Sophos UTM

  1. Log into Sophos UTM WebAdmin.
  2. From the WebAdmin menu section Webserver Protection, go to the Web Application Firewall > Real Webservers tab.
  3. Click New Real Webserver to create an SMC node.
  4. In the Add Real Webserver dialog, enter the following settings:

    • Name: Enter a descriptive name for the web server (for example SMC node).
    • Host: Select or add a host. Select a host by clicking the folder symbol next to the Host field. Drag a host from the list of available hosts into the Host field.

      For additional information on how to add a definition, see “Network Definitions” in the UTM Administration Guide.

    • Type: Select Encrypted (HTTPS).

    Click Save to save the configuration.

    Repeat the previous step for each Sophos Mobile server node.

  5. From the WebAdmin menu section Webserver Protection, go to the Certificate Management > Certificates tab.

  6. Click New Certificate to upload an SSL/TLS web server certificate.
  7. In the Add Certificate dialog, enter the following settings:

    • Name: Enter a descriptive name for the certificate.
    • Method: Select Upload.
    • File type: Select PKCS#12(Cert+CA).
    • Password: Enter the password for your certificate file.
    • File: Click the folder icon next to the File box, select the certificate you want to upload and click Start Upload.

    Click Save to save the configuration. The certificate is added to the Certificates list.

  8. From the WebAdmin menu section Webserver Protection, go to the Web Application Firewall > Virtual Webservers tab.

  9. Click New Virtual Webserver to add a virtual web server for the cluster.
  10. In the Add Virtual Webserver dialog box, make the following settings:

    • Name: Enter a descriptive name for the virtual web server (for example SMC cluster).
    • In the Interface list, select the WAN interface over which the cluster should be accessible from outside.
    • Type: Select Encrypted (HTTPS) & redirect.
    • In the Certificate list, select the web server’s certificate you uploaded beforehand.
    • Domains (only with a wildcard certificate, that is, a public key certificate that can be used with multiple subdomains): Enter the domains the web server is responsible for, for example shop.example.com, or use the Action icon to import a list of domain names.

      Domains must be entered as fully qualified domain names (FQDN).

      You can use an asterisk (*) as a wildcard for the domain prefix, for example, *.mydomain.com. Domains with wildcards are considered as fallback settings: The virtual web server with the wildcard domain entry is only used when no other virtual web server with a more specific domain name is configured.

      Example

      A client request to a.b.c will match a.b.c before *.b.c before *.c.

    • Real Webservers: Select the SMC nodes you created beforehand.

    Note

    Do not select a firewall profile.

    Click Save to save the configuration. The server is added to the Virtual Webservers list.

  11. Enable the virtual web server.

    The new virtual web server is disabled by default. Click the toggle switch to enable the virtual web server. The toggle switch color should change from gray (disabled) to green (enabled).

  12. Go to the Site Path Routing tab.

  13. In the Virtual Webservers list, go to the virtual web server you added and click Edit.
  14. In the Edit Site Path Route dialog box, click Advanced and select Enable sticky session cookie. Click Save to save the configuration.
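
The domain precedence described in step 10 (exact name before wildcard, longer wildcard suffix before shorter) can be checked against a planned configuration before it is entered in WebAdmin. The following is an added example, not Sophos UTM code: the server names and domains are constructed, and it assumes, based on the a.b.c example, that a wildcard matches any number of leading labels but at least one.

```python
def match_rank(pattern, host):
    """Return a specificity rank if pattern covers host, else None.

    Exact entries outrank wildcards; among wildcards the longer suffix wins,
    which reproduces "a.b.c before *.b.c before *.c".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return (1, len(pattern.split("."))) if pattern == host else None
    suffix = pattern[2:]
    # Assumption: the asterisk must stand for at least one label.
    if host.endswith("." + suffix):
        return (0, len(suffix.split(".")))
    return None


def select_virtual_server(servers, host):
    """servers maps a virtual web server name to its Domains entries.

    Returns (server name, matching entry) for the most specific match, or None.
    """
    best = None
    for name, domains in servers.items():
        for pattern in domains:
            rank = match_rank(pattern, host)
            if rank is not None and (best is None or rank > best[0]):
                best = (rank, name, pattern)
    return (best[1], best[2]) if best else None


def wildcard_fallbacks(servers, hosts):
    """Hosts that are reachable only through a wildcard (fallback) entry."""
    hits = {h: select_virtual_server(servers, h) for h in hosts}
    return {h: hit for h, hit in hits.items() if hit and hit[1].startswith("*.")}


# Constructed sample configuration (hypothetical names and domains).
SERVERS = {
    "SMC cluster": ["smc.example.com"],
    "Shop": ["*.shop.example.com"],
    "Fallback": ["*.example.com"],
}

if __name__ == "__main__":
    for h in ["smc.example.com", "a.shop.example.com", "old.example.com", "example.org"]:
        print(h, "->", select_virtual_server(SERVERS, h))
```

Running wildcard_fallbacks over the host names you expect to publish shows which of them would be answered by a wildcard virtual web server rather than by an explicit entry.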