Virtual Webservers

On the Web Application Firewall > Virtual Webservers tab you can create virtual webservers. Those webservers, as part of Sophos UTM, build the firewall between the Internet and your webservers. That is why this kind of intervention is also known as reverse proxy. Sophos UTM picks up the requests for the webservers and protects the real webservers from various attacks. Each virtual webserver maps to a real webserver and determines what level of protection is applied. You can also use more than one real webserver in one virtual webserver definition. That way you get load balancing for your real webservers.

To add a virtual webserver, do the following:

Click the New Virtual Webserver button.

The Add Virtual Webserver dialog box opens.
Make the following settings:

Name: Enter a descriptive name for the virtual webserver.

Interface: Select an interface from the drop-down list over which the webserver can be reached.

Note – If there is an interface with an IPv4 address and an IPv6 link local address defined as frontend interface, the virtual webserver is only reachable at the IPv4 address. Interfaces for which only an IPv6 link local address is defined cannot be selected as frontend interface for a virtual webserver.

Type: Determine whether you want the communication between the client and the virtual webserver to be Plaintext (HTTP), Encrypted (HTTPS) or Encrypted (HTTPS) & Redirect. When you want to use reverse authentication, we highly recommend to select Encrypted (HTTPS) for security reasons. If enabled Encrypted (HTTPS) & Redirect, users entering the URL without https:// will be redirected automatically to the virtual webserver.

Note – A HTTP request requires a host header if Encrypted (HTTPS) & Redirect is enabled.

Port: Enter a port number on which the virtual webserver can be reached from external. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted (HTTPS).

Certificate (not with Plaintext (HTTP)): Select the webserver's certificate from the drop-down list. The certificate needs to be created beforehand on the webserver, and be uploaded on the Certificate Management > Certificates tab. Alternatively, you can create a certificate through Let’s Encrypt on that tab which will then be instantly available here.

Domain: This field displays the hostname for which the certificate had been created.

Domains (only with SAN certificates): The WAF supports Subject Alternative Name (SAN) certificates. All hostnames covered by a certificate will be listed in this box. You can then select one or more hostnames by selecting the checkbox in front of a hostname.

Domains (only with Plaintext (HTTP) or Encrypted (HTTPS) with wildcard certificate): Enter the domains the webserver is responsible for as FQDN, e.g. shop.example.com, or use the Action icon to import a list of domain names. You can use an asterisk (*) as a wildcard for the prefix of the domain, e.g.,*.mydomain.com. Domains with wildcards are considered as fallback settings: The virtual webserver with the wildcard domain entry is only used when no other virtual webserver with a more specific domain name is configured. Example: A client request to a.b.c will match a.b.c before *.b.c before *.c.

Real Webservers: Create a new real webserver or select the checkbox in front of the webserver you want to apply the firewall profile to. If you have mirroring webservers you can also select more than one webserver. By default, traffic will be load-balanced between the selected webservers. The implemented request counting algorithm automatically assigns each new request to the webserver with the lowest number of active requests at present. On the Site Path Routing tab you can specify detailed balancing rules.

Firewall profile: Select a firewall profile from the drop-down list. This profile is applied to protect the selected webservers. You can also select No Profile to not use any firewall profile.

Theme: Select a theme form the drop-down list. This theme is applied to error responses, which means the configured templates will get rendered and delivered in response to a blocked request. You can also select No Customization to not use any theme. The WAF will then present the system default pages.

Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:

Disable compression support (optional): By default, this checkbox is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, in case of websites being displayed incorrectly or when users experience content-encoding errors accessing your webservers, it can be necessary to disable compression support. When the checkbox is enabled, the WAF will request uncompressed data from the real webservers of this virtual webserver and will send it on uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML (optional): Select this option to have Sophos UTM rewrite links of the returned webpages in order for the links to stay valid. Example: One of your real webserver instances has the hostname yourcompany.local but the virtual webserver's hostname on Sophos UTM is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your webserver or if internal links on your webpages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or Sharepoint Portal Server.

Note – It is likely that some links cannot be rewritten correctly and are therefore rendered invalid. Ask your website author(s) to format links consistently.

Apart from URL rewriting, the HTML rewriting feature also fixes malformed HTML, for example:
- <title> tags are moved in DOM tree from node html > title to correct html > head > title
- Quotes around HTML attribute values are fixed (e.g., name="value becomes name="value")
Note – HTML rewriting affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting feature.

Cross Reference – Please see the libxml documentation for further information (http://xmlsoft.org/html/libxml-HTMLparser.html).

Rewrite cookie (optional, only visible if Rewrite HTML is enabled): Select this option to have Sophos UTM rewrite cookies of the returned webpages.

Note – If Rewrite HTML is disabled the Rewrite cookie option will be also disabled.

Pass host header (optional): When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the webserver. Whether passing the host header is necessary in your environment however depends on the configuration of your webserver.
Click Save.

The server is added to the Virtual Webservers list.
Enable the virtual webserver.

The new virtual webserver is disabled by default (toggle switch is gray). Click the toggle switch to enable the virtual webserver.

The virtual webserver is now enabled (toggle switch is green).

Note – The virtual webserver cannot be enabled if the corresponding interface is disabled. The interface can be enabled on Interfaces & Routing > Interfaces > Interfaces.

The Virtual Webservers list displays a status icon for each real webserver assigned to a virtual webserver. The status icon of a real webserver is red when the real webserver has not been enabled. It is amber when the real webserver is down or unavailable and green if everything is working.