Real Webservers

On the Web Application Firewall > Real Webservers tab, you can add the webservers that should be protected by the WAF.

To add a webserver, do the following:

  1. Click the New Real Webserver button.

    The Add Real Webserver dialog box opens.

  2. Specify the following settings:

    Name: Enter a descriptive name for the webserver.

    Host: Add or select a host, which can be of the type Host or DNS Host. We highly recommend using the DNS hostname here; otherwise the host header contains the IP address of the host, which may lead to problems with some browsers. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

    To transmit the host header of the original HTTP request, enable Pass Host Header in the corresponding virtual webserver definition.

    Type: Determine whether you want the communication between Sophos UTM and the webserver to be Encrypted (HTTPS) or Plaintext (HTTP).

    Port: Enter a port number for the communication between Sophos UTM and the webserver. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted (HTTPS).

    Comment (optional): Add a description or other information.

  3. Optionally, configure the following advanced settings:

    Enable HTTP keepalive: By default, the WAF uses HTTP keepalive, i.e., HTTP persistent connections, which helps to reduce CPU and memory usage. In rare cases where the real webserver does not support HTTP keepalive properly, this feature can provoke reading errors or timeouts and should then be disabled for the affected webserver. When a virtual webserver is assigned at least one real webserver with HTTP keepalive disabled, the feature will automatically be disabled for all real webservers assigned to this virtual webserver.

    Timeout: Define a connection timeout value, that is, the number of seconds the WAF waits for data sent by or sent to the real webserver. Values between 1 and 65535 seconds are allowed. Data can be received as long as the webserver sends data before the timeout expires. After the timeout expires, the WAF sends an HTTP 502 message to clients. The default timeout is 300 seconds.

    Disable backend connection pooling: If enabled, the WAF creates a new connection to the backend server every time it is used, instead of reusing an old connection from the connection pool. This option is disabled by default. Use it only if you face connection problems, because it may decrease system performance.

  4. Click Save.

    The server is added to the Real Webservers list.

The webservers in the list can now be assigned firewall profiles on the Virtual Webservers tab.
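The settings above can be reviewed offline before they are entered in WebAdmin. The following is an added example, not Sophos code and not a Sophos UTM API: the RealWebserver record, its field names and the sample inventory are hypothetical, and flagging a Plaintext (HTTP) backend as a finding is this example's own review policy. It applies the port defaults, the timeout range and the keepalive rule stated on this page.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_PORT = {"HTTP": 80, "HTTPS": 443}  # defaults stated on this page

@dataclass
class RealWebserver:           # hypothetical record, not a Sophos UTM object
    name: str
    host: str                  # DNS hostname or IP address
    type: str = "HTTPS"        # "HTTPS" = Encrypted, "HTTP" = Plaintext
    port: int = 0              # 0 = use the default port for the type
    keepalive: bool = True     # Enable HTTP keepalive (default on)
    timeout: int = 300         # seconds (default 300)
    no_pooling: bool = False   # Disable backend connection pooling

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(server):
    """Return review findings for one real webserver definition."""
    if server.type not in DEFAULT_PORT:
        return [f"{server.name}: unknown type {server.type!r}"]
    port = server.port or DEFAULT_PORT[server.type]
    findings = []
    if is_ip(server.host):
        findings.append("host is an IP address; host header will carry the IP")
    if server.type == "HTTP":
        findings.append("WAF-to-backend traffic is Plaintext (HTTP)")
    if port != DEFAULT_PORT[server.type]:
        findings.append(f"non-default port {port} for {server.type}")
    if not 1 <= server.timeout <= 65535:
        findings.append(f"timeout {server.timeout} outside 1-65535 seconds")
    if server.no_pooling:
        findings.append("connection pooling disabled; may decrease performance")
    return [f"{server.name}: {f}" for f in findings]

def effective_keepalive(assigned):
    """One real webserver with keepalive off disables it for all assigned ones."""
    return all(s.keepalive for s in assigned)

# Constructed sample inventory for one virtual webserver
SERVERS = [
    RealWebserver("shop-backend", "shop.internal.example"),
    RealWebserver("legacy-app", "192.0.2.10", type="HTTP", port=8080, keepalive=False, timeout=0),
]
```

Calling audit() on each entry and effective_keepalive(SERVERS) shows that assigning legacy-app to the same virtual webserver also turns keepalive off for shop-backend.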