Letsencrypt Sophos Xg

Posted by admin

Let’s Encrypt is a free SSL/TLS certificate provider, with automated certificate issuance and renewal tools for Linux and Windows. You can use it to automatically issue and renew SSL certificates on your web servers. This guide shows you how to correctly set up Let’s Encrypt for Microsoft Windows Remote Desktop Services and IIS using freely available tools.

Let’s Encrypt is a great option for SSL/TLS Certificates, as the certificates can be renewed automatically (and it’s totally free!). I worked out this installation method after seeing the price of our upcoming Wildcard SSL Certificate renewal – I quickly realised the increased setup time would be quickly offset by the reduced certificate price.



What you need

  • Microsoft Remote Desktop Services Server
  • Public-facing access to IIS Server Port 80 (including public DNS records)
  • My free PowerShell script to install the certificates in RDS

I’ve tested this process on Windows Server 2012 R2, with all RDS Role Services housed on the one server. You will need to modify these instructions and the script if you have split your role services amongst multiple servers.

Setup Instructions

  1. Download Let’s Encrypt Windows Simple and extract the files to C:\Program Files\Lets Encrypt
  2. Download my PowerShell script and save it as C:\Program Files\Lets Encrypt\RDS_INSTALL_CERT.ps1
  3. Run LetsEncrypt.exe
    1. Enter your email address
    2. Accept the terms and conditions
    3. Enter “N” to create a new certificate
    4. Select Option 1 for “Single binding of an IIS site”
    5. Select your IIS site from the list
    6. Select the “HTTP-01” option: “Create temporary application in IIS”
    7. After the certificate has been created, don’t let it create the auto-renewal scheduled task (we’ll do this later)

If all goes well, you should now have a new SSL Certificate installed in your IIS site. You can confirm this by opening your RDP site in a browser and checking that the SSL Certificate has been issued by Let’s Encrypt.

There should also be a series of certificate files saved in C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

However, if you open Server Manager and navigate to Remote Desktop Services > Deployment Properties, you’ll see the four role services don’t have this new certificate.

Our job now is to install the certificates into RDS. You could do so using the “Select Existing Certificate” button, but you’ll need to do this manually every 60 days as the certificate comes up for renewal.

Instead, we’re going to use PowerShell.

If you run the PowerShell script, you’ll need to provide just two parameters:

  1. -CertificateImport – The path to the PFX file generated by Let’s Encrypt (found in C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org)
  2. -RDCB – The FQDN of your server (the internal DNS name used by Active Directory, not any external alias you may have)

Running this script within 10 minutes of generating the original certificates should allow it to install successfully.
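The author’s RDS_INSTALL_CERT.ps1 is not reproduced on this page. As an added example (not the author’s script), the following does the same job with the RemoteDesktop module’s Set-RDCertificate cmdlet: it checks the PFX before touching anything, pushes it into the four role services, and then verifies that every configured role presents the thumbprint that was just imported. The -CertificateImport and -RDCB parameters mirror the ones described above; -PfxPassword is an assumption (the PFX is assumed to have no password unless you pass one).

```powershell
# Added example, not the author's RDS_INSTALL_CERT.ps1.
# Usage: .\RDS_INSTALL_CERT.ps1 -CertificateImport 'C:\ProgramData\...\host.pfx' -RDCB rds01.corp.example
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
    [string]$CertificateImport,

    [Parameter(Mandatory = $true)]
    [string]$RDCB,

    # Assumption: empty password unless supplied (use Read-Host -AsSecureString to pass one)
    [securestring]$PfxPassword = (New-Object System.Security.SecureString)
)

Import-Module RemoteDesktop -ErrorAction Stop

# Sanity-check the PFX before deploying it: it must carry a private key and must not be expired.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificateImport, $PfxPassword
if (-not $pfx.HasPrivateKey) { throw "$CertificateImport contains no private key" }
if ($pfx.NotAfter -lt (Get-Date)) { throw "certificate already expired on $($pfx.NotAfter)" }
Write-Host "Installing $($pfx.Subject) (expires $($pfx.NotAfter), thumbprint $($pfx.Thumbprint))"

# The four RDS role services shown under Deployment Properties in Server Manager.
$roles = 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing'
foreach ($role in $roles) {
    try {
        Set-RDCertificate -Role $role -ImportPath $CertificateImport -Password $PfxPassword `
            -ConnectionBroker $RDCB -Force -ErrorAction Stop
        Write-Host "  ${role}: done"
    } catch {
        # A role that is not deployed on this server (for example no RD Gateway) is reported, not fatal.
        Write-Warning "  ${role}: $($_.Exception.Message)"
    }
}

# Verify: every configured role must now present the thumbprint we imported.
# Roles with no certificate at all (not deployed) are skipped.
$mismatch = Get-RDCertificate -ConnectionBroker $RDCB |
    Where-Object { $_.Thumbprint -and $_.Thumbprint -ne $pfx.Thumbprint }
if ($mismatch) {
    $mismatch | Format-Table Role, Level, ExpiresOn, Thumbprint -AutoSize
    throw 'one or more RDS roles still present a different certificate'
}
Write-Host 'All configured RDS roles present the new certificate.'
```

Because the script throws on any mismatch, a wrapper (such as a renewal task) can detect a failed install from the non-zero exit rather than by reading the Deployment Properties window by hand.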

You can check this from that same Deployment Properties window in Server Manager. You can also try to access a Remote Resource and see which certificate it presents.


Automating the Renewal of Remote Desktop Certificates

All we need to do now is set up automatic renewal. Thankfully, this can be done with a simple batch script:

Edit this script to contain the full path to your PFX file, and then schedule it to run in Task Scheduler once per day. The renewal will only take place close to the 60-day expiry window, and when that happens the PowerShell script will update the RDS certificates.
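The author’s batch file is not reproduced on this page. As an added example (not the author’s script), here is a PowerShell equivalent of that daily job: it runs the client’s renewal, hashes the PFX before and after to detect whether a new certificate was actually written, and only then calls the RDS install script. It assumes that letsencrypt.exe accepts a --renew switch (the Let’s Encrypt Windows Simple client’s renewal mode; verify against your client version), the default install paths from the steps above, and an RDS_INSTALL_CERT.ps1 taking -CertificateImport and -RDCB. Running it once with -RegisterTask creates the Task Scheduler job that the page says to create by hand.

```powershell
# Added example, not the author's batch file. Run once with -RegisterTask to create
# the daily task; the task then runs this same file every day without -RegisterTask.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$PfxPath,                                   # full path to the PFX the client writes
    [string]$ClientExe     = 'C:\Program Files\Lets Encrypt\letsencrypt.exe',
    [string]$InstallScript = 'C:\Program Files\Lets Encrypt\RDS_INSTALL_CERT.ps1',
    # Internal FQDN of this server (the RD Connection Broker), as the post requires for -RDCB
    [string]$RDCB          = [System.Net.Dns]::GetHostEntry([string]::Empty).HostName,
    [switch]$RegisterTask
)

$logFile = Join-Path $env:ProgramData 'letsencrypt-win-simple\rds-renewal.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -LiteralPath $logFile
}

if ($RegisterTask) {
    # Daily task running as SYSTEM; the PFX path and broker name are baked into its arguments.
    $taskArgs  = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -PfxPath `"$PfxPath`" -RDCB `"$RDCB`""
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $taskArgs
    $trigger   = New-ScheduledTaskTrigger -Daily -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'LetsEncrypt RDS renewal' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Host "Registered daily task; activity is logged to $logFile"
    return
}

function Get-PfxHash {
    # SHA-256 of the PFX on disk, or $null if the file does not exist yet.
    if (Test-Path -LiteralPath $PfxPath -PathType Leaf) {
        (Get-FileHash -LiteralPath $PfxPath -Algorithm SHA256).Hash
    }
}

$before = Get-PfxHash
# Assumption: --renew asks the client to renew only certificates close to expiry.
$proc = Start-Process -FilePath $ClientExe -ArgumentList '--renew' -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    Write-Log "renewal client failed with exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}

$after = Get-PfxHash
if (-not $after) { Write-Log "no PFX found at $PfxPath after renewal run"; exit 2 }
if ($after -eq $before) { Write-Log 'certificate unchanged, nothing to install'; exit 0 }

Write-Log "new PFX written (sha256 $after); installing into RDS"
try {
    & $InstallScript -CertificateImport $PfxPath -RDCB $RDCB -ErrorAction Stop
    Write-Log 'RDS install finished'
} catch {
    Write-Log "RDS install failed: $($_.Exception.Message)"
    exit 3
}
```

Comparing file hashes rather than timestamps means the install step only runs on the day a renewal really happened, and the log file gives you a per-day record to check when a renewal is expected.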

Monitoring the Certificate Renewal


No one likes lapsed certificates or certificate warnings. Prevent this by subscribing to a free SSL Expiry Checker, such as CertificateMonitor.org (or the host-it-yourself version).
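For the host-it-yourself route, here is an added example (not from the post) of a minimal expiry checker. It connects to each listed endpoint over TLS, reads the leaf certificate the server actually serves (which is what matters for RD Web and RD Gateway users), and reports how many days remain; it also scans the local machine store so the check still runs on the RDS server itself without network access. The host names are constructed for illustration.

```powershell
# Added example, not from the post: a self-hosted certificate expiry check.
param(
    [string[]]$Hosts = @('rds.example.invalid', 'gateway.example.invalid'),   # constructed sample list
    [int]$Port = 443,
    [int]$WarnDays = 14
)

function Get-ServedCertificate {
    # Open a TLS connection and return the leaf certificate presented for $HostName (SNI is sent).
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here on purpose: a monitor must still be able to read an
        # expired or mis-issued certificate in order to report it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-ExpiryStatus {
    param([datetime]$NotAfter, [datetime]$Now, [int]$WarnDays)
    if ($NotAfter -lt $Now) { return 'EXPIRED' }
    if (($NotAfter - $Now).TotalDays -lt $WarnDays) { return 'WARN' }
    return 'OK'
}

$now = Get-Date

# 1. What each public endpoint really serves.
$remote = foreach ($h in $Hosts) {
    try {
        $cert = Get-ServedCertificate -HostName $h -Port $Port
        [pscustomobject]@{
            Target   = "$h`:$Port"
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DaysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            Status   = Get-ExpiryStatus -NotAfter $cert.NotAfter -Now $now -WarnDays $WarnDays
        }
    } catch {
        [pscustomobject]@{ Target = "$h`:$Port"; Issuer = $null; NotAfter = $null; DaysLeft = $null
                           Status = "ERROR: $($_.Exception.Message)" }
    }
}

# 2. Certificates with private keys in the local machine store (runs offline on the RDS host).
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    [pscustomobject]@{
        Target   = "LocalMachine\My $($_.Thumbprint)"
        Issuer   = $_.Issuer
        NotAfter = $_.NotAfter
        DaysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        Status   = Get-ExpiryStatus -NotAfter $_.NotAfter -Now $now -WarnDays $WarnDays
    }
}

$report = @($remote) + @($local)
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring agent can alert on anything not OK.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Scheduling this daily alongside the renewal job gives you an independent signal: the renewal log says a certificate was installed, and this check confirms that clients are actually being served a certificate with time left on it.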



That’s it! Hopefully these instructions have allowed you to install a Let’s Encrypt Free SSL Certificate in Microsoft’s Remote Desktop Server. If you have any tips, please post them in the comments below!