Sebastian757
Explorer

Let's Encrypt forward requests to the correct internal server (DNS-NAT)

Hello,

We have successfully been running Let's Encrypt certificate renewals.
There is a security rule for Let's Encrypt IPs on port 80 to our web server's external IP addresses and corresponding NAT rules for forwarding to the internal web servers. This works very well.

Now, however, several internal web servers are hiding behind one external IP, all of which want to renew a Let's Encrypt certificate with different domains.

How do I set up a Check Point Security Gateway so that the requested domain is read from Let's Encrypt accesses and then forwarded to the correct internal web server?
You can specify domains or FQDNs in the NAT rule, but then you also have to specify a domain name for the destination. However, the name is then resolved using either the external or internal IP address and therefore doesn't match the external or internal object entry.

So, how can I filter and forward requests based on the requested domain?

0 Kudos
5 Replies
PhoneBoy
Admin

NAT does nothing for the Layer 7 information inside of HTTP, only the IP headers.
In any case, this is more like Reverse Proxy functionality: https://support.checkpoint.com/results/sk/sk110348
Not sure it will work in this case, otherwise you're looking at an RFE.

0 Kudos
Pedro_Espindola
Advisor

Isn't the Mobile Access Reverse Proxy available only after logging in? That would prevent the inbound validation connection from Let's Encrypt.

0 Kudos
PhoneBoy
Admin

This is a feature of Mobile Access Blade but this is not the Mobile Access Portal.
It won't require logging in.

the_rock
Legend

Might be worth TAC case to verify.

0 Kudos
Pedro_Espindola
Advisor

The best approach is to use a single certificate, with alt names for all your web applications, centralize the renewal in one server that listens on port 80 with the validation path /.well-known/acme-challenge correctly configured, and use a renew hook script to copy the new cert to all your apps.

This approach would also let you use the certificate with inbound HTTPS Inspection, which you can automate using the Management API. To do that, create an inspection rule, get the rule UID, add the new certificate via API and replace the cert used in the rule. You cannot overwrite a certificate, just upload the new one and modify the rule.

0 Kudos
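The centralised-renewal approach from the reply above, as an added example (not code from the thread or from Check Point): a certbot deploy hook that refuses to push out a renewed certificate if any required SAN is missing, then copies it to each app server and reloads the web server. The domain list, host addresses, SSH user, remote path and reload command are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a certbot --deploy-hook for the
# centralised renewal host. certbot exports RENEWED_LINEAGE (the live/<name>
# directory holding fullchain.pem and privkey.pem) when it runs the hook.
# Assumptions: app hosts accept SSH as "deploy" and reload nginx via sudo;
# all host addresses and domains below are constructed placeholders.
set -eu

# Every name the single SAN certificate must carry, and the hosts serving them.
REQUIRED_DOMAINS="app1.example.com app2.example.com app3.example.com"
APP_HOSTS="10.0.0.11 10.0.0.12 10.0.0.13"
REMOTE_DIR="/etc/ssl/app"

# Print the DNS entries of a certificate's subjectAltName, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 only if the certificate covers every required domain. A cert that
# was renewed from a shortened -d list must not be pushed to the app servers.
covers_all_domains() {
  local cert="$1" names d missing=0
  names=$(san_names "$cert")
  for d in $REQUIRED_DOMAINS; do
    if ! printf '%s\n' "$names" | grep -qxF "$d"; then
      echo "certificate is missing SAN: $d" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Copy fullchain + key to each app host and reload its web server.
deploy_cert() {
  local lineage="$1" host
  for host in $APP_HOSTS; do
    scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" "deploy@$host:$REMOTE_DIR/"
    ssh "deploy@$host" sudo systemctl reload nginx
  done
}
main() {
  covers_all_domains "$1/fullchain.pem" || { echo "deploy aborted" >&2; exit 1; }
  deploy_cert "$1"
}

# Only act when certbot invoked us as a hook; sourcing the file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main "$RENEWED_LINEAGE"; fi
```

Register it with `certbot renew --deploy-hook /path/to/this/script.sh` on the renewal host; certbot runs it only after a successful renewal.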