Configure a URL Redirect with Sophos UTM's Web Application Firewall

Sophos UTM is a great Reverse Proxy solution. However, it currently lacks the capability to redirect a request.

There are several reasons you might want to redirect a site, but the most common scenario is to temporarily take a site offline and display a 'Site Under Maintenance' page instead. This is far better for a public site than to simply drop off the Internet or start showing an error if someone attempts to connect to the site during maintenance.

In this article, I'll take you through you how to setup a URL redirect using Microsoft IIS and Sophos UTM's Web Server Protection feature.

Configuring the IIS Server

The reason I specifically mention an existing IIS server is because your redirector will typically only be used periodically. Since it won’t really handle any load, as it only serves 302 redirects, it makes no sense to deploy a complete separate Windows Server (even if it is a virtual one).

Before we start make sure the HTTP Redirection feature is installed on your IIS server:

The following steps are all preformed from the IIS Management console:

1. Expand the server tree and select the Sites Node
2. Click Add Website from the Actions Pane
3. Complete the site configuration in a similar manager to the image below

1. Now that you have a new site, select the site on the left hand side
2. Double click the HTTP Redirect icon
3. Check the box for Redirect requests to this destination
4. Specify the URL to your maintenance page
5. Check the box for Redirect all requests to the exact destination
6. Click Apply in the Actions Pane

IIS Bindings allow you to have multiple sites on the same server, on the same IP, on the same port. This is the right way to host multiple sites. We have already specified 'redirector' as a hostname for our site, but you are most likely passing the host header for your public site in your publishing rule.

To accommodate for this we add a similar binding to our redirector:

• Select the Site on the server tree
• Click Bindings in the Actions Pane
• Click the Add button
• In the hostname field specify the public name of the site you are redirecting
• Click OK and then Close

Configuring Sophos UTM's Web Application Firewall

To actually enforce the URL redirect on the public internet site, we also need to configure Sophos UTM's Web Application Firewall. We have to add the redirector server as a real webserver for the UTM to use. To do this:

1. Open the Sophos UTM Management interface
2. Select Webserver Protection | Web Application Firewall | Real Web Servers tab | + New Real Webserver and give the web server the following details:
   • Name : Redirector
   • Host: Select or create and entry for the hostname or IP address of the Redirecting IIS server
   • Port: 80
   • Save

The following steps will actually cause the public site to redirect. So only do this when you are ready to redirect the site:

1. Select Webserver Protection | Web Application Firewall | Virtual Webservers
2. Click Edit on the Public Virtual Webserver
3. Uncheck the current real webserver
4. Check the redirector real Web server
5. Confirm Advanced | Pass host header is checked
6. Save
7. Repeat for the HTTPS virtual server if there is one

This should be all that is required to enable the URL redirect. Once the site maintenance is complete, simply reverse the steps in the last procedure to get the normal site back up and running.

Optional steps for configuring many site hostnames

If you have a public site for a brand that has numerous sub-brands, domains or old sites aliased to the main public site, you need to accommodate for those names too. A couple of entries are easy enough to add manually. But if you have more than a couple, you can export and import to configure them faster.

1. Go to Virtual Webserver properties and select the Menu Icon on the Domain box.
2. Select Export | New Line Delimiter
3. Select and copy all of the hostnames and paste them into a notepad textfile and save

For the import, we are going to use a very simple PowerShell script. Since you are likely to only do this very infrequently let’s do it from the ISE.

1. On the Redirector IIS Server, open the PowerShell ISE as an Administrator
2. Click View | Show Script Pane
3. Paste the following into the script pane
4. Change the fields in red to match your configuration
5. Click the Play Icon to execute

foreach ($bindname in get-content C:\install\binding.txt)

{

New-WebBinding -Name "redirector" -IPAddress "*" -Port 80 -HostHeader $bindname

}

Check the IIS site's bindings to confirm that all of the hostnames are imported. This means all of the public names will be correctly redirected.

Conclusion

By implementing this work-around, you can extend the functionality of Sophos UTM's Web Application Firewall to redirect 'under maintenance' web sites. For former Forefront TMG administrators who used redirects frequently, this is hopefully a good substitute!