UTM (Formerly ASG) Feature Requests
Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!
-
Reverse Proxy: Captive Portal for Authentication
Will there be a feature like Authentication / captive portal (e.g. the proxy setting "transparent with authentication") for enabling a reverse proxy?
This would be so useful for small installations with no frontend exchange / DMZ.
(Juniper calls this "webauth")
198 votes -
Web Server Protection: Add Mod_Rewrite support (URL Rewriting)
Astaro 8 now supports an HTTP reverse proxy, but it is not as feature rich as it does not allow for custom configurations. 10.0.0.1:5449/ ProxyPassReverse /director2/ http://10.0.0.1:5449/
Since the Apache reverse proxy service is already configured for mod_rewrite, among other things, simply having a way to include these settings in an advanced section or via the command-line is all that may be necessary.
70 votes -
Web Server Security: Support for Wildcard Domain Routing
It would be great if you could add " *.domain.com " in WAF.
So that you don't need to add every single FQDN for every site.
62 votes -
Web Server Protection: Transparent reverse proxy
Please provide the option to use the reverse proxy in transparent mode as well. This would allow the real remote host IP to be traced in the web server log files instead of the IP of the firewall. Now, without transparent mode, every web analyzer software is not able to give real traffic reports...
46 votes -
Web Application Security: White / Blacklist Support for Visitor IP's
I would like to see an option to deny or allow certain IP addresses that can access the webservers. Not only based on country but on the IP address itself.
34 votes -
WebServer Protection: GZIP encoding of proxied HTTP traffic
The WAF strips the Accept-Encoding header from client requests, which is fine, as compression is not generally useful between the origin server and the proxy. However, it doesn't use the header itself, either. It doesn't compress proxied traffic before returning it to the client. Interestingly, pages generated by the WAF itself (such as error documents) are compressed. Only the proxied content remains uncompressed, and this can have a substantial impact on page speed.
31 votes -
HTTPS Reverse Proxy
When using ASG to terminate SSL sessions (SSL Offloading), it’s sometimes needed to get the client certificate (mutual authentication) and pass some SSL info such as SSL Session IDs and Client-SSL Certificate information (e.g. certificate fingerprint and serial number) inside HTTP header to be used and processed by the protected web applications.
An example of this use: let’s assume that I have a plain-text web application with certificate-based user authentication, so it’s necessary to have such features in my WAF appliance.
17 votes -
Email and SNMP Notification for Web Application Firewall
Add Email and SNMP Notification for Web Application Firewall (HTTP/S Reverse Proxy) when the ASG finds a virus in Web Application Firewall traffic.
This is very useful for the Network Administrator to find any security holes.
13 votes -
Include the X-Forwarded-Proto header when acting as an HTTPS proxy
There are many situations where a Web application needs to know whether the original connection was made over HTTPS or HTTP. Typically, SSL proxies communicate this by inserting the X-Forwarded-Proto header into the request. Currently, the ASG only adds the following headers:
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Server
13 votes -
Extend Security for Microsoft Exchange OWA 2010 Publishing
The strong security features like URL-hardening, cookie-signing and form-hardening are still not available with OWA newer than 2003. The knowledge base just told me to deactivate those features. But they are important for a higher security level.
9 votes -
Form based authentication for Web Application
It would be nice to have Form based authentication as Microsoft ISA or FTMG has. Means an authentication on the Astaro against the AD (SSO) and then store the Information so that Users do not have to authenticate twice if they hit different Web Servers from outside.
Squid has that functionality, I am surprised that Sophos has not implemented it.
8 votes -
Web Application Security: User-created/Custom Rules
For those savvy enough to create their own rules, it should be possible to craft and deploy custom ones.
7 votes -
Source IP restriction for website / paths
Please implement the ability to restrict access to specific paths on a website to defined source IP's. Usually this has been done on the webserver, but NAT'ting of the Webserver Protection breaks this feature on webservers (sees the internal IP of UTM instead of public source IP).
Usage Examples:
a)
Website globally allowed
path /administrator only allowed to defined source IPs
b)
Partner hosts a private company Website - should only be accessible from Company public IPs
path / only allowed to defined source IPs
6 votes -
Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong cat
Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong category.
6 votes -
Adding Time Events to WAS
Please add Time Events to WAS so it's possible to only allow access within timeframes as is possible in Packet Filter rules.
6 votes -
Web Server Protection: Allow Uplink Interfaces and Interface Groups in Virtual Web Server configuration
The title says it all. In WAF, allow the Primary Uplink Addresses object to be used as an interface options for those with multiple WAN links and Uplink Balancing/Standby Interfaces for failover.
6 votes -
Web Server Protection: Regular Expressions (REGEX) Filtering
I'd like to have the ability to add regular expressions in WAF Profiles just like in the normal WebSecurity.
For example allow String "user=BGates" but not "user=BClinton"
6 votes -
Allow modification of "ModSecurity: Request body (Content-Length) limit"
For web sites with larger uploads (e.g. ownCloud) there is currently a 128MB (134217728 byte) limit in Web Server protection, the so called request body limit in ModSecurity.
Please add the possibility to configure this parameter (it's "SecRequestBodyLimit" in the Apache config) to allow larger uploads to sites protected by WAF.
5 votes -
Ability to renew certificates in Web Application Security
Now it's quite a hassle to renew existing certificates in the web application security section. Have the option during upload of the new certificate to replace the existing certificate with the same common name.
4 votes -
Improve web load balancing healthchecks
Can we please get Layer 7 http health-checks when using the WAF? We'd like to look at http response code on a configured object and/or match some text received in a response.
4 votes