Hi All,
First time poster. This is a quick write-up on how to host your Plex server behind a Sophos UTM 9 Web Application Firewall (WAF).
A few things that you will need:
- An SSL certificate from a public CA. (GoDaddy has $6.00 SSL certificates)
- A public domain. (GoDaddy can do $1.99 domains)
- A Sophos UTM 9 firewall (preconfigured and working)
- A decent understanding of IIS, networking, DNS and SSL.
- A Windows Plex server connected to the internet on port 32400.
Let’s Start!
- The first thing you need to think about is which domain name you want to host. For example: bobsmith.com
From that you will then need to create a subdomain called plex. For example, if I was using bobsmith.com the subdomain would be plex.bobsmith.com. Below is a good tutorial on how to create a subdomain in GoDaddy.
https://au.godaddy.com/help/how-do-i-create-a-subdomain-in-simple-control-panel-2290
(If you have a static IP address from your ISP)
- Create an A record for the subdomain and point it at your public IP address.
(If you have a dynamic IP address from your ISP)
- Create a No-IP account (or similar) and register a free DNS name. This DNS name can be anything, but for naming purposes keep it similar to your existing domain name.
- Download the Dynamic DNS client software, or alternatively configure Dynamic DNS on your Sophos UTM. Here is a link: http://www.fastvue.co/sophos/blog/how-to-configure-dynamic-dns-on-sophos-utm/
- On the domain you have just purchased (GoDaddy), add a CNAME record for the plex subdomain and point it at your No-IP (or similar) hostname.
Test and verify that it is working by resolving the name (for example: nslookup plex.bobsmith.com) and checking that it returns your public IP address.
Once DNS is set up, you will need an SSL certificate.
- Go ahead and purchase a Standard SSL certificate (single domain).
- Generate a CSR and create the certificate. Make sure the SAN (Subject Alternative Name) is your domain name, e.g. plex.bobsmith.com; browsers match the name against the SAN, not just the Common Name. (https://au.godaddy.com/help/iis-8windows-server-2012-generate-csrs-certificate-signing-requests-4950)
- Once the certificate is created and installed in IIS, export it (with the private key) to a PFX file protected by a password. Note that Plex stores this password in clear text in its settings file (Preferences.xml), so make it a strong password that you use nowhere else, and restrict who can read that file.
- Download OpenSSL. (http://gnuwin32.sourceforge.net/packages/openssl.htm)
- Fire up Command Prompt or PowerShell (it doesn't matter which).
- Using openssl we are going to make a copy of the certificate in PEM format (for the UTM):
openssl.exe pkcs12 -in "pfx file" -out "pem file"
Enter Import Password: (the PFX export password from the previous step)
Enter PEM pass phrase: (a new passphrase protecting the private key in the PEM; you will need it when uploading to the UTM)
- Completed.
Let's add the SSL certificate to your Plex server.
- Copy the PFX certificate file to your Plex server. Make sure that the account Plex Media Server runs as can read the file.
- Log in to your Plex server.
- Click Settings\Server\Network\Show Advanced
- Under "Custom certificate location" enter the path of the PFX file.
- Under "Custom certificate encryption key" enter the password you set when exporting the PFX from IIS (see the SSL certificate section above).
- Under "Custom certificate domain" enter your domain name with the port number. For example: plex.bobsmith.com:32400
- Under "Custom server access URLs" enter your domain name. For example: https://plex.bobsmith.com
- Plex is now configured for action! To test, browse to https://plex.bobsmith.com:32400/web/index.html (substituting your own domain). There should be no certificate errors.
Let's configure the Web Application Firewall
- Log in to your Sophos UTM
- Go to the Webserver Protection menu in the GUI and select Certificate Management
- Click "New Certificate" and select "Upload" in the "Method:" dropdown box.
- Fill in a name, the required password (the passphrase you set on the PEM with openssl) and a comment (if needed).
- Click the folder next to the upload field to select the PEM to import and click "Save" when done.
- Go to Webserver Protection\Web Application Firewall\Firewall Profiles
- "New Firewall Profile"
Name: Plex Profile
Mode: Reject
Hardening & Signing: (Optional) Form Hardening cannot be used with Plex.
Filtering:
Antivirus: (Single - Uploads). Think about this one, since scanning affects performance.
Block Clients with Bad Reputation
Common Threats Filter (All) - Save
- Click on Real WebServers
- “New Real WebServer”
Name: Plex Server Name
Host: Your Plex Server
Port: 32400 - Save and Enable the WebServer
- Click on Exceptions
- New Exception List (Here we want to skip scanning for traffic from plex.tv and from your own LAN, and scan only other external sources)
Name: Plex Exceptions
Skip these checks: All
Skip these categories: All
Virtual Web Servers: (Your Plex Server)
For All Requests (Coming from these source networks):
Plex Global Domain (All devices coming from plex.tv)
Plex Global IP #1: 58.87.2.254
Plex Global IP #2: 108.171.134.164
Your Local Subnet: (For example: 192.168.1.0/24) - Save and Enable.
Note that the plex.tv addresses may change over time; check them before relying on them, and keep this list as narrow as you can, since anything on it bypasses every WAF check.
- Click Virtual Webservers
- New Virtual Webserver
Name: Plex External Facing
Interface: WAN Interface
Type: HTTPS & Redirect
Port: 32400
Certificate: (Select your certificate here) (plex.bobsmith.com)
Domain: Tick your domain. (For example: plex.bobsmith.com)
Real WebServers: Tick your Plex server
Firewall Profile: Plex Profile. Under Advanced, enable Pass Host Header so the hostname the client requested is forwarded to Plex rather than the real webserver's address.
- Click Save and Enable
- Test by browsing to plex.tv, logging in and verifying that Remote Access shows as working.
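The certificate handling above (export from IIS, conversion to PEM for the UTM, and the "no certificate errors" test) can be checked with openssl before anything is uploaded. The script below is an added example and not part of the original post: it does the PFX-to-PEM conversion without the interactive prompts, confirms the SAN carries the domain the WAF will serve, confirms the private key in the PEM matches the certificate, and can fetch the certificate the virtual webserver presents on port 32400 once it is enabled. File names, the passwords and the domain plex.bobsmith.com are assumptions; the offline demo stands in for the IIS export with a constructed self-signed certificate.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): certificate conversion and checks
# with openssl.  File names, passwords and the domain plex.bobsmith.com are
# assumptions taken from the guide's running example.
set -e

# 1. Convert the PFX exported from IIS into a PEM (certificate + encrypted key)
#    for the UTM upload.  $1 pfx in, $2 pem out, $3 PFX export password,
#    $4 new passphrase for the key in the PEM.  -passin/-passout replace the two
#    interactive prompts ("Import Password", "PEM pass phrase") shown in the guide.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -out "$2" -passin "pass:$3" -passout "pass:$4"
  chmod 600 "$2"   # the PEM holds the private key: owner-readable only
}

# 2. Extract just the server certificate (no key) from the PFX for inspection.
#    $1 pfx in, $2 cert pem out, $3 PFX export password.
pfx_cert_only() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" -out "$2"
}

# 3. Does the certificate's Subject Alternative Name list the DNS name the WAF
#    will serve?  $1 cert pem, $2 expected name.  Returns 0 if present.
san_has_name() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:$2(,|\$)"
}

# 4. Does the private key in the PEM belong to the certificate?  Compares the
#    SubjectPublicKeyInfo derived from each.  $1 cert pem, $2 pem holding the
#    encrypted key, $3 key passphrase.  Returns 0 on match.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 5. Live check (needs network, so the offline demo does not call it): fetch the
#    certificate the virtual webserver presents on port 32400 and confirm its
#    SAN matches the name you browsed to.  $1 hostname, e.g. plex.bobsmith.com
check_live() {
  live=$(mktemp)
  if openssl s_client -connect "$1:32400" -servername "$1" </dev/null 2>/dev/null \
       | openssl x509 -out "$live" 2>/dev/null && san_has_name "$live" "$1"; then
    rm -f "$live"; return 0
  fi
  rm -f "$live"; return 1
}

# Offline demo: a constructed self-signed certificate with the same SAN stands
# in for the CA-issued one, and a PFX built from it stands in for the IIS
# export.  $1 working directory.  Exits non-zero if any step or check fails.
run_demo() {
  d="$1"; name="plex.bobsmith.com"
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/key.pem" -out "$d/cert.pem" \
    -subj "/CN=$name" -addext "subjectAltName=DNS:$name" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
    -out "$d/plex.pfx" -passout "pass:ExportPw1"      # the "export with private key" step
  pfx_to_pem    "$d/plex.pfx" "$d/utm.pem"  "ExportPw1" "PemPw2"
  pfx_cert_only "$d/plex.pfx" "$d/leaf.pem" "ExportPw1"
  san_has_name     "$d/leaf.pem" "$name"
  key_matches_cert "$d/leaf.pem" "$d/utm.pem" "PemPw2"
  echo "OK: $d/utm.pem is ready to upload; SAN and key check out"
}

# Usage: sh plexcert.sh --demo [dir]   (or source the file and call check_live <host>)
if [ "${1:-}" = "--demo" ]; then run_demo "${2:-$(mktemp -d)}"; fi
```

Run `check_live plex.bobsmith.com` from outside your network once the virtual webserver is enabled; a failing SAN check there usually means the wrong certificate was selected on the UTM, while a failing key check on the PEM means the upload will be accepted but TLS will not come up.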
Let's optimise performance! (Optional)
If you have multiple subnets (and/or VLANs) internally on your home network, you will need to configure DNS so the name points directly at your Plex server rather than going out through the WAF. To do this:
- (On your DNS server) create a zone for your external domain. (For example: bobsmith.com)
- Create an A record called plex and point it directly at your Plex server's internal IP.
- Change the DNS settings on your devices to point to your DNS server.
If you are using the Sophos UTM as your DNS server:
- Network Services
- DNS
- Static Entries
- Click “Static Entries Button”
- “New Network Definition”
- Name:
Type: Host
IPv4: IP of Plex Server
DNS Settings:
Hostname:
Enable: Reverse DNS
Advanced:
Interface: (Internal Interface) - Save
- To test, on a device perform an nslookup on your domain; it should return the internal address of your Plex server. If not, make sure DNS is correctly set up and that you have flushed the DNS cache.
- Completed!