Certificates, Load Balancers and the SPX Portal

How to use encryption certificates and load balancers with the SPX Secure Email Portal.

Using Certificates With Internet-facing SPX Portal Deployments

Sophos strongly recommends certificates that use the Email Appliance's external hostname, especially if the appliance is accessible through the internet. This ensures that recipients who connect to your SPX portal will be able verify the authenticity of your site's identity. There are several possible scenarios, depending on how many appliances you use, and how they are configured:

  • Single appliance, facing the internet: You can choose to expose only one appliance's SPX portal to the internet, even if you use multiple appliances in a clustered scenario. This is the simplest choice, and the easiest to manage, but it lacks redundancy. In this case, you need only a single external hostname and a matching certificate.
  • Multiple appliances with no load balancer: If you use multiple appliances with no load balancer, they must be carefully configured to act as a single SPX portal. If they do not appear as the same host, PDF reply links may not direct recipients to the correct host. Each appliance must be configured to use the same external hostname, and must use the same certificate. You will need multiple A records configured in your DNS server.
  • Multiple appliances using a load balancer: When an external load balancer is used, configuration is simpler. While all the appliances must still use the same certificate, the load balancer will manage any requests, and the SPX portal hostname should be associated with it instead. Note that the hostname on the certificate should match the hostname associated with the load balancer.