It isn’t widely known that Sophos UTM (formally known as Astaro ASG) is also able to provide load balancing. It can be used to load balance a lot of services, or can act as a simple HA option for a service. In this item I will explain how to use it to publish and load balance a website using Sophos UTM 9.

Outmslb01n the webadmin page, go to network protection → Server Load Balancing. Click on New Load balancing rule. Add the service HTTP, and drag the external WAN address object to Virtual server. In real servers just add the web servers hosting the website. If you want to balance the load between both servers, the websites need to be identical on both of them. If you just want a HA option this isn’t necessary. You could even use the second web server as a sorry temporarily unavailable site which will appear as soon as the main web server goes offline.

There are several ways for the UTM to monitor if the load balanced service is still available on a server. The most simple one is a TCP or UDP port check. This is done though a connection establishment check on the specified TCP or UDP port.

Ping the host to check availability and for web services It’s possible to check with a HTTP of HTTPS request, this can be either with or without the hostname. (e.g. index.html or

The other settings are pretty straightforward, Interval is the interval between checks in seconds and timeout is the time span in which the servers need to respond before they are considered offline.

Next setting is a check box for automatic firewall rules, checking this creates the packet filter rules to allow any host to communicate to the service. Remember that if you check this, packets won’t show up in the logging files. Rule logging can be quite useful for trouble shooting purposes. If you don’t want the service to be publicly available or want to be able to enable logging, you’ll have to manually create the packet filter rule. Checking Shutdown Virtual Server Address will shutdown the additional address interface if the last server becomes unavailable. This won’t work if the service is on not on an additional address interface like in this example.

Next are the weight distribution settings, these are accessible in the real servers box by clicking on the wrench (hover text Edit scheduler.)

The load (weight) is distributed through a round robin algorithm, which can be adjusted using a weight number. The weight can be set from 0 to 100, and the values are relative to the other servers. If one server has a weight of 100 and the other 50. The first one with the 100 weight is going to get 2/3 of the traffic and the other with the 50 weight 1/3. There is no specific high availability option in these settings. But with 2 web servers, one with a weight of 100 and another with a weight of 0, effectively gives you a HA solution with an active/passive configuration. The weight of 0 means that this server will get no traffic unless it’s the only server left online. You could also have 3 web servers, 2 with a weight of 100 sharing the load of requests. And third server to host a temporarily unavailable page and configured with a weight of 0. You’ll have a HA load balanced site with a maintenance page.

The other setting is the persistence, this could be important if there are authenticated sessions. At this time only a time based persistence is possible using this kind of server load balancing. Persistence based on cookies can be done using the web application firewall, but that will be another blog. The persistence can be configured from 1 minute to 5days. The best setting depends on the service you’re load balancing. For a simple website with authenticated sessions I would choose a setting just above the session time-out of the web server itself. e.g. if the sessions on the site time out after 20 minutes, I would choose a persistence of 1 hour in UTM.

Save and enable the rule.

That’s it, now you have a load balanced website.

Stay tuned, there will be more posts on load balancing.


  1. Nguyen Hong Hai

    Can you show me Transaction Rate (TPS) of each model of Appliances?

  2. Sophos UTM 9 is really useful in load balancing.Nice post!I found an useful and to the point help on ” how to use it to publish and load balance a website”.

  3. Chile

    Will this load balance two mail server?

    1. Eric Verdurmen

      That’s a really complicated question, it all depends on what kind of mail-server and what kind of connections you want to load balance.

  4. Mohamed Bilal

    Will this load balance 2 CAS Server (Exchange 2013).

    1. Eric Verdurmen

      Technically, it should work. CAS servers don’t need Layer 7 load balancers, it only requires layer 4 (which is what Sophos UTM does), so it should work.

  5. Justin Robbins

    Is it possible to load balance two internal servers, and use a VIP on the internal interface? For example: I want to load balance inbound connections on the External Interface for ports 25, 587 to -> Exchange2016 Server1, Exchange2016 Server2. I want to load Balance External Interface ports 443 to -> Web Application Proxy Server. I’d like to also Load Balance port 443 on the Internal Interface for port 443 for the Exchange Servers, and point the web application proxy server to the VIP so that inbound traffic that goes to the Web Application Proxy is load balanced across multiple Exchange Servers. Is this type of config possible? When I try creating a load balancer on the internal interface, it doesn’t pass traffic and I don’t see anything in the firewall log.

    1. Eric Verdurmen

      short answer, No, this cannot be done in this manner using Sophos UTM. You can accomplish this using Kemp loadmasters.
      The Sophos UTM uses transparent load balancing, when the CAS server gets a connection request, it sees a IP address from the client, which it can connect to, without going though the UTM. The client will drop the packet, because it tries to communicate with the VIP of the UTM, not the IP of the CAS server.

  6. Dion

    Great article. With MS removing RR DNS, I’m trying to find a solution for a RR RDS GW in Server 2012. Do you think it’s possible to set this up accessible via internal and external sources?

    1. Eric Verdurmen

      Yes, this could be done using this option.

  7. John

    We using Webapplication firewall for connecting from outside to or network. I followed this how to and is working for me. But with 2 remote desktop gateway’s the firewall it’s not ‘load balancing’.

    Can I setup the load balancing option for incoming connections to or gateway servers?

    1. Eric Verdurmen

      Load balancing is based on source IP address, if the UTM sees only 1 IP addres of the webapplication firewall, it won’t load balance the incoming connections. As is sees only 1 IP address.

  8. Robert Biehl

    We are trying to bring HA to 2 CAS servers in a DAG. Can we set up load balancing so that users on the same network will access one CAS until it goes offline and then the other? I know we can point the authentication to a specific IP address, but will it time out through the process of going to the UTM and then to the CAS?

    1. Eric Verdurmen

      This is tricky, since UTM always uses NAT to load balance. This means that the virtual IP that the clients use to connect to the CAS. Needs to be in a different range than the CAS servers. If you can use a VIP in a different range, it should be possible to do HA this way.

Leave a Reply

Your email address will not be published. Required fields are marked *