Asked by CarlRowley-2397, answered by sikumars-msft

Azure Application Proxy - Legacy TLS detected

Hi,

We have an Azure Enterprise App using Azure App Proxy with the Azure App Proxy Connector (v1.5.1975) installed on an on-prem server.

Everything is working fine functionally with the app.

But I have noticed that TLSv1.0 and TLSv1.1 appear to be enabled when querying the app from the internet (i.e. via the Azure App Proxy service). I used the ssllabs online tool and openssl to test/confirm this.

My understanding is that legacy TLS versions are no longer supported/present in Azure and the Azure App Proxy Connector installed only supports TLS v1.2. I can't find any configuration options for TLS in Azure Enterprise App or Azure App Proxy settings.

I've confirmed that only TLSv1.2 is enabled on the Azure App Proxy Connector server (Server 2016).

The target on-prem app/web server does have legacy TLS versions (and SSLv3 ... I know!) enabled but I assume that the Azure App Proxy would only allow TLSv1.2 connections. Is this correct?

Can anyone please shed any light on this? My searching skills have failed me thus far.

Thanks,

CR.



azure-ad-application-proxy

1 Answer

sikumars-msft answered

Hello @CarlRowley-2397,

Thanks for reaching out.

Yes, the Azure Application Proxy agent (version 1.5.1526.0 and later) enforces TLS 1.2, but the cloud endpoint still supports legacy TLS versions. However, Microsoft Azure Active Directory (Azure AD) will soon stop supporting the following Transport Layer Security (TLS) protocols and ciphers:

  • TLS 1.1

  • TLS 1.0

  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

These protocols and ciphers are being deprecated for public instances starting January 31, 2022. (This date has been postponed from June 30th, 2021 to January 31st, 2022, to give administrators more time to remove the dependency on the legacy TLS protocols and ciphers: TLS 1.0, TLS 1.1 and 3DES.)

However, if you want to change the TLS settings of the public endpoint for your tenant, then I recommend opening a support request so that support can help you with the same.

For more information, refer.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
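A way to reproduce the observation in the question from a script rather than by hand, as an added example that is not part of the thread or of any Microsoft tooling: it pins a client handshake to one TLS version at a time against the App Proxy external hostname and reports which legacy versions the public endpoint still accepts. The hostname is a placeholder; the `attempt` parameter exists only so the reporting logic can be exercised without network access.

```python
"""Report which TLS versions a public HTTPS endpoint negotiates (added example,
not code from the thread; the default hostname is a placeholder)."""
import socket
import ssl
import sys

# Versions to attempt, oldest first. SSLv3 is not offered by current OpenSSL builds.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")

def try_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False       # only protocol support is under test,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate trust is not checked here
    try:
        # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; relax it
        # for the probe. LibreSSL does not know @SECLEVEL and raises instead.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def probe(host, port=443, attempt=try_version):
    """Try every version; `attempt` is injectable so the logic can run offline."""
    return {name: attempt(host, port, ver) for name, ver in VERSIONS.items()}

def legacy_versions(results):
    """Legacy versions the server accepted; a non-empty list is the finding."""
    return [name for name in LEGACY if results.get(name)]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "app.example.com"  # placeholder
    res = probe(target)
    for name, ok in res.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print("legacy TLS enabled:", ", ".join(legacy_versions(res)) or "none")
```

Run it against the App Proxy external URL and against the connector server's own listener to see the difference the answer describes: the connector side should reject TLSv1.0 and TLSv1.1 while the public endpoint may still accept them.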
