Configure listener-specific SSL policies on Azure Application Gateway through portal (2024)


This article describes how to use the Azure portal to configure listener-specific SSL policies on your Application Gateway. Listener-specific SSL policies let you configure individual listeners to use different SSL policies from each other. You can still set a default SSL policy that all listeners use unless it is overridden by a listener-specific SSL policy.

Note

Only the Standard_v2 and WAF_v2 SKUs support listener-specific policies, because listener-specific policies are part of SSL profiles and SSL profiles are only supported on v2 gateways.

If you don't have an Azure subscription, create a free account before you begin.

Create a new Application Gateway

First create a new Application Gateway as you would usually through the portal - there are no additional steps needed in the creation to configure listener-specific SSL policies. For more information on how to create an Application Gateway in portal, check out our portal quickstart tutorial.

Set up a listener-specific SSL policy

Before you proceed, here are some important points related to listener-specific SSL policy.

  • We recommend using TLS 1.2 as this version will be mandated in the future.

  • You don't have to configure client authentication on an SSL profile to associate it to a listener. You can have only client authentication or listener-specific SSL policy configured, or both configured in your SSL profile.

  • Using a 2022 Predefined or Customv2 policy enhances SSL security and performance for the entire gateway (SSL Policy and SSL Profile). Therefore, you cannot have some listeners on old SSL policies and others on new ones (predefined or custom).

    Consider this example: you're currently using an SSL Policy and an SSL Profile with "older" policies/ciphers. Using a "new" Predefined or Customv2 policy for either one also requires you to upgrade the other configuration. You may use the new predefined policies, the Customv2 policy, or a combination of these across the gateway.

To set up a listener-specific SSL policy, first go to the SSL settings tab in the portal and create a new SSL profile. When you create an SSL profile, you'll see two tabs: Client Authentication and SSL Policy. The SSL Policy tab is where you configure a listener-specific SSL policy. The Client Authentication tab is where you upload one or more client certificates for mutual authentication. For more information, check out Configuring a mutual authentication.

  1. Search for Application Gateway in portal, select Application gateways, and click on your existing Application Gateway.

  2. Select SSL settings from the left-side menu.

  3. Click on the plus sign next to SSL Profiles at the top to create a new SSL profile.

  4. Enter a name under SSL Profile Name. In this example, we call our SSL profile applicationGatewaySSLProfile.

  5. Go to the SSL Policy tab and check the Enable listener-specific SSL Policy box.

  6. Set up your listener-specific SSL policy given your requirements. You can choose between predefined SSL policies and customizing your own SSL policy. For more information on SSL policies, visit SSL policy overview. We recommend using TLS 1.2.

  7. Select Add to save.


Associate the SSL profile with a listener

Now that we've created an SSL profile with a listener-specific SSL policy, we need to associate the SSL profile to the listener to put the listener-specific policy in action.

  1. Navigate to your existing Application Gateway. If you just completed the steps above, you don't need to do anything here.

  2. Select Listeners from the left-side menu.

  3. Click on Add listener if you don't already have an HTTPS listener set up. If you already have an HTTPS listener, click on it from the list.

  4. Fill out the Listener name, Frontend IP, Port, Protocol, and other HTTPS Settings to fit your requirements.

  5. Check the Enable SSL Profile checkbox so that you can select which SSL Profile to associate with the listener.

  6. Select the SSL profile you created from the dropdown list. In this example, we choose the SSL profile we created from the earlier steps: applicationGatewaySSLProfile.

  7. Continue configuring the remainder of the listener to fit your requirements.

  8. Click Add to save your new listener with the SSL profile associated to it.


Limitations

Application Gateway currently has a limitation: different listeners using the same port cannot have SSL policies (predefined or custom) with different TLS protocol versions. Choosing the same TLS version for different listeners still lets you configure cipher suite preference for each listener. However, to use different TLS protocol versions for separate listeners, you need to use a distinct port for each.
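A pre-deployment check for this limitation and for the old/new policy rule described earlier, written as an added example (not Microsoft's code). It assumes the gateway configuration has the flattened JSON shape printed by `az network application-gateway show`; the sample gateway and its resource IDs are constructed placeholders.

```python
from collections import defaultdict

# Minimum TLS version of each predefined policy (from Azure's SSL policy overview).
PREDEFINED_MIN = {
    "AppGwSslPolicy20150501": "TLSv1_0", "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2", "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}
# Constructed sample gateway; the JSON shape is an assumption, IDs are placeholders.
SAMPLE = {
    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"},
    "frontendPorts": [{"id": "/fp/443", "port": 443}, {"id": "/fp/8443", "port": 8443}],
    "sslProfiles": [{"id": "/prof/applicationGatewaySSLProfile",
                     "sslPolicy": {"policyType": "CustomV2", "minProtocolVersion": "TLSv1_3"}}],
    "httpListeners": [
        {"name": "web", "protocol": "Https", "frontendPort": {"id": "/fp/443"}},
        {"name": "api", "protocol": "Https", "frontendPort": {"id": "/fp/443"},
         "sslProfile": {"id": "/prof/applicationGatewaySSLProfile"}},
        {"name": "admin", "protocol": "Https", "frontendPort": {"id": "/fp/8443"},
         "sslProfile": {"id": "/prof/applicationGatewaySSLProfile"}},
    ],
}

def min_tls(policy):
    """Minimum protocol version a policy object enforces, or None if unknown."""
    if policy.get("policyType") == "Predefined":
        return PREDEFINED_MIN.get(policy.get("policyName"))
    return policy.get("minProtocolVersion")

def is_new_generation(policy):
    """True for 2022 predefined and CustomV2 policies, which cannot mix with older ones."""
    return (policy.get("policyType") == "CustomV2"
            or (policy.get("policyName") or "").startswith("AppGwSslPolicy2022"))

def audit(gw):
    """Return (ports whose listeners disagree on minimum TLS, old/new policies mixed?)."""
    ports = {p["id"]: p["port"] for p in gw.get("frontendPorts", [])}
    profiles = {p["id"]: p.get("sslPolicy") for p in gw.get("sslProfiles", [])}
    default = gw.get("sslPolicy") or {}
    by_port = defaultdict(dict)
    for lst in gw.get("httpListeners", []):
        if (lst.get("protocol") or "").lower() != "https":
            continue
        prof_id = (lst.get("sslProfile") or {}).get("id")
        policy = profiles.get(prof_id) or default  # profile policy overrides the default
        by_port[ports[lst["frontendPort"]["id"]]][lst["name"]] = min_tls(policy)
    conflicts = {port: m for port, m in by_port.items() if len(set(m.values())) > 1}
    mixed = len({is_new_generation(p) for p in [default, *profiles.values()] if p}) > 1
    return conflicts, mixed
```

For the sample, `audit(SAMPLE)` reports port 443, where `web` inherits the gateway default (TLS 1.2 minimum) while `api` uses a profile requiring TLS 1.3; moving `api` to port 8443 clears the conflict.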


FAQs

Configure listener-specific SSL policies on Azure Application Gateway through portal?

Search for Application Gateway in portal, select Application gateways, and click on your existing Application Gateway. Select SSL settings from the left-side menu.

How to enable SSL on Azure Application Gateway?

Search for Application Gateway in portal, select Application gateways, and click on your existing Application Gateway. Select SSL settings from the left-side menu.

What is the listener limit for Azure Application Gateway?

Limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active. If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener.

What version of TLS is Azure gateway?

The minimum version of TLS that Application Gateways accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS. Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.

How do I update the certificate in Azure Application Gateway?

Azure portal

To renew a listener certificate from the portal, navigate to your application gateway listeners. Select the listener that has a certificate that needs to be renewed, and then select Renew or edit selected certificate. Upload your new PFX certificate, give it a name, type the password, and then select Save.

What is an Azure listener?

A listener is a logical entity that checks for incoming connection requests by using the port, protocol, host, and IP address. When you configure the listener, you must enter values for these that match the corresponding values in the incoming request on the gateway.

Does Azure application gateway support rate limiting?

Unfortunately, Application Gateway WAF does not have a way to rate limit incoming connections. Rate-limiting, geo-filtering, and Azure managed Default Rule Set rules are supported only with WAF on Azure Front Door. If you wish you may upvote the feedback in the below forum requesting this feature.

What is the maximum request size in Azure application gateway?

The default value for request body size is 128 KB. But for CRS 3.2 (on the WAF_v2 SKU) and newer, you can set a 2 MB request body size limit. And if the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set.

How do I enable SSL 3.0 TLS 1.0 TLS 1.1 and TLS 1.2 in advanced settings?

Open the Tools menu (click on the tools icon or type Alt - x) and select Internet options. Select the Advanced tab. Scroll down to the bottom of the Settings section. If TLS is not enabled, select the checkboxes next to Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2.

How do I check my TLS version in Azure App Service?

On the "TLS/SSL settings" page select the Bindings tab, scroll down and under the "Protocol Settings" check the "Minimum TLS Version".

Where can I see if TLS 1.2 is enabled?

In the Windows menu search box, type Internet options. Under Best match, click Internet Options. In the Internet Properties window, on the Advanced tab, scroll down to the Security section. Check the Use TLS 1.2 checkbox.

What is the default TLS in Azure?

By default, the minimum TLS version for incoming requests to your web app and to SCM would be set to 1.2 on both portal and API.

Are SSL and TLS the same?

SSL is technology your applications or browsers may have used to create a secure, encrypted communication channel over any network. However, SSL is an older technology that contains some security flaws. Transport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities.

Is TLS 1.3 supported in Azure?

Azure API Management V1 and V2 tiers will support TLS 1.3 by default for inbound traffic (incoming requests from API clients).

How do I enable SSL in Azure web App?

In the Azure portal, from the left menu, select App Services > <app-name>. On your app's navigation menu, select Certificates. In the Managed certificates pane, select Add certificate. Select the custom domain for the free certificate, and then select Validate.

How do I enable HTTPS in Azure function app?

Open the Azure Portal and go to Function App. Choose the Function App you wish to edit. Under Settings, select Configuration, then the General Settings tab. Set HTTPS Only to on.

How do I enable SSL for the connection in Azure AD Connect?

Under Synchronisation Service Manager > Connectors select your domain connector > Properties. Under "Connect to Active Directory Forest" you have an options button, untick "Sign & Encrypt LDAP traffic" and select "Enable SSL for the Connection".

Article information

Author: Maia Crooks Jr
