IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.
  • 1.  Azure Application Gateway and Webseal SSL Termination

    Posted Mon October 05, 2020 10:35 AM
    We are migrating our WebSEAL up to Azure behind an Application Gateway, and it seems Azure's Application Gateway does not support SSL passthrough (see the Stack Overflow question "Application Gateway Configuration - passthrough to server").


    Are you aware of any workarounds (rewriting headers etc) that would accommodate this design?



    ------------------------------
    Nick Moore
    ------------------------------


  • 2.  RE: Azure Application Gateway and Webseal SSL Termination

    Posted Mon October 05, 2020 10:49 AM
    Hi Nick,

    If the Azure application gateway doesn't support pass-through of TLS traffic then you won't be able to have end-to-end TLS going that route.

    If the reason that you need to support end-to-end TLS is that you're doing client certificate authentication, or that your security policy requires end-to-end encryption, then I'm not sure I can help other than to suggest that perhaps there are other ways to get traffic into Azure other than the application gateway.  Perhaps there's a way to have a layer 3 load-balancer instead?

    If you don't mind having the communication between the application gateway and WebSEAL be non-TLS, you can set up WebSEAL to enable HTTP and listen on port 80.  Then you need to set the following parameters to tell it that, although traffic is being received as non-secure on port 80, end user devices are actually connecting on a secure port ("SSL offload"):

    web-http-port = 443
    web-http-protocol = https
    web-https-port = 443
    web-https-protocol = https

    There are comments around these parameters in the configuration file which give more information.

    Hopefully this helps.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
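
    The four "SSL offload" parameters above are easy to set and easy to get half right. As an added example (my own, not IBM's code and not part of Jon's post), the Python script below parses a webseald.conf fragment and flags offload settings that are inconsistent with a plain-HTTP listener, then shows the URL WebSEAL would advertise in a redirect under each configuration. It assumes the listener and offload keys live in the [server] stanza, and the host name sso.example.com and both config fragments are constructed for the example.

```python
"""Lint the WebSEAL "SSL offload" settings in a webseald.conf fragment.

Constructed example; assumes the http/https listener keys and the
web-http-*/web-https-* keys all live in the [server] stanza.
"""
import configparser
from typing import List

# Constructed fragments. BROKEN_CONF listens on plain HTTP behind the
# gateway but still tells WebSEAL that clients arrive on http/80, so every
# redirect and absolute URL it builds points at http://host/..., which an
# HTTPS-only gateway listener never serves. OFFLOAD_CONF carries the
# settings from the post above.
BROKEN_CONF = """
[server]
https = no
http = yes
http-port = 80
web-http-port = 80
web-http-protocol = http
web-https-port = 443
web-https-protocol = https
"""

OFFLOAD_CONF = """
[server]
https = no
http = yes
http-port = 80
web-http-port = 443
web-http-protocol = https
web-https-port = 443
web-https-protocol = https
"""

EXTERNAL_HOST = "sso.example.com"  # constructed host name for the example


def parse_webseald(text: str) -> configparser.ConfigParser:
    """Parse a webseald.conf-style [stanza] / key = value fragment.

    The format is close enough to INI for configparser. WebSEAL keys are
    case-sensitive, so key case is preserved; strict=False tolerates a
    repeated key inside a stanza instead of raising.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_offload(text: str) -> List[str]:
    """Return findings for a plain-HTTP listener whose advertised
    scheme/port still describe the listener rather than the gateway.
    An empty list means the offload settings are consistent."""
    srv = parse_webseald(text)["server"]
    findings: List[str] = []
    plain_only = (srv.get("http", "no").lower() == "yes"
                  and srv.get("https", "yes").lower() != "yes")
    if plain_only:
        # Something in front of WebSEAL terminates TLS, so the advertised
        # values for requests arriving on the HTTP listener must be the
        # gateway's https/443, not the listener's own http/80.
        if srv.get("web-http-protocol", "http") != "https":
            findings.append("web-http-protocol should be https when TLS is offloaded")
        # Assumption: an unset web-http-port falls back to http-port.
        if srv.get("web-http-port", srv.get("http-port", "80")) != "443":
            findings.append("web-http-port should be 443 when TLS is offloaded")
    return findings


def advertised_url(text: str, path: str) -> str:
    """URL WebSEAL would build for a request that arrived on the plain
    HTTP listener, using the web-http-* keys (default port omitted)."""
    srv = parse_webseald(text)["server"]
    scheme = srv.get("web-http-protocol", "http")
    port = srv.get("web-http-port", srv.get("http-port", "80"))
    default = {"http": "80", "https": "443"}[scheme]
    netloc = EXTERNAL_HOST if port == default else f"{EXTERNAL_HOST}:{port}"
    return f"{scheme}://{netloc}{path}"


if __name__ == "__main__":
    for name, conf in (("BROKEN_CONF", BROKEN_CONF), ("OFFLOAD_CONF", OFFLOAD_CONF)):
        print(name, lint_offload(conf) or "ok",
              advertised_url(conf, "/pkmslogin.form"))
```

    Running it shows the failure mode directly: the broken fragment advertises http://sso.example.com/pkmslogin.form, which a browser that arrived over the gateway's HTTPS listener cannot follow, while the offload fragment advertises the https URL the gateway actually serves.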



  • 3.  RE: Azure Application Gateway and Webseal SSL Termination

    Posted Mon April 03, 2023 09:29 AM

    Answering the question for the purpose of providing the right answer for others who are trying to find a solution to a similar situation/problem.

    1) Azure App Gateway does support end-to-end TLS, which is SSL pass-through functionality with the difference being that incoming traffic is decrypted and re-encrypted to the backend VMs. This usually ticks all security and compliance check boxes and is an accepted standard in the cloud.

    2) HTTP header rewrite can be achieved using a rewrite action and rewrite condition at the App Gateway by setting up a rewrite configuration.

    3) An Azure Application Gateway is deployed strategically between external users or external sites and applications in Azure VMs. A forward listener in the Azure App Gateway is required to create a load balancer URL or application DNS name where SSL traffic can land and any rules can be applied. A backend listener is required where any backend HTTP rewrite rules can be applied.

    4) The IBM WebSEAL server should be placed between the backend listener and the backend application VMs. All incoming traffic to the Azure App Gateway is terminated and re-encrypted to the backend application VMs.

    5) The organization's public CA certificate is required to be installed in the App Gateway frontend listener. The backend app server's signed certificate is required to be installed in the backend listener.

    6) The App Gateway and IBM WebSEAL can be further protected by applying NSG rules, which re-encrypt the traffic.



    ------------------------------
    Sanjay Anand
    ------------------------------