If I've got it right, mTLS is only supported for the communication from an external TLS client to the TLS-terminating Application Gateway, but not for the communication from that Application Gateway to the actual server.
In my opinion, that could be a security issue, since the server then cannot verify the identity of the "legalized man-in-the-middle" (i.e. the Application Gateway); thus, mutual TLS is also required on the second communication link. Without proper identification of a caller that claims to be a "legalized man-in-the-middle", the (actual) server should refrain from accepting a forwarded client certificate (and treating it identically to a client certificate that it has validated itself during a proper TLS handshake).
Or do you have this already on your roadmap?
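The backend-side check the post argues for, written out as an added example (not code from the original post, from the Application Gateway product, or from any Azure documentation): the backend listener requires a client certificate from its TLS peer, and the forwarded end-user certificate is only parsed once the peer has proved it is the gateway. The header name `X-ARR-ClientCert`, the base64-DER encoding in that header, and the gateway subject `appgw.example.internal` are assumptions made for this example; the certificates are throwaway self-signed ones generated in-process so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumptions for this example: the header the gateway writes the end-user certificate
// into, and the subject CN the backend expects the gateway to authenticate with.
const (
	forwardedCertHeader = "X-ARR-ClientCert"
	expectedGatewayCN   = "appgw.example.internal"
)

// backendTLSConfig is the backend listener configuration: the peer (the gateway) must
// present a certificate chaining to gatewayCAs, i.e. the second hop is mutual TLS too.
func backendTLSConfig(serverCert tls.Certificate, gatewayCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    gatewayCAs,
		MinVersion:   tls.VersionTLS12,
	}
}

// gatewayAuthenticated reports whether the TLS peer proved, via a verified client
// certificate, that it is the gateway. A plain (server-only) TLS connection fails here.
func gatewayAuthenticated(state *tls.ConnectionState) bool {
	if state == nil || len(state.VerifiedChains) == 0 || len(state.VerifiedChains[0]) == 0 {
		return false
	}
	return state.VerifiedChains[0][0].Subject.CommonName == expectedGatewayCN
}

// forwardedClientCert returns the end-user certificate the gateway forwarded in a header,
// but only after the gateway itself is authenticated; otherwise the header is just
// attacker-controlled bytes and is ignored.
func forwardedClientCert(r *http.Request) (*x509.Certificate, error) {
	if !gatewayAuthenticated(r.TLS) {
		return nil, errors.New("peer is not the authenticated gateway; forwarded certificate ignored")
	}
	raw := r.Header.Get(forwardedCertHeader)
	if raw == "" {
		return nil, errors.New("no forwarded client certificate")
	}
	der, err := base64.StdEncoding.DecodeString(raw) // assumed encoding: base64 of DER
	if err != nil {
		return nil, fmt.Errorf("forwarded certificate is not base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// selfSignedCert builds a throwaway certificate (constructed test data) so the example runs offline.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	gw, _ := selfSignedCert(expectedGatewayCN)
	user, _ := selfSignedCert("alice")
	r := httptest.NewRequest("GET", "/", nil)
	r.Header.Set(forwardedCertHeader, base64.StdEncoding.EncodeToString(user.Raw))

	// No client-authenticated peer: the forwarded certificate is rejected.
	_, err := forwardedClientCert(r)
	fmt.Println("without gateway mTLS:", err)

	// Peer authenticated as the gateway: the forwarded certificate is accepted.
	r.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{gw}}}
	c, err := forwardedClientCert(r)
	fmt.Println("with gateway mTLS:", c.Subject.CommonName, err)
}
```

The point of the split between `gatewayAuthenticated` and `forwardedClientCert` is that trust in the header is derived entirely from the verified chain of the second-hop TLS connection, which is exactly what a server-only TLS link between gateway and backend cannot provide.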