Change SSL policy on a production server


Hi,

 

I'm using the Application Gateway (WAF V2) on a service in production.

It has TLS1.0 and TLS1.1 that I want to disable and just keep TLS1.2.

By doing the changes, will it stop the network access to my servers?

If so, how long does the change take?

 

Regards,

Ken

 

 

 


@OgawaKen 

 

Hi 

You need to update the TLS version used for your application first.

If you create a TLS policy excluding older versions while your application has not been updated to use the latest one, you will have connection errors for sure.

There is an article below to track the use of TLS versions, to be sure older ones are not used:

https://cloudadministrator.net/2017/11/14/find-if-you-are-using-only-tls-1-2-protocol-with-log-analytics/

 

@ibrahimambodji 

Thank you for your reply. I think I should have explained my message better.

 

So it's basically User -> (Internet) -> AGW -> Servers.

Now between "User -> (Internet) -> AGW" it uses TLS1.0, 1.1 and 1.2.

In the near future I want to change it to just TLS 1.2 (TLS 1.3 also, if available).

 

I think modifying this wouldn't affect the "AGW -> Servers" TLS connection, right?

 

Regards

@OgawaKen 

 

Yes, there is no impact, since TLS encryption for communication between the client and the application gateway is different from TLS encryption for communication between the application gateway and the back-end servers.

 

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powers...

@ibrahimambodji So I wonder whether, when I press Save on "Change SSL policy" (as in the image attached to this message), the AGW will stop for some seconds or the service will continue without stopping.

Regards

@OgawaKen 

 

Hi, normally downtime is not expected, but the changes should take a few minutes to be applied.

I would suggest using a Preprod or Dev environment to test changes before production.
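The same change made with the Az PowerShell module instead of the portal, as an added example that is not from this thread or from Microsoft's documentation (the resource group and gateway names are placeholders): it reads the policy currently in effect, applies the predefined policy whose minimum protocol is TLS 1.2, and reads the policy back. It only touches the client-facing SSL policy; the AGW -> Servers side is configured separately in the backend HTTP settings.

```powershell
# Added example: move an Application Gateway's client-facing SSL policy to
# TLS 1.2 minimum. The two names below are placeholders, not real resources.
$rg     = "my-resource-group"   # placeholder
$gwName = "my-app-gateway"      # placeholder

# Load the gateway and show the SSL policy in effect before the change
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
Write-Host "SSL policy before the change:"
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw |
    Format-List PolicyType, PolicyName, MinProtocolVersion, DisabledSslProtocols

# Inspect what the predefined policy allows (min protocol and cipher suites)
# before committing to it
Get-AzApplicationGatewaySslPredefinedPolicy -Name AppGwSslPolicy20170401S |
    Format-List Name, MinProtocolVersion, CipherSuites

# Apply the predefined policy: TLS 1.0 and 1.1 are no longer offered to
# clients, while the gateway -> backend TLS settings are left untouched
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
        -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

# Alternative if a specific cipher list is required (custom policy):
# $gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
#         -PolicyType Custom -MinProtocolVersion TLSv1_2 `
#         -CipherSuite "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
#                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Push the updated configuration to the running gateway. As the thread
# notes, this takes a few minutes and normally causes no downtime.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Read the policy back to confirm the new minimum protocol is in effect
Write-Host "SSL policy after the change:"
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw |
    Format-List PolicyType, PolicyName, MinProtocolVersion
```

Run it against the Preprod or Dev gateway first, as suggested above, and only after the Log Analytics check shows no remaining TLS 1.0/1.1 clients.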