Updating SSL profile by adding few more ciphers in application gateway.

Nagrath, Richa 21

We want to choose customV2 however, we are getting below alert and post making the changes it does not give results.

What is the correct process of updating SSL profiles pertaining to few listeners in an application gateway.

Choosing a new predefined or customV2 policy improves the SSL security and performance for the entire gateway. The selected policy will thus automatically get applied to both SSL Policy and SSL Profile. You can choose to customize it later within the new policies

Praveen Bandaru 250 Reputation points Microsoft Vendor

2025-01-23T04:53:01.1466667+00:00

Hello Nagrath, Richa
Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand you are working with an Azure Application Gateway and need to configure SSL profiles and policies for specific listeners. When selecting a new predefined or customV2 SSL policy, please ensure you follow the necessary steps to apply it correctly, especially if issues arise where no results are displayed after changes.

Follow the steps outlined below to update the SSL profiles for your listeners:

1.Choose the SSL Policy (CustomV2 or Predefined):

Access the Application Gateway in the Azure portal.

Under "Settings", select SSL policies.

Choose from predefined policies (e.g., TLS 1.2, TLS 1.3) or create a customV2 policy.

If using CustomV2, ensure the SSL settings meet your security requirements.

2.Apply SSL Policy to the Application Gateway:

After selecting the SSL policy, it will be applied to both the SSL Policy and SSL Profile for the gateway.

The SSL profile for the Application Gateway’s listeners will be updated to use this policy.

Note: A warning about automatic updates may appear, indicating changes to the policy will propagate across listeners.

3.Check SSL Profile Settings:

To modify specific SSL settings for individual listeners, select SSL Profiles under the Application Gateway settings.

Ensure each listener points to the correct SSL profile associated with the updated SSL policy.

You can later customize the SSL profile by specifying cipher suites, protocols, or security settings.

4.Apply to Listeners:

Ensure the updated SSL Profile is selected for each listener you want to update.

This might be where issues arise, if the listener isn't using the correct SSL profile or policy, changes won't reflect as expected.

5.Save and Deploy Changes:

After configuring and applying the SSL policy to the appropriate listeners, save your changes.

Deploy the changes and ensure there are no conflicting policies between listeners.

6.Troubleshooting steps: If changes don't show results, try these steps:

Check Listener Configuration: Ensure each listener is correctly configured with the right SSL profile.

Verify SSL Handshake: Use tools like OpenSSL or browser Developer Tools to check if the new SSL policy is being used (look at the certificate and handshake).

Review Application Gateway Logs: Check diagnostic logs for any SSL configuration errors.

Kindly check the below reference documents for more understanding:

Application Gateway TLS policy overview: TLS policy overview for Azure Application Gateway | Microsoft Learn
Configure listener-specific SSL policies on Application Gateway through portal: Configure listener-specific SSL policies on Azure Application Gateway through portal | Microsoft Learn

Note: If you want to deploy using with the PowerShell please follow the below document:
Configure TLS policy using PowerShell - Azure Application Gateway | Microsoft Learn

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Nagrath, Richa 21 Reputation points

2025-01-23T05:37:01.2866667+00:00

Hello Praveen,

We were not looking for steps, however, the query most on the basis of upgrading while you have other policy and listeners are there.
Praveen Bandaru 250 Reputation points Microsoft Vendor

2025-01-24T09:53:45.1233333+00:00

Hello Nagrath, Richa

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards,

Praveen

1 answer

Praveen Bandaru 250 Reputation points Microsoft Vendor

2025-01-23T07:56:52.06+00:00
Hello Nagrath, Richa
Greetings!

Thank you for your response!

If you have an existing listener in your application gateway with a configured SSL policy, you can upgrade the same SSL policies in the associated listener.

There are two methods to update:
Step 1: Change the SSL policy from the listener.

Under the SSL Policy, you can select the change option to modify the SSL policy. You can choose the required cipher ID and save the changes.

Step 2: Change the SSL policies from the SSL settings.

Additionally, ensure that the supported cipher versions are checked, as there are some limitations in the application gateway.

Reference doc: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-listener-specific-ssl-policy#associate-the-ssl-profile-with-a-listener
Reference doc: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview?source=recommendations%22https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fapplication-gateway%2Fapplication-gateway-ssl-policy-overview%3Fsource%3Drecommendations%22#limitations

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Regards,
Praveen
Please sign in to rate this answer.
Praveen Bandaru 250 Reputation points Microsoft Vendor

2025-01-27T19:00:11.2833333+00:00

Hello Nagrath, Richa

Greetings!

If above is unclear and/or you are unsure about something add a comment below.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Regards,

Praveen
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Updating SSL profile by adding few more ciphers in application gateway.

1 answer

Your answer