End to End to Secure connection in Application Gateway's Backend Fortigate Firewall VM.

Nitin Parmar-Tss consultancy 71 Reputation points
2023-05-22T05:24:06.7766667+00:00

Hi Team,

Following AGW, we intend to set up a FortiGate firewall virtual machine as a backend pool. We have configured 443 backsetting and listerner, but we are getting unhealthy errors in the backend pool. although when we configured the 80 port, it showed success and health? I want to understand: which SSL certificate needs to be generated on the FortiGate firewall end? Currently, we have a wildcard domain SSL certificate, so it can be used to communicate with my FortiGate firewall from the AGW backend as 443? Please guide me.

Our requirement is that when a client hits a request, it reaches the traffic manager and is sent to agw. In the agw backend, it is sent to firewall, and firewall requests are sent to app services. that setup we are going to setup.

sharing the below setting of AGW with errors and letting me know if anything is misconfigured.

User's image

User's image

User's image

User's image

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,088 questions
Azure ISV (Independent Software Vendors) and Startups
Azure ISV (Independent Software Vendors) and Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.ISV (Independent Software Vendors) and Startups: A Microsoft program that helps customers adopt Microsoft Cloud solutions and drive user adoption.
97 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 49,621 Reputation points Microsoft Employee
    2023-05-22T11:22:35.78+00:00

    Hello @Nitin Parmar-Tss consultancy ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to set up a FortiGate firewall virtual machine as a backend pool of your Application gateway and you've configured port 443 backend setting and listener, but you are getting unhealthy errors in the backend pool. So, you would like to know which SSL certificate needs to be generated on the FortiGate firewall end.

    Root cause of your issue:

    In the v2 SKU, if there's a default probe (no custom probe has been configured and associated), SNI will be set from the host name mentioned in the HTTP settings. Or, if “Pick host name from backend address” is mentioned in the HTTP settings, where the backend address pool contains a valid FQDN, this setting will be applied.

    If there's a custom probe associated with the HTTP settings, SNI will be set from the host name mentioned in the custom probe configuration. Or, if Pick hostname from backend HTTP settings is selected in the custom probe, SNI will be set from the host name mentioned in the HTTP settings.

    If Pick hostname from backend address is set in the HTTP settings, the backend address pool must contain a valid FQDN.

    If you receive this error message, the CN of the backend certificate doesn't match the host name configured in the custom probe, or the HTTP settings if Pick hostname from backend HTTP settings is selected. If you're using a default probe, the host name will be set as 127.0.0.1. If that’s not a desired value, you should create a custom probe and associate it with the HTTP settings.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-certificate-invalid-common-name-cn

    Resolution:

    I see that your backend setting has Pick host name from backend target, but you've added the NIC of your VM and not the FQDN.

    As mentioned above, if Pick hostname from backend address is set in the HTTP settings, the backend address pool must contain a valid FQDN. So, select the backend target type as IP address or FQDN and add a valid FQDN in the target address.

    If the above is not feasible, then verify the CN (Common Name) of the certificate and enter the same in the host name field of the custom probe or in the HTTP settings (if Pick hostname from backend HTTP settings is selected).

    And if the CN of your existing certificate doesn't match the desired host name for your website, you must get a certificate for that domain or enter the correct host name in the custom probe or HTTP setting configuration.

    If you are using a wildcard hostname in your listener like *.trackwizz.app, you must upload a wildcard certificate with CN like *.trackwizz.app.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview#considerations-and-limitations-of-using-wildcard-or-multiple-host-names-in-a-listener

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.