Azure Application Gateway with WAF and Remote Desktop Gateway, SSTP VPN, and basic default website

Alex Carlock 216 Reputation points
2022-01-23T19:08:39.437+00:00

We are hosting a Windows Server 2022 server in Azure that's running Remote Desktop Gateway (RDG) services, Secure Socket Tunneling Protocol (SSTP) VPN, and a basic IIS website. Since all this traffic goes through HTTPS, we have enabled an Application Gateway with Web Application Firewall (WAF) (not V2). When the Firewall is in Detection mode everything is fine. When I flip it to Prevention mode, the website throws a "502 - Web server received an invalid response while acting as a gateway or proxy server." error, SSTP VPN breaks, and RDG can no longer connect.

This is my first time using WAF. Where should I start looking? Has anyone else used Application Gateway with WAF to protect SSTP and/or RDG?

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services

2 answers

  1. Alex Carlock 216 Reputation points
    2022-02-02T20:06:48.2+00:00

    I opened a case with Microsoft and was told that due to the nature of the packets used for SSTP VPN and RDG this setup is not supported with App gateway with WAF. We decided to tear down the AG with WAF setup and use Application proxy with no pre-authentication.

    3 people found this answer helpful.

  2. SaiKishor-MSFT 17,336 Reputation points
    2022-02-02T08:50:45.94+00:00

    @Alex Carlock Thank you for reaching out to Microsoft Q&A. We apologize for the delay in responding to your issue.

    I understand that when you set up Azure App Gateway with WAF in prevention mode for your Website, it throws a 502 error. As per the document, after configuring an application gateway, one of the errors that you may see is "Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server". This error may happen for the following main reasons:

    • NSG, UDR, or Custom DNS is blocking access to backend pool members.
    • Back-end VMs or instances of virtual machine scale set aren't responding to the default health probe.
    • Invalid or improper configuration of custom health probes.
    • Azure Application Gateway's back-end pool isn't configured or empty.
    • None of the VMs or instances in virtual machine scale set are healthy.
    • Request time-out or connectivity issues with user requests.

    Since this only happens after enabling WAF prevention mode, can you confirm if you can increase the Request time-out value in the Application Gateway HTTP settings and try to see if that helps? Thank you!

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

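The 502 checklist and the request time-out suggestion above can be worked through from Az PowerShell. The script below is an added triage example, not code from the thread or from Microsoft. It assumes the Az.Network and Az.OperationalInsights modules, an existing Connect-AzAccount session, and that the gateway's ApplicationGatewayFirewallLog diagnostic category is routed to a Log Analytics workspace; the resource group, gateway name and workspace ID are placeholders. It checks backend health (a 502 with no healthy backend is a probe, NSG or DNS problem, not a WAF problem), prints the current WAF configuration, summarises which WAF rules matched and on which request URIs, raises the backend request time-out, and switches the WAF back to Detection mode so rule matches are logged without being blocked.

```powershell
# Added example (not from the original thread). Placeholders below are assumptions.
$rg      = 'rg-rdg'                                   # placeholder resource group
$agwName = 'agw-rdg-waf'                              # placeholder gateway name
$wsId    = '00000000-0000-0000-0000-000000000000'     # placeholder Log Analytics workspace ID

$gw = Get-AzApplicationGateway -Name $agwName -ResourceGroupName $rg

# 1. Backend health: rules out the probe/NSG/DNS causes from the 502 list first.
$health = Get-AzApplicationGatewayBackendHealth -Name $agwName -ResourceGroupName $rg
foreach ($pool in $health.BackendAddressPools) {
    foreach ($hs in $pool.BackendHttpSettingsCollection) {
        foreach ($srv in $hs.Servers) {
            '{0}: {1}' -f $srv.Address, $srv.Health      # expect "Healthy" for every member
        }
    }
}

# 2. Current WAF mode and rule set.
$waf = Get-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw
'WAF enabled={0} mode={1} ruleset={2} {3}' -f $waf.Enabled, $waf.FirewallMode, $waf.RuleSetType, $waf.RuleSetVersion

# 3. Which rules are firing, and on which URIs. In Detection mode the same rules are
#    logged with action "Detected" instead of being enforced, so the log shows what
#    Prevention mode will block before you flip the switch.
$kql = @'
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "ApplicationGatewayFirewallLog"
| summarize Hits = count() by action_s, ruleId_s, Message, requestUri_s, hostname_s
| order by Hits desc
'@
$matches = Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql
$matches.Results | Format-Table -AutoSize

# 4. Raise the request time-out on every backend HTTP setting. SSTP and RDG keep their
#    HTTPS connection open for the life of the session, so a short time-out cuts them.
#    Set-* replaces the whole setting; if yours references a custom probe or an
#    authentication certificate, pass those through as well (-Probe / -AuthenticationCertificates).
foreach ($hs in (Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw)) {
    $gw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name $hs.Name `
            -Port $hs.Port -Protocol $hs.Protocol -CookieBasedAffinity $hs.CookieBasedAffinity `
            -RequestTimeout 3600                          # seconds; v1 allows 1 to 86400
}

# 5. Drop back to Detection mode, preserving the rule set and any disabled rule groups,
#    then commit the whole configuration in one update.
$wafParams = @{
    ApplicationGateway = $gw
    Enabled            = $true
    FirewallMode       = 'Detection'
    RuleSetType        = $waf.RuleSetType
    RuleSetVersion     = $waf.RuleSetVersion
}
if ($waf.DisabledRuleGroups) { $wafParams.DisabledRuleGroup = $waf.DisabledRuleGroups }
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration @wafParams
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```

Run it with the WAF in Detection mode while a client connects through SSTP and RDG and loads the IIS site; the rows returned by step 3 name the rule IDs and URIs that Prevention mode will enforce against, which is the information you need before deciding whether an exclusion, a disabled rule group, or a different front end (as the accepted answer chose) is the right fix.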
