How to properly setup Azure Application Gateway

Elbert 0 Reputation points
2023-11-23T07:54:17.26+00:00

Hi! My client and I deployed 3 Qlik Systems in Azure Cloud lately. We also utilized Application Gateway tier WAF V2 which seems to be giving a lot of problems.

The Azure deployment is supposed to be Intranet only (no internet access). However, the Application Gateway was setup with WAF v2 tier with frontend IP for both public and private. But the Listeners are setup for Private IP. (Design by my client.)

The client requirement is end-to-end TLS. The way the SSL Cert was setup is CN=<the FQDN of the Qlik System>; SAN=<the FQDN of the Application Gateway (DNS)>, <FQDN of the Qlik System>, <hostname of the Qlik System>. The SSL Cert is bind to the Qlik System and .PFX Cert to Listener certificate.

Listener: is Multi Site (single for UAT) with Host Name = <the FQDN of the Application Gateway>.

Backend Setting: HTTPS Protocol, root cert (.cer); Override with new hostname is set to: Yes; Override with specific domain name-host name: = <the FQDN of the Application Gateway>.

Backend Pool: Target type = Virtual Machine.

Is this the proper way to configure the Application Gateway? Seems to be a workaround.

The thing is 1 Qlik System (Qlik Sense) is working but the other (NPrinting) is not working. The Application Gateway setup are identical on both Qlik systems. (I can both access the Qlik Systems directly via HTTPS without issue.)

I'm not even sure when I setup SAML Authentication with Azure AD if will work on this Application Gatewat setup.

Please if anyone can comment if the configuation will work. I read that on Application Gateway WAF V2, only Public IP Listener is possible at the moment.

Thank you and regards,

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,007 questions
{count} votes

1 answer

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,371 Reputation points Microsoft Employee
    2023-11-23T10:39:17.0566667+00:00

    Hello @Elbert ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to properly setup Azure Application Gateway with end-to-end SSL and multi-site listener for private access only.

    Application Gateway v2 currently supports private IP frontend configuration only (no public IP) via public preview.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal

    However, Preview features are not recommended for production.

    For current general availability support, Application Gateway v2 supports the following combinations:

    • Private IP and public IP
    • Public IP only

    And looks like you are using the first method of both Private IP and public IP with no listeners for the public frontend IP address and this is the correct configuration setup.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#how-do-i-use-application-gateway-v2-with-only-a-private-frontend-ip-address

    https://learn.microsoft.com/en-us/azure/application-gateway/configuration-frontend-ip

    Now, coming to the end-to-end SSL configuration, I would like to share some points below:

    • Certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings don't require any additional step for end-to-end TLS to work.
    • In addition to the root certificate match, Application Gateway v2 also validates if the Host setting specified in the backend http setting matches that of the common name (CN) presented by the backend server’s TLS/SSL certificate. When trying to establish a TLS connection to the backend, Application Gateway v2 sets the Server Name Indication (SNI) extension to the Host specified in the backend http setting.

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-tls-with-the-v2-sku

    https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#common-name-cn-doesnt-match

    For more information, refer: https://learn.microsoft.com/en-us/answers/questions/1166561/azure-application-gateway-502-bad-gateway-error

    Looking at your configuration, I see you have set "Override with new hostname" in the backend setting and are using the FQDN of the Application Gateway. In this case, the certificate should have a common name (CN) as the FQDN of the Application Gateway.

    May I know what is the FQDN of the Application gateway that you are using? Is it a custom domain that you are using?

    Also, what do you see in your Application gateway backend health?

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#how-to-check-backend-health

    Now that we are configuring SAML Authentication with Azure AD. My question is, should all the SAML URLs for saml configuration like Identifier, Reply URL, Sign on URL should now use the FQDN of the Application Gateway?

    I believe so, though I'm not 100% sure about your setup and don't have expertise on Qlik Sense authentication configuration. I'm sharing a few docs that might help here:

    https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-application-gateway-waf

    https://learn.microsoft.com/en-us/entra/identity/saas-apps/qliksense-enterprise-tutorial

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments