Application Gateway accepts requests from web app, but not legacy desktop application

JBeaskey84 1 Reputation point
2020-12-21T15:17:37.067+00:00

Our team is hosting a legacy application on an Azure VM that sits behind an Application Gateway. Traffic is locked down to TLS (via a certificate on the Application Gateway). We're attempting to hit the application from a web browser and from a client application sitting on our desktop. The desktop application is configured to communicate using TLS.

When we make the call from a web browser (Chrome, in this case), the Application Gateway successfully processes the request and forwards it on to the web server. However, when the call comes in from the desktop application, the Application Gateway rejects it.

After analyzing multiple Wireshark captures, we've noticed that after the initial ACK exchange, the desktop application sends a "Client Hello" message. The Application Gateway immediately replies with a series of Connection Resets until the whole exchange is just shut down. The Wireshark captures do indicate that the desktop application is sending its initial communication over TLS.

Has anyone encountered a similar scenario or have any suggestions? While troubleshooting, we ended up placing the certificate directly on the Azure VM and using a load balancer to direct traffic to it. This allowed the desktop client to successfully access the application.

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
954 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2020-12-23T02:42:07.207+00:00

    The Client Hello is typically where Cipher Suites and TLS versions are shared. I would check to see if your custom application is using a compatible TLS version & Cipher with your Application Gateway.

    This is especially true for a legacy application and an Application Gateway with a strict custom TLS policy.

    0 comments No comments