Hosting behind Azure Application Gateway

Has anyone gotten the server working behind an Azure Application Gateway? Specifically, is it possible to get this working when using polling tentacles? I believe that this cannot work, since there is no support in the AG for client certificates. Please let me know if it’s possible to get this to work, as I would like to leverage the added security of the gateway in front of the Octopus server.

Hi Ryan,

Thanks for this question, are you able to share a bit more about the topology you intend to use behind the AAG, are you just looking to use the WAF, or are you looking into load balancing?

Not being an expert in AAG, and it sounding as though it doesn’t support client certificates - I suspect you might be right, if SSL termination is something that cannot be disabled? Have you tried it and are running into a specific error?

All the best,

Dear Jim,

We were looking to leverage the WAF functionality for added security. Load balancing is not yet needed.

The AAG does not appear to support client certificates, nor does it support a direct pass-through functionality. It can do end-to-end SSL, but this means basically SSL between client<->AAG and again between AAG<->server. I have not gotten this scenario to work either.

Kind regards,
Ryan Adler

Hi @Ryan_Adler

Thanks for the additional detail, we do support proxying polling tentacles, however this doesn’t quite fit the AAG use case if I understand correctly.

It is also worth mentioning that most tentacle communications aren’t done via HTTP, they use our own communication stack called Halibut which is effectively compressed JSON over TCP with TLS.

I’d love to hear more about the specific WAF features that you are interested in though if you have time to share.

Kind regards,

Dear Jim,

Basically, I am interested in the features as listed here:

and here:

1 Like

I managed to get this working ok…
Please add the NSG rules listed here for app gateway

Inbound internet to app-gateway for specific whitelisted Ip’s not all
Then another rule to from app-gateway subnet or ip to the backend pool server the web subnet source to destination only.
I also allowed an outbound rule from octopus server to my app-gateway subnet 443 only
Use the connection troubleshooter - netwatcher tool to verify the ports are opened source to destination
Make sure the https listener is configured correctly with the cert for the published url
you should be good to go.

Use the image
Took about 5 minutes to cache and browse initially but its all good and working v2 waf 3.2 OWASP

Long Live Automation!!!