Azure Application Gateway Wildcard listener not resolving to correct URL when specific URL entered in browser without http:// prefix

I'm using Azure Application Gateway WAF v2 and am starting to experiment with wildcard listeners.

I have multiple wildcard listeners configured (one per client) with 3 or 4 different URLs per wildcard HTTPS listener, i.e.

 abc.domain.com
 def.domian.com
 ghi.domain.com
 jkl.domain.com

Within each Listener, these domains are all pointed at a single HTTP Setting and Backend Pool which in turn is pointed towards a single Windows Server 2019 VM running IIS.

When I type a single URL into a browser without the https:// prefix (i.e. "abc.domain.com") the browser (Latest Chrome and Edge builds) seems to try and resolve to a funny combination of all URLs within the listener, e.g.:

"abc.domain.com%2Cdef.domian.com%2Cghi.domain.com%2Cjkl.domain.com"

If I type the domain in with the https:// prefix (i.e. https://abc.domain.com/) then it resolves and works correctly.

Any ideas why this might be? It's not ideal as most clients using the sites we host won't type in the https:// as a matter of course!

Thanks in advance for any help offered!
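
A diagnostic for the symptom described in the question, added here as an example and not part of the original post: it classifies the `Location` header returned for a plain-HTTP request, on the assumption that the comma-joined hostname reaches the browser through an HTTP-to-HTTPS redirect. The function names and the sample header values are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit, unquote


def fetch_location(host, port=80, timeout=5):
    """Send one plain-HTTP GET and return (status, Location) without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify_redirect(requested_host, location):
    """Return (verdict, hosts) for a redirect target relative to the requested host."""
    if not location:
        return "no-redirect", []
    # The host list may appear raw ("a,b") or percent-encoded ("a%2Cb").
    netloc = unquote(urlsplit(location).netloc)
    # Drop an optional :port from each entry (IPv6 literals are not handled here).
    hosts = [h.strip().lower().split(":")[0] for h in netloc.split(",") if h.strip()]
    if not hosts:
        return "relative", []
    if len(hosts) > 1:
        return "joined-hostnames", hosts
    if hosts[0] == requested_host.lower():
        return "ok", hosts
    return "other-host", hosts


if __name__ == "__main__":
    # Constructed sample values modelled on the question; no network access needed.
    samples = [
        "https://abc.domain.com%2Cdef.domian.com%2Cghi.domain.com%2Cjkl.domain.com/",
        "https://abc.domain.com/",
        None,
    ]
    for loc in samples:
        print(loc, "->", classify_redirect("abc.domain.com", loc))
    # Against a live gateway (hypothetical usage):
    #   status, loc = fetch_location("abc.domain.com")
```

A `joined-hostnames` verdict for a live response would show that the redirect target is built on the gateway side from the listener's host name list rather than by the browser.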



Solution 1:[1]

Please check whether certificate provisioning, as stated below, is a possible cause.

  1. Application Gateway supports both HTTP and HTTPS for routing requests to the back-end servers. If unencrypted communication is not acceptable, choose HTTPS instead of HTTP. See: HTTP settings configuration - protocol

  2. We can configure TLS policy to control TLS protocol versions. By default, SSL 2.0 and 3.0 are disabled and are not configurable. SSL termination and End-to-End SSL require you to configure the protocol as HTTPS and upload a certificate to be used in the listener configuration. If it is a multi-site listener, you can input the host name as well; usually this is the CN (Common Name) of the SSL certificate. See: Hosting multiple sites

  3. For the Application Gateway and WAF v1 SKU, the TLS policy applies to both frontend and backend traffic. For the WAF v2 SKU, the TLS policy applies only to the frontend traffic and all ciphers are offered to the backend server, which has control to select specific ciphers and TLS version during the handshake.

NOTE:

i. Authentication Certificates have been deprecated; trusted root certificates are required for enabling end-to-end configuration in the Application Gateway v2 SKU.

ii. Application Gateway only communicates with those backend servers that have either allow listed their certificate with the Application Gateway or whose certificates are signed by well-known CA authorities and the certificate's CN matches the host name in the HTTP backend settings. These include the trusted Azure services such as Azure App Service/Web Apps and Azure API Management.

  1. Please go through the requirements in the section: Enabling end to end TLS on Azure Application Gateway with-the-v2-sku | Microsoft Docs.

Please check the below references for detailed information regarding the same.

References:

  1. Configure end-to-end TLS encryption using the portal - Azure Application Gateway | Microsoft Docs
  2. Enabling end to end TLS on Azure Application Gateway | Microsoft Docs
  3. Deploying a Wildcard Azure Application Gateway using Powershell | by Jorrit Meijer | Wortell | Medium
  4. AppGateway V2 Certificate issue - Microsoft Q&A

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 kavyasaraboju-MT