2
votes

I want all clients to be able to access my server regardless of how old or unpatched they are.

This means I need to support ancient versions of SSL. I want these users to access sales and marketing material on my site. However, I don't want those versions to access special pages.

This configuration is necessary because I want to support HSTS, but clients won't conditionally honor an HSTS header based on TLS version or cipher.

That means the load balancer (Netscaler equivalent) needs to redirect based on cipher or protocol version.

How can I ensure Traffic Manager (or any other relevant aspect of Azure) satisfies this need?


2 Answers

3
votes

Azure Traffic Manager does nothing like what you're asking. There are only three LB modes:

  • Priority (primary/failover)
  • Weighted (distributed)
  • Performance (closest to end user)

If you want to do the type of load-balancing you're referring to, you'd need to have your own set of VMs doing exactly that (and how you do that is really up to you).

More details on Traffic Manager routing are here.

1
votes

Traffic Manager is a DNS-only solution. It doesn't terminate connections.

Look at Azure Application Gateway for a Layer 7 load balancer:
https://azure.microsoft.com/en-us/documentation/articles/application-gateway-introduction/

I'm unsure if it can match on TLS protocol version but you can give it a go.
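
One way the self-managed, TLS-terminating tier suggested in the first answer could make the per-request decision, as an added example that is not from the question or either answer. It assumes the terminator exposes the negotiated protocol in the form returned by Python's `ssl.SSLSocket.version()`; the protected prefixes, the TLS 1.2 minimum and the redirect target are hypothetical policy values.

```python
import posixpath
from urllib.parse import unquote

# Protocol names as reported by ssl.SSLSocket.version(), weakest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Hypothetical policy values, not taken from the original page.
MIN_FOR_PROTECTED = "TLSv1.2"
PROTECTED_PREFIXES = ("/account", "/admin")
UPGRADE_URL = "/upgrade-your-browser"


def protocol_rank(name):
    """Return a comparable rank; unknown or missing protocols rank lowest."""
    return PROTOCOL_ORDER.index(name) if name in PROTOCOL_ORDER else -1


def is_protected(raw_path):
    """Match the policy against a normalised path, not the raw request line.

    Without normalisation, '//Account/%2e/settings' would slip past a naive
    prefix check. The normalisation here must mirror what the backend does.
    """
    path = unquote(raw_path.split("?", 1)[0])           # drop query, decode once
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapse //, ./ and ../
    path = path.lower()                                 # assume case-insensitive backend
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def decide(negotiated_protocol, raw_path):
    """Return (status, location) for a request on an already-terminated connection.

    Legacy clients keep access to public pages; protected pages redirect
    unless the connection negotiated at least MIN_FOR_PROTECTED.
    """
    too_old = protocol_rank(negotiated_protocol) < protocol_rank(MIN_FOR_PROTECTED)
    if too_old and is_protected(raw_path):
        return (302, UPGRADE_URL)
    return (200, None)


if __name__ == "__main__":
    # Constructed sample requests: (negotiated protocol, request path).
    for proto, path in [("SSLv3", "/products"), ("SSLv3", "/account/orders"),
                        ("TLSv1.2", "/account/orders"), (None, "/admin")]:
        print(proto, path, decide(proto, path))
```

The same check can be expressed in whatever proxy terminates TLS, provided it exposes the negotiated protocol to its routing rules.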