MicrosoftDocs
diff --git a/‎articles/active-directory/saas-apps/kerbf5-tutorial.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/saas-apps/kerbf5-tutorial.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/aks/certificate-rotation.md
Lines changed: 7 additions & 1 deletion b/‎articles/aks/certificate-rotation.md
Lines changed: 7 additions & 1 deletion
diff --git a/‎articles/azure-cache-for-redis/cache-configure.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-cache-for-redis/cache-configure.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-cache-for-redis/cache-remove-tls-10-11.md
Lines changed: 9 additions & 1 deletion b/‎articles/azure-cache-for-redis/cache-remove-tls-10-11.md
Lines changed: 9 additions & 1 deletion
diff --git a/‎articles/azure-monitor/app/ip-addresses.md
Lines changed: 2 additions & 2 deletions b/‎articles/azure-monitor/app/ip-addresses.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/azure-monitor/app/profiler-troubleshooting.md
Lines changed: 5 additions & 0 deletions b/‎articles/azure-monitor/app/profiler-troubleshooting.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/azure-monitor/app/snapshot-debugger-troubleshoot.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-monitor/app/snapshot-debugger-troubleshoot.md
Lines changed: 1 addition & 1 deletion
@@ -371,7 +371,7 @@ This adds the new Active Directory server to the Active Directory Servers list.
     >[!Note]
     > You will need the Kerberos Delegation Account to be created and specified. Refer KCD Section (Refer Appendix for Variable References)
 
-    * **Username Source**: session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+    * **Username Source**: session.saml.last.attr.name.http:\//schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
 
     * **User Realm Source**: session.logon.last.domain
 
 
@@ -34,7 +34,13 @@ AKS generates and uses the following certificates, Certificate Authorities, and
 * The `kubectl` client has a certificate for communicating with the AKS cluster.
 
 > [!NOTE]
-> AKS clusters created prior to March 2019 have certificates that expire after two years. Any cluster created after March 2019 or any cluster that has its certificates rotated have certificates that expire after 30 years.
+> AKS clusters created prior to March 2019 have certificates that expire after two years. Any cluster created after March 2019 or any cluster that has its certificates rotated have certificates that expire after 30 years. To verify when your cluster was created, use `kubectl get nodes` to see the *Age* of your node pools.
+> 
+> Additionally, you can check the expiration date of your cluster's certificate. For example, the following command displays the certificate details for the *myAKSCluster* cluster.
+> ```console
+> kubectl config view --raw -o jsonpath='{.clusters[?(@.name == "myAKSCluster")].cluster.certificate-authority-data}' | base64 -d > my-cert.crt
+> openssl x509 -in my-cert.crt -text
+> ```
 
 ## Rotate your cluster certificates
 
 
@@ -116,7 +116,7 @@ The following settings are configured on the **Advanced settings** blade.
 By default, non-SSL access is disabled for new caches. To enable the non-SSL port, click **No** for **Allow access only via SSL** on the **Advanced settings** blade and then click **Save**.
 
 > [!NOTE]
-> SSL access to Azure Cache for Redis supports TLS 1.0 by default. The minimum supported TLS version can be raised up to TLS 1.2 if desired by using the **Minimum TLS version** dropdown on the **Advanced settings** blade and then click **Save**.
+> SSL  access to Azure Cache for Redis supports TLS 1.0, 1.1 and 1.2 currently, but versions 1.0 and 1.1 are being retired soon.  Please read our [Remove TLS 1.0 and 1.1 page](cache-remove-tls-10-11.md) for more details.
 
 ![Azure Cache for Redis Access Ports](./media/cache-configure/redis-cache-access-ports.png)
 
 
@@ -14,7 +14,15 @@ ms.author: yegu
 
 There's an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This [TLS security blog](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/) explains some of these vulnerabilities in more detail.
 
-Although none of these considerations pose an immediate problem, we recommend that you stop using TLS 1.0 and 1.1 soon. Azure Cache for Redis will stop supporting these TLS versions on March 31, 2020. After that date, your application will be required to use TLS 1.2 or later to communicate with your cache.
+As a part of this effort, we'll be making the following changes to Azure Cache for Redis:
+
+* Starting on January 13, 2020 we will configure the default minimum TLS version to be 1.2 for newly created cache instances.  Existing cache instances won't be updated at this point.  You'll be allowed to [change the minimum TLS version](cache-configure.md#access-ports) back to 1.0 or 1.1 for backward compatibility, if needed.  This change can be done through the Azure portal or other management APIs.
+* Starting on March 31, 2020 we'll stop supporting TLS versions 1.0 and 1.1. After this change, your application will be required to use TLS 1.2 or later to communicate with your cache.
+
+Additionally, as a part of this change, we'll be removing support for older, insecure cypher suites.  Our supported cypher suites will be restricted to the following when the cache is configured with a minimum TLS version of 1.2.
+
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
 
 This article provides general guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.
 
 
@@ -6,7 +6,7 @@ ms.subservice: application-insights
 ms.topic: conceptual
 author: mrbullwinkle
 ms.author: mbullwin
-ms.date: 10/09/2019
+ms.date: 12/19/2019
 
 ---
 
@@ -29,7 +29,7 @@ You need to open some outgoing ports in your server's firewall to allow the Appl
 | Purpose | URL | IP | Ports |
 | --- | --- | --- | --- |
 | Telemetry |dc.services.visualstudio.com<br/>dc.applicationinsights.microsoft.com |40.114.241.141<br/>104.45.136.42<br/>40.84.189.107<br/>168.63.242.221<br/>52.167.221.184<br/>52.169.64.244<br/>40.85.218.175<br/>104.211.92.54<br/>52.175.198.74<br/>51.140.6.23<br/>40.71.12.231<br/>13.69.65.22<br/>13.78.108.165<br/>13.70.72.233<br/>20.44.8.7<br/>13.86.218.248<br/>40.79.138.41<br/>52.231.18.241<br/>13.75.38.7<br/>102.133.155.50<br/>52.162.110.67<br/>191.233.204.248<br/>13.69.66.140<br/>13.77.52.29<br/>51.107.59.180<br/>40.71.12.235 | 443 |
-| Live Metrics Stream (East US) |use.rt.prod.applicationinsights.trafficmanager.net |23.96.28.38<br/>13.92.40.198<br/>52.226.139.56<br/>52.226.140.207 |443 |
+| Live Metrics Stream (East US) |use.rt.prod.applicationinsights.trafficmanager.net |23.96.28.38<br/>13.92.40.198<br/>40.112.49.101<br/>40.117.80.207 |443 |
 | Live Metrics Stream (South Central US) |ussc.rt.prod.applicationinsights.trafficmanager.net |157.55.177.6<br/>104.44.140.84<br/>104.215.81.124<br/>23.100.122.113 |443 |
 | Live Metrics Stream (North Europe) |eun.rt.prod.applicationinsights.trafficmanager.net |40.115.103.168<br/>40.115.104.31<br/>40.87.140.215<br/>40.87.138.220 |443 |
 | Live Metrics Stream (West Europe) |euw.rt.prod.applicationinsights.trafficmanager.net |13.80.134.255<br/>40.68.61.229<br/>23.101.69.223<br/>52.232.106.242 |443 |
 
@@ -161,6 +161,11 @@ To check the settings that were used to configure Azure Diagnostics:
     When the trace is being uploaded, the following message is displayed: *Start to upload trace*. 
 
 
+## Edit network proxy or firewall rules
+
+If your application connects to the Internet via a proxy or a firewall, you may need to edit the rules to allow your application to communicate with the Application Insights Profiler service. The IPs used by Application Insights Profiler are included in the Azure Monitor service tag.
+
+
 [profiler-search-telemetry]:./media/profiler-troubleshooting/Profiler-Search-Telemetry.png
 [profiler-webjob]:./media/profiler-troubleshooting/Profiler-webjob.png
 [profiler-webjob-log]:./media/profiler-troubleshooting/Profiler-webjob-log.png
 
@@ -215,4 +215,4 @@ If you still don't see an exception with that snapshot ID, then the exception te
 
 ## Edit network proxy or firewall rules
 
-If your application connects to the Internet via a proxy or a firewall, you may need to edit the rules to allow your application to communicate with the Snapshot Debugger service. Here is [a list of IP addresses and ports used by the Snapshot Debugger](../../azure-monitor/app/ip-addresses.md#snapshot-debugger).
+If your application connects to the Internet via a proxy or a firewall, you may need to edit the rules to allow your application to communicate with the Snapshot Debugger service. The IPs used by Snapshot Debugger are included in the Azure Monitor service tag.
Original file line number	Diff line number	Diff line change
`@@ -215,4 +215,4 @@ If you still don't see an exception with that snapshot ID, then the exception te`
`215`	`215`
`216`	`216`	`## Edit network proxy or firewall rules`
`217`	`217`
`218`		`-If your application connects to the Internet via a proxy or a firewall, you may need to edit the rules to allow your application to communicate with the Snapshot Debugger service. Here is [a list of IP addresses and ports used by the Snapshot Debugger](../../azure-monitor/app/ip-addresses.md#snapshot-debugger).`
	`218`	`+If your application connects to the Internet via a proxy or a firewall, you may need to edit the rules to allow your application to communicate with the Snapshot Debugger service. The IPs used by Snapshot Debugger are included in the Azure Monitor service tag.`