MicrosoftDocs
diff --git a/‎articles/app-service/app-service-web-configure-tls-mutual-auth.md
Lines changed: 38 additions & 12 deletions b/‎articles/app-service/app-service-web-configure-tls-mutual-auth.md
Lines changed: 38 additions & 12 deletions
diff --git a/‎articles/azure-resource-manager/templates/template-functions-logical.md
Lines changed: 2 additions & 0 deletions b/‎articles/azure-resource-manager/templates/template-functions-logical.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/azure-vmware/azure-vmware-solution-horizon.md
Lines changed: 10 additions & 9 deletions b/‎articles/azure-vmware/azure-vmware-solution-horizon.md
Lines changed: 10 additions & 9 deletions
diff --git a/‎articles/azure-vmware/deploy-vmware-cloud-director-availability-in-azure-vmware-solution.md
Lines changed: 6 additions & 6 deletions b/‎articles/azure-vmware/deploy-vmware-cloud-director-availability-in-azure-vmware-solution.md
Lines changed: 6 additions & 6 deletions
@@ -12,7 +12,7 @@ ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-trac
 ---
 # Configure TLS mutual authentication for Azure App Service
 
-You can restrict access to your Azure App Service app by enabling different types of authentication for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication. This article shows how to set up your app to use client certificate authentication.
+You can restrict access to your Azure App Service app by enabling different types of authentication for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called Transport Layer Security (TLS) mutual authentication or client certificate authentication. This article shows how to set up your app to use client certificate authentication.
 
 > [!NOTE]
 > Your app code is responsible for validating the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app.
@@ -22,27 +22,28 @@ You can restrict access to your Azure App Service app by enabling different type
 [!INCLUDE [Prepare your web app](../../includes/app-service-ssl-prepare-app.md)]
 
 ## Enable client certificates
-
-To set up your app to require client certificates:
-
-1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
-
-1. Select **Client certificate mode** of choice. Select **Save** at the top of the page.
+When you enable client certificate for your app, you should select your choice of client certificate mode. Each mode defines how your app handles incoming client certificates:
 
 |Client certificate modes|Description|
 |-|-|
 |Required|All requests require a client certificate.|
-|Optional|Requests may or may not use a client certificate. Clients will be prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
-|Optional Interactive User|Requests may or may not use a client certificate. Clients will not be prompted for a certificate by default. For example, browser clients will not show a prompt to select a certificate for authentication.|
+|Optional|Requests may or may not use a client certificate and clients are prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
+|Optional Interactive User|Requests may or may not use a client certificate and clients are not prompted for a certificate by default. For example, browser clients won't show a prompt to select a certificate for authentication.|
+
+### [Azure portal](#tab/azureportal)
+To set up your app to require client certificates in Azure portal:
+1. Navigate to your app's management page.
+1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
+1. Select **Client certificate mode** of choice. Select **Save** at the top of the page.
 
 ### [Azure CLI](#tab/azurecli)
-To do the same with Azure CLI, run the following command in the [Cloud Shell](https://shell.azure.com):
+With Azure CLI, run the following command in the [Cloud Shell](https://shell.azure.com):
 
 ```azurecli-interactive
 az webapp update --set clientCertEnabled=true --name <app-name> --resource-group <group-name>
 ```
-### [Bicep](#tab/bicep)
 
+### [Bicep](#tab/bicep)
 For Bicep, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample Bicep snippet is provided for you:
 
 ```bicep
@@ -63,7 +64,6 @@ resource appService 'Microsoft.Web/sites@2020-06-01' = {
 ```
 
 ### [ARM template](#tab/arm)
-
 For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample ARM template snippet is provided for you:
 
 ```ARM
@@ -93,6 +93,9 @@ For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`,
 
 When you enable mutual auth for your application, all paths under the root of your app require a client certificate for access. To remove this requirement for certain paths, define exclusion paths as part of your application configuration.
 
+> [!NOTE]
+> Using any client certificate exclusion path triggers TLS renegotiation for incoming requests to the app.
+
 1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
 
 1. Next to **Certificate exclusion paths**, select the edit icon.
@@ -105,6 +108,29 @@ In the following screenshot, any path for your app that starts with `/public` do
 
 ![Certificate Exclusion Paths][exclusion-paths]
 
+## Client certificate and TLS renegotiation
+App Service requires TLS renegotiation to read a request before knowing whether to prompt for a client certificate. Any of the following settings triggers TLS renegotiation:
+1. Using "Optional Interactive User" client certificate mode.
+1. Using [client certificate exclusion path](#exclude-paths-from-requiring-authentication).
+
+> [!NOTE]
+> TLS 1.3 and HTTP 2.0 don't support TLS renegotiation. These protocols will not work if your app is configured with client certificate settings that use TLS renegotiation.
+
+To disable TLS renegotiation and to have the app negotiate client certificates during TLS handshake, you must configure your app with *all* these settings:
+1. Set client certificate mode to "Required" or "Optional"
+2. Remove all client certificate exclusion paths
+
+### Uploading large files with TLS renegotiation
+Client certificate configurations that use TLS renegotiation cannot support incoming requests with large files greater than 100 kb due to buffer size limitations. In this scenario, any POST or PUT requests over 100 kb will fail with a 403 error. This limit isn't configurable and can't be increased.
+
+To address the 100 kb limit, consider these alternative solutions:
+
+1. Update your app's client certificate configurations with _all_ these settings:
+    - Set client certificate mode to either "Required" or "Optional"
+    - Remove all client certificate exclusion paths
+1. Send a HEAD request before the PUT/POST request. The HEAD request handles the client certificate.
+1. Add the header `Expect: 100-Continue` to your request. This causes the client to wait until the server responds with a `100 Continue` before sending the request body, which bypasses the buffers.
+
 ## Access client certificate
 
 In App Service, TLS termination of the request happens at the frontend load balancer. When App Service forwards the request to your app code with [client certificates enabled](#enable-client-certificates), it injects an `X-ARR-ClientCert` request header with the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.
 
@@ -144,6 +144,8 @@ Returns second parameter when first parameter is **True**; otherwise, returns th
 
 When the condition is **True**, only the true value is evaluated. When the condition is **False**, only the false value is evaluated. With the `if` function, you can include expressions that are only conditionally valid. For example, you can reference a resource that exists under one condition but not under the other condition. An example of conditionally evaluating expressions is shown in the following section.
 
+Note that the above **only** applies when the condition can be evaluated at template start, for example you cannot use a `reference()`  in the condition.
+
 ### Examples
 
 The following example shows how to use the `if` function.
 
@@ -3,7 +3,7 @@ title: Deploy Horizon on Azure VMware Solution
 description: Learn how to deploy VMware Horizon on Azure VMware Solution.
 ms.topic: how-to
 ms.service: azure-vmware
-ms.date: 4/1/2024
+ms.date: 01/09/2025
 ms.custom: engagement-fy23
 ---
 
@@ -12,27 +12,27 @@ ms.custom: engagement-fy23
 >[!NOTE]
 >This document focuses on the VMware Horizon product, formerly known as Horizon 7. Horizon is a different solution than Horizon Cloud on Azure, although there are some shared components. Key advantages of the Azure VMware Solution include both a more straightforward sizing method and the integration of Software-Defined Data Center (SDDC) private cloud management into the Azure portal.
 
-[VMware Horizon](https://www.vmware.com/products/horizon.html)®, a virtual desktop and applications platform, runs in the data center and provides simple and centralized management. It delivers virtual desktops and applications on any device, anywhere. Horizon lets you create, and broker connections to Windows and Linux virtual desktops, Remote Desktop Server (RDS) hosted applications, desktops, and physical machines.
+[VMware Horizon](https://www.omnissa.com/products/horizon-8/)®, a virtual desktop and applications platform, runs in the data center and provides simple and centralized management. It delivers virtual desktops and applications on any device, anywhere. Horizon lets you create, and broker connections to Windows and Linux virtual desktops, Remote Desktop Server (RDS) hosted applications, desktops, and physical machines.
 
 Here, we focus specifically on deploying Horizon on Azure VMware Solution. For general information on VMware Horizon, refer to the Horizon production documentation:
 
-* [What is VMware Horizon?](https://www.vmware.com/products/horizon.html)
+* [What is VMware Horizon?](https://www.omnissa.com/products/horizon-8/)
 
-* [Learn more about VMware Horizon](https://docs.vmware.com/en/VMware-Horizon/index.html)
+* [Learn more about VMware Horizon](https://docs.omnissa.com/category/Horizon_8)
 
-* [Horizon Reference Architecture](https://techzone.vmware.com/resource/workspace-one-and-horizon-reference-architecture)
+* [Horizon Reference Architecture](https://techzone.omnissa.com/reference-architecture)
 
 With Horizon's introduction on Azure VMware Solution, there are now two Virtual Desktop Infrastructure (VDI) solutions on the Azure platform:
 
 * VMware Horizon on Azure VMware Solution
 
 * VMware Horizon Cloud (Desktop-as-a-Service Model)
 
-Horizon 2006 and later versions on the Horizon 8 release line supports both on-premises and Azure VMware Solution deployment. There are a few Horizon features that are supported on-premises but not on Azure VMware Solution. Other products in the Horizon ecosystem are also supported. For more information, see [feature parity and interoperability](https://kb.vmware.com/s/article/80850).
+Horizon 2006 and later versions on the Horizon 8 release line supports both on-premises and Azure VMware Solution deployment. There are a few Horizon features that are supported on-premises but not on Azure VMware Solution. Other products in the Horizon ecosystem are also supported. For more information, see [feature parity and interoperability](https://kb.omnissa.com/s/article/80850).
 
 ## Deploy Horizon in a hybrid cloud
 
-You can deploy Horizon in a hybrid cloud environment by using Horizon Cloud Pod Architecture (CPA) to interconnect on-premises and Azure data centers. CPA scales up your deployment, builds a hybrid cloud, and provides redundancy for Business Continuity and Disaster Recovery.  For more information, see [Expanding Existing Horizon 7 Environments](https://techzone.vmware.com/resource/business-continuity-vmware-horizon#_Toc41650874).
+You can deploy Horizon in a hybrid cloud environment by using Horizon Cloud Pod Architecture (CPA) to interconnect on-premises and Azure data centers. CPA scales up your deployment, builds a hybrid cloud, and provides redundancy for Business Continuity and Disaster Recovery.  For more information, see [Expanding Existing Horizon 7 Environments](https://techzone.omnissa.com/resource/horizon-8-azure-vmware-solution-architecture#cloud-pod-architecture).
 
 >[!IMPORTANT]
 >CPA is not a stretched deployment; each Horizon pod is distinct, and all Connection Servers that belong to each of the individual pods are required to be located in a single location and run on the same broadcast domain from a network perspective.
@@ -210,7 +210,8 @@ Work with your VMware EUC sales team to determine the Horizon licensing cost bas
 
 ### Azure Instance Types
 
-To understand the Azure virtual machine sizes that are required for the Horizon Infrastructure, see [Horizon Installation on Azure VMware Solution](https://techzone.vmware.com/resource/horizon-on-azure-vmware-solution-configuration#horizon-installation-on-azure-vmware-solution).
+To understand the Azure virtual machine sizes that are required for the Horizon Infrastructure, see [Horizon Installation on Azure VMware Solution](https://techzone.omnissa.com/resource/horizon-8-azure-vmware-solution-configuration#instance-types-for-federated-deployment).
 
 ## References
-[System Requirements For Horizon Agent for Linux](https://docs.vmware.com/en/VMware-Horizon/2012/linux-desktops-setup/GUID-E268BDBF-1D89-492B-8563-88936FD6607A.html)
+[System Requirements For Horizon Agent for Linux](https://docs.omnissa.com/bundle/Desktops-and-Applications-in-HorizonV2406/page/SystemRequirementsforHorizonAgentforLinux.html)
+[Horizon 8 on Azure VMware Solution Architecture](https://techzone.omnissa.com/resource/horizon-8-azure-vmware-solution-architecture)
@@ -4,14 +4,14 @@ description: Learn how to install and configure VMware Cloud Director Availabili
 author: suzuber
 ms.topic: how-to
 ms.service: azure-vmware
-ms.date: 4/15/2024
+ms.date: 01/09/2025
 --- 
 
 # Deploy VMware Cloud Director Availability in Azure VMware Solution
 
 In this article, learn how to deploy VMware Cloud Director Availability in Azure VMware Solution.
 
-Customers can use [VMware Cloud Director Availability](https://docs.vmware.com/en/VMware-Cloud-Director-Availability/index.html), a Disaster Recovery as a Service (DRaaS) solution, to protect and migrate workloads both to and from the VMware Cloud Director service associated with Azure VMware Solution. The native integration of VMware Cloud Director Availability with VMware Cloud Director and VMware Cloud Director service (CDS) enables provider and their tenants to efficiently manage migration and disaster recovery for workloads through the VMware Cloud Director Availability provider and tenant portal. 
+Customers can use [VMware Cloud Director Availability](https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/what-is-vcda.html), a Disaster Recovery as a Service (DRaaS) solution, to protect and migrate workloads both to and from the VMware Cloud Director service associated with Azure VMware Solution. The native integration of VMware Cloud Director Availability with VMware Cloud Director and VMware Cloud Director service (CDS) enables provider and their tenants to efficiently manage migration and disaster recovery for workloads through the VMware Cloud Director Availability provider and tenant portal. 
 
 ## VMware Cloud Director Availability scenarios on Azure VMware Solution
 
@@ -98,13 +98,13 @@ The following image shows the Run commands that are available under **VMware.VCD
 
 :::image type="content" source="media/deploy-vmware-cloud-director-availability/vmware-cloud-director-availability-run-command.png" alt-text="Screenshot shows multiple VMware Cloud Director Availability Run commands available within the VMware Cloud Director Availability Run command package."lightbox="media/deploy-vmware-cloud-director-availability/vmware-cloud-director-availability-run-command.png"::: 
 
-Refer to [VMware Cloud Director Availability in Azure VMware Solution](https://docs.vmware.com/en/VMware-Cloud-Director-Availability/4.7/VMware-Cloud-Director-Availability-in-AVS/GUID-2BF88B54-5775-4414-8213-D3B41BCDE3EB.html) for detailed instructions on utilizing the Run commands to effectively install and manage VMware Cloud Director Availability within your Azure solution private cloud. 
+Refer to [VMware Cloud Director Availability in Azure VMware Solution](https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/availability-in-avs-4-7.html) for detailed instructions on utilizing the Run commands to effectively install and manage VMware Cloud Director Availability within your Azure solution private cloud. 
 
 ## FAQs
 
 ### How do I install and configure VMware Cloud Director Availability in Azure VMware Solution and what are the prerequisites? 
 
-Deploy VMware Cloud Director Availability using Run commands to enable classic engines and to access Disaster Recovery functionality. See prerequisites and procedures in [Run command in Azure VMware Solution](https://docs.vmware.com/en/VMware-Cloud-Director-Availability/4.7/VMware-Cloud-Director-Availability-in-AVS/GUID-6D0E6E0B-74BC-4669-9A26-5ACC46B2B296.html).
+Deploy VMware Cloud Director Availability using Run commands to enable classic engines and to access Disaster Recovery functionality. See prerequisites and procedures in [Run command in Azure VMware Solution](https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/availability-in-avs-4-7/availability-run-commands-in-avs.html).
 
 ### How is VMware Cloud Director Availability supported?
 
@@ -120,8 +120,8 @@ You can use Run Command **Install-VCDAReplicator** to install and configure new
 
 ### How can I upgrade VMware Cloud Director availability?
 
-VMware Cloud Director Availability can be upgraded using [Appliances upgrade sequence and prerequisites](https://docs.vmware.com/en/VMware-Cloud-Director-Availability/4.7/VMware-Cloud-Director-Availability-Install-Config-Upgrade-Cloud/GUID-51B25D13-8224-43F1-AE54-65EDDA9E5FAD.html).
+VMware Cloud Director Availability can be upgraded using [Appliances upgrade sequence and prerequisites](https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/cloud-availability-install-config-and-upgrade-guide-4-7/upgrading-in-the-cloud-director-site/vcav-upgrade-sequence.html).
 
 ## Next steps
 
-Learn more about VMware Cloud Director Availability Run commands in Azure VMware Solution, [VMware Cloud Director availability](https://docs.vmware.com/en/VMware-Cloud-Director-Availability/index.html).
+Learn more about VMware Cloud Director Availability Run commands in Azure VMware Solution, [VMware Cloud Director availability](https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/what-is-vcda.html).