Merge pull request #296715 from MicrosoftDocs/main

3/20/2025 PM Publish

Author: Taojunshen

articles/application-gateway/application-gateway-tls-version-retirement.md

@@ -0,0 +1,77 @@
+---
+title: TLS 1.0 and 1.1 retirement on Azure Application Gateway
+description: Guidance for managing your Application Gateway with the upcoming retirement of TLS 1.0 and 1.1.
+services: application gateway
+author: jaesoni
+ms.service: azure-application-gateway
+ms.topic: concept-article
+ms.date: 03/04/2025
+ms.author: greglin
+---
+
+# Managing your Application Gateway with TLS 1.0 and 1.1 retirement
+
+Starting **31st August 2025**, Azure Application Gateway will no longer support **TLS (Transport Layer Security) versions 1.0 and 1.1**. This change aligns with the [Azure-wide retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) of these TLS versions to enhance the security. As the owner of an Application Gateway resource, you should review both the Frontend clients and Backend servers TLS connections that may be using these older versions.
+
+## Frontend TLS connections
+
+With deprecation of TLS versions 1.0 and 1.1, the **older Predefined TLS policies** and certain cipher suites from the **Custom TLS policy** will be removed.
+
+### Predefined policies for V2 SKUs
+
+The predefined policies 20150501 and 20170401 that support TLS v1.0 and 1.1 will be discontinued and can no longer be associated with an Application Gateway resource after August 2025. It's advised to transition to one of the recommended TLS policies, 20220101 or 20220101S. Alternatively, the 20170401S policy may be used if specific cipher suites are required. 
+
+![A diagram showing predefined policies for V2 SKUs.](media/application-gateway-tls-version-retirement/v2-retiring-tls-policies.png)
+
+### Custom policies for V2 SKUs
+
+Azure Application Gateway V2 SKU offers two types of custom policies: Custom and CustomV2. The retirement of these TLS versions affects only the "Custom" policy. The newer "CustomV2" policy comes with TLS v1.3. Beyond August 2025, the older Custom policy will support only TLS v1.2 and the following cipher suites won't be supported.
+
+| Unsupported cipher suites |
+| ---------- |
+| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
+| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
+| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
+| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA |
+| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
+
+### Predefined policies for V1 SKUs
+
+The V1 SKU will only support the 20170401S policy after the older policies with TLS versions 1.0 and 1.1 are discontinued. The newer 20220101 or 20220101S policies won't be available for the soon-to-be-retired V1 SKU.
+
+![A diagram showing predefined policies for V1 SKUs.](media/application-gateway-tls-version-retirement/v1-retiring-tls-policies.png)
+
+### Custom policies for V1 SKUs
+
+Application Gateway V1 SKU only supports the older "Custom" policy. Beyond August 2025, this older Custom policy will support only TLS v1.2 and the following cipher suites won't be supported.
+
+| Unsupported cipher suites |
+| ---------- |
+| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
+| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
+| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
+| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA |
+| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
+
+## Backend TLS connections
+
+You don't need to configure anything on your Application Gateway for the backend connection's TLS version as the selection of TLS policy has no control over the backend TLS connections. After retirement, the connections to backend servers will always be with preferred TLS v1.3 and up to TLS v1.2. You must ensure that your servers in the backend pools are compatible with these updated protocol versions. This compatibility avoids any disruptions when establishing a TLS/HTTPS connection with those backend servers.
+
+## Next steps
+
+Learn about [TLS policy types and configurations](application-gateway-ssl-policy-overview.md)
+Visit Azure Updates for [retirement notice](https://azure.microsoft.com/updates?searchterms=application+gateway)

articles/application-gateway/media/application-gateway-tls-version-retirement/v1-retiring-tls-policies.png

@@ -95,6 +95,8 @@
     href: ssl-certificate-management.md
   - name: Security baseline
     href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
+  - name: TLS 1.0 and 1.1 retirement
+    href: application-gateway-tls-version-retirement.md
   - name: Network security blog
     href: https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog
 - name: Deploy

articles/application-gateway/media/application-gateway-tls-version-retirement/v2-retiring-tls-policies.png

@@ -4,8 +4,6 @@ description: This article contains important reference material you need when yo
 ms.date: 05/13/2024
 ms.custom: horz-monitor, ignite-2024
 ms.topic: reference
-author: rboucher
-ms.author: robb
 ---
 
 # Azure Cache for Redis monitoring data reference

articles/application-gateway/toc.yml

@@ -4,9 +4,6 @@ description: Start here to learn how to monitor Azure Cache for Redis.
 ms.date: 03/21/2024
 ms.custom: horz-monitor
 ms.topic: conceptual
-author: robb
-ms.author: robb
-
 ---
 
 # Monitor Azure Cache for Redis

articles/azure-cache-for-redis/monitor-cache-reference.md

@@ -325,7 +325,7 @@ call.on('mutedByOthers', () => {
 
 ### Event: `callerInfoChanged`
 
-The `callerInfoChanged` event happens when caller information was updated.
+The `callerInfoChanged` event happens when caller information was updated. This occurs when a caller changes their display name.
 
 **How might your application react to the event?**
 Application can update caller information.
@@ -340,7 +340,7 @@ call.on('callerInfoChanged', () => {
 
 ### Event: `transferorInfoChanged`
 
-The `transferorInfoChanged` event happens when transferor information was updated.
+The `transferorInfoChanged` event happens when transferor information was updated. This occurs when a transferor changes their display name.
 
 **How might your application react to the event?**
 Application can update transferor information.

articles/azure-cache-for-redis/monitor-cache.md

@@ -148,8 +148,7 @@ transfer.on('stateChanged', () => {
 ```
 
 ### Initial Caller and Transferor information
-In case of call transfer or forward scenario incoming call object contains information about initial caller and transferor agents.
-Transferor agent could be Azure Communication Calling user or Teams user or Voice Application (Call Queue and etc.)
+When forwarding or transferring a call, `transferInfo` is populated with information about the prior call state. This includes `callerInfo` which describes the initial caller and `transferorInfo` which describes the entity transferring or forwarding the call. For example, if an ACS user places a call to a Teams call queue which then distributes the call to a M365 user, the `callerInfo` would specify the ACS user and the `transferorInfo` would specify the Teams call queue. Callers and transferors have the ability to update their displayName, and if this occurs the callerInfoChanged or transferorInfoChanged events will fire. For more information on change events see [Event: callerInfoChanged](../../events.md?pivots=platform-web#event-callerinfochanged) and [Event: transferorInfoChanged](../../events.md?pivots=platform-web#event-transferorinfochanged). This applies to all calls and for any identity (BYOI or M365).
 ```js
 const incomingCallHandler = async (args: { incomingCall: IncomingCall }) => {
     const incomingCall = args.incomingCall;

articles/communication-services/how-tos/calling-sdk/includes/events/events-web.md

@@ -1,8 +1,6 @@
 ---
 title: Connect Azure Communications Gateway to Operator Connect or Teams Phone Mobile
 description:  After deploying Azure Communications Gateway, you can configure it to connect to the Operator Connect and Teams Phone Mobile environments.
-author: GemmaWakeford
-ms.author: gwakeford
 ms.service: azure-communications-gateway
 ms.topic: integration
 ms.date: 03/22/2024

articles/communication-services/how-tos/calling-sdk/includes/transfer-calls/transfer-calls-web.md

@@ -1,8 +1,6 @@
 ---
 title: Connect Azure Communications Gateway to Microsoft Teams Direct Routing
 description:  After deploying Azure Communications Gateway, you can configure it to connect to the Microsoft Phone System for Microsoft Teams Direct Routing.
-author: GemmaWakeford
-ms.author: gwakeford
 ms.service: azure-communications-gateway
 ms.topic: integration
 ms.date: 03/22/2024