KPERS
asked on
In IIS redirect browser clients that do not support TLS 1.2 to another site
I looking into disabling TLS 1.0 and 1.1 on our public IIS web servers but want a way to warn users that are running browser clients that don't support TLS 1.2. I was hoping IIS would have a way to redirect these users to another site hosted on a server that did support lower TLS versions that the site they were trying to go to has a few minimal requirements. I am not sure if this is possible though since the server should refuse the connection before it has a chance to redirect the client.
If that is the case and there is no way to do this directly on the IIS server hosting the site then are there any revers proxy solutions or WAF like solutions that could provide this kind of service?
If that is the case and there is no way to do this directly on the IIS server hosting the site then are there any revers proxy solutions or WAF like solutions that could provide this kind of service?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Dan to answer your question I was not intending to support these older clients and operating systems but wanted a way better way to handle non-compatible clients by either sending them to a separate page informing them of the situation and way to get in compliance so they then would be able to then access the intended page if that was possible. Worse case I would like to be able to put up a warning banner on the actual site letting them know they are out of compliance and warn them they will not be able to connect after a specific date and provide them a link to the same page I spoke of before but still give them access to the main site for a few months.
The banner of course will have to be a developer solution but was hoping I could create a rule in IIS or using a proxy solution like btan recommended to just send the client to a helper page util they are in compliance.
I did check and there are a decent amount of users sill coming in on IE8 so flat out disabling this with no alternate option will be our last option.
The banner of course will have to be a developer solution but was hoping I could create a rule in IIS or using a proxy solution like btan recommended to just send the client to a helper page util they are in compliance.
I did check and there are a decent amount of users sill coming in on IE8 so flat out disabling this with no alternate option will be our last option.
You could do some check in code, but you would have to have a server where the older protocols are enabled, check the incoming protocol level and redirect to the appropriate destination server.
But I have a few questions...
1. What older OS/Browser combination are you attempting to support
2. Have you analyzed your http logs to see what browsers and OSes are hitting your site?
Dan