If you’re trying to put an application served on IIS (SharePoint, ADFS Proxy) behind a reverse proxy, you’ll often encounter issues with SSL bridging. While the client-side connection works fine, the server-side connection gets a TCP RST from the back-end after the SSL ClientHello.

This is a common issue, typically caused by improper or missing SNI configuration. By default, IIS doesn’t offer any “fallback” page and will reset the connection if the proxy isn’t using SNI.

Below you can find examples of how to fix this error on common Reverse Proxies.

HAProxy

Add to your backend configuration:

server sharepoint <backend-address>:<port> ssl sni str(sharepoint.company.com)

Apache (mod_proxy)

Add to your VirtualHost configuration if your hostname matches the one your clients will be using:

ProxyPreserveHost on

If the hostname differs:

ServerName sharepoint.company.com
ProxyPreserveHost off

Nginx

If the hostname matches the server name:

proxy_ssl_server_name on;

If it doesn’t match:

# proxy_ssl_name is only sent as SNI when proxy_ssl_server_name is on
proxy_ssl_server_name on;
proxy_ssl_name sharepoint.company.com;

F5 BIG-IP LTM

Create a new Server SSL profile under Local Traffic > Profiles > Server SSL and fill in the “Server Name” field. Apply this to the Server SSL profiles on your Virtual Server.