Istio TLS origination with IIS external service. How to disable HTTP/2?

I have an external service that I have set up with a ServiceEntry. I would like to shift TLS origination to Envoy to get better metrics on the outbound connection.

When I do this, connections always fail with a 503 error. I did a bunch of digging and the issue I am encountering is very similar to the one mentioned at the end of this thread:

The workaround mentioned does not apply, as I already have client certificates set to ignore on IIS. Is there a way to tell Istio to not attempt HTTP2?

“In a few cases, HTTP/2 can’t be used in combination with other features. In these situations, Windows will fall back to HTTP/1.1 and continue the transaction. This may involve negotiating HTTP/1.1 during the handshake, or sending an error code to the client instructing it to retry over an HTTP/1.1 connection.”

Looks like the same issue here:

And I just encountered it with an Adobe endpoint on the web too, also SOAP.
So, apparently any SOAP / IIS endpoint hates the Envoy TLS origination. Any ideas would be great!

Ah. Found this. https://github.com/istio/istio/pull/29529
So, apparently this is already a known issue. Guess I’ll just stop using TLS origination for now…