This may be an issue with how we’re using NetScaler to filter out the /login sub-page to make sure it’s not exposed to the world (since there’s currently no way to disable it, and it doesn’t have any kind of rate-limiting feature or way to restrict its access to only specific networks/hosts). See Disable form based auth? for more details on that topic, if you want.
Due to how the NetScaler does this filtering (it needs to do SSL offloading), I think the results from SSL Labs are essentially the NetScaler and NOT the Kestrel server, which would explain my differing results (internal vs. external testing) on which protocols are allowed. I’m working with the NetScaler admin to see if I’m right.
Edit: The NetScaler admin confirmed my suspicion and is working with me to fix the findings.