This topic describes support for TLS Inspection in NSX-T Data Center.
TLS Inspection support includes:
- Support on tier-1 gateways only.
- TLS versions 1.0 through 1.2 are supported, including TLS 1.2 with Perfect Forward Secrecy (PFS) cipher suites. If a client offers TLS 1.3, the NSX proxy negotiates an earlier version and establishes the connection at that version.
- Leveraging TLS Server Name Indication (SNI) in TLS client hello to classify the traffic.
- Visibility into encrypted traffic without TLS offload: the gateway decrypts for inspection and re-encrypts, so traffic stays encrypted on both legs of the connection (client to gateway and gateway to server) instead of being forwarded in clear text.
- TLS decryption on gateway firewalls, which intercept the traffic and decrypt it so that the advanced firewall security features can inspect the plaintext.
- TLS Inspection policies to create a set of rules that describe conditions to match and perform a predefined action.
- TLS Inspection policy rules support three kinds of action profile: bypass (the flow is passed through without decryption), external decryption (outbound connections to servers outside the environment, where the gateway presents a certificate issued by its proxy CA to the client), and internal decryption (inbound connections to internal servers, where the gateway holds the server's own certificate and key).
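The SNI-based classification and the rule-and-action model described in the list above can be shown together with a small parser. The following is an added example written for this page, not NSX-T code: it extracts the server_name extension from a TLS ClientHello record and matches the host name against a hypothetical rule table. The rule patterns and the action names (`bypass`, `external_decrypt`) are assumptions chosen for illustration; the ClientHello bytes are constructed inline by `build_client_hello` so that the example runs offline.

```python
"""Classify a TLS flow by the SNI in its ClientHello, before any decryption.

Added example, not NSX-T code. The rule table and action names are assumed
for illustration only.
"""
import struct
from fnmatch import fnmatchcase

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)


def parse_client_hello_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if the record is
    not a ClientHello, is truncated, or carries no SNI. Never raises on
    malformed input; anything out of bounds is treated as 'no SNI'."""
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < rec_len or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                       # truncated handshake
        pos = 2 + 32                          # legacy_version + random
        pos += 1 + hello[pos]                 # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                 # compression_methods
        if pos + 2 > len(hello):
            return None                       # no extensions block at all
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # ServerNameList: 2-byte list length, then name_type(1) + len(2) + name
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:            # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Hypothetical policy, evaluated top-down like a firewall rule table.
RULES = [
    ("*.bank.example", "bypass"),        # assumed: regulated traffic, do not decrypt
    ("*", "external_decrypt"),           # assumed: catch-all, decrypt outbound flows
]


def classify(record: bytes, rules=RULES):
    """Return (sni, action). With no SNI the flow cannot be classified here;
    a real proxy would fall back to another signal, which is not shown."""
    sni = parse_client_hello_sni(record)
    if sni is None:
        return (None, None)
    for pattern, action in rules:
        if fnmatchcase(sni, pattern):
            return (sni, action)
    return (sni, None)


def build_client_hello(sni, version=(3, 3)) -> bytes:
    """Construct a minimal, well-formed ClientHello record (constructed test
    input, not a captured packet). version=(3,3) is TLS 1.2."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    hello = (bytes(version) + b"\x11" * 32        # legacy_version, random
             + b"\x00"                             # session_id: empty
             + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
             + b"\x01\x00"                         # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("www.bank.example", "cdn.example.net", None):
        print(host, "->", classify(build_client_hello(host)))
```

The SNI travels in clear text in the ClientHello for every TLS version the list above names, which is why the proxy can decide bypass versus decrypt before it has to act on the flow. A client that omits SNI, or a truncated record, yields no match rather than an exception, so a garbled first packet cannot knock the classifier over.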