This topic describes support for TLS Inspection in NSX-T Data Center.

TLS Inspection support includes:

  • Support on tier-1 gateways only.
  • TLS versions 1.0 through 1.2 are supported, including TLS 1.2 with Perfect Forward Secrecy (PFS). If a client uses version 1.3, the NSX proxy negotiates down to an earlier version and establishes the connection.
  • Use of the TLS Server Name Indication (SNI) in the TLS ClientHello to classify the traffic.
  • Visibility into encrypted traffic without offloading, while retaining end-to-end encryption.
  • TLS decryption on gateway firewalls, which intercept the traffic and decrypt it to feed the advanced firewall security features.
  • TLS Inspection policies to create a set of rules that describe conditions to match and a predefined action to perform.
  • TLS Inspection policy rules support bypass, external decryption, and internal decryption action profiles.