This topic provides the steps to configure an external decryption action profile manually.


  • Have the correct user role and permissions to set up TLS Inspection.
  • Have a Trusted Proxy CA and Untrusted Proxy CA certificate imported or ready to be imported, or have the related information to generate a certificate.


  1. With admin privileges, log in to NSX Manager.
  2. Navigate to Security > TLS Inspection > Profiles.
  3. Click Add Decryption Action Profile > External Decryption.
  4. Enter a name for the new profile.
  5. (Optional) Select a profile setting: Balanced (default), High Fidelity, High Security, or use Custom to change the sub-settings.
    Profile settings and their descriptions:
    • Invalid Certificates (Allow or Block & Log): Sets rules to allow or block traffic when the server presents an invalid certificate. If Allow is selected and the server presents an expired or untrusted certificate, this choice allows the connection to proceed by sending an untrusted proxy certificate to the client.
    • Decryption Failure (Bypass & Log or Block & Log): Sets what to do when there is a decryption failure, which could be due to mTLS (mutual TLS) or certificate pinning in use. If Bypass & Log is selected, NSX caches this domain, and all subsequent connections to the domain are bypassed.
    • Crypto Enforcement (Transparent or Enforce): Sets the minimum and maximum TLS versions and cipher suites for the client and server. You can bypass this using the Transparent option.
  6. (Optional) Modify Idle connection timeout. This is the time in seconds the server can remain idle after establishing a TCP connection. Default is 5400 seconds. Keep this timeout lower than the gateway firewall idle timeout settings.
  7. (Optional) Select Trusted CA settings to select Trusted CA Bundle, CRLs, and the OCSP stapling option.
    Options and their descriptions:
    • Trusted CA Bundle: Validates the certificate that the external service presents to NSX. You can use the default trusted CA bundle or import a new CA bundle, then choose multiple bundles per profile if needed. This bundle is not automatically updated, so you must update it as necessary. For more details, see Import or Update a Trusted CA Bundle under Certificate Management.
    • CRLs: NSX also includes a CRL (certificate revocation list) to validate the certificate presented by the server. You can use the default CRL or import a new CRL, then choose multiple CRLs per profile if needed. This CRL is not automatically updated, so you must update it as necessary. For more details, see Importing and Retrieving CRLs under Certificate Management.
    • Require OCSP Stapling: Enforces OCSP stapling for the presented server certificate. In OCSP stapling, the server that owns the certificate queries the OCSP responder and includes the received timestamped and signed OCSP response as a CertificateStatusRequest extension along with its certificate. If the server has a chained certificate, then the server must do OCSP stapling for all the intermediate CA certificates as well.
  8. To import or generate a trusted or untrusted proxy CA, select the Proxy CA dropdown, select the Trusted Proxy CA or the Untrusted Proxy CA tab, then do one of the following:
    • Select Import > CA Certificate.
    • Select Generate > Self Signed CA Certificate.

      Enter the required details and click Save. For details about importing proxy CAs, see Importing and Replacing Certificates.

  9. To save the profile, which can then be used for TLS inspection policies, select Save.


You are now able to use the decryption action profile to set up external decryption rules on your tier-1 gateways.

What to do next

Create TLS Inspection external decryption policies and rules.
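
Before turning on Require OCSP Stapling (step 7), it helps to know whether the server behind the profile actually staples an OCSP response. The following is an added example, not part of the NSX product or its documentation: a shell script that classifies the output of `openssl s_client -status`. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NSX code): classify the OCSP stapling status that
# `openssl s_client -status` reports for a server.

# Reads s_client output on stdin and prints one verdict:
#   stapled-good | stapled-revoked | stapled-unknown | stapled-error |
#   not-stapled | no-status
classify_staple() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "not-stapled"        # server ignored the status request
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # Take the first "Cert Status" line in the stapled response.
        status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
        case "$status" in
            good)    echo "stapled-good" ;;
            revoked) echo "stapled-revoked" ;;
            *)       echo "stapled-unknown" ;;
        esac
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo "stapled-error"      # a responder error (e.g. trylater) was stapled
    else
        echo "no-status"          # handshake failed or output was truncated
    fi
}

# Live check; host and port are supplied by the operator.
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}

# Constructed samples of s_client output, trimmed to the relevant lines.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_TRYLATER='OCSP Response Data:
    OCSP Response Status: trylater (0x3)'

# Run a live check only when a host is given: sh check_staple.sh host [port]
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

The classifier reads only the first certificate status in the output, so a `stapled-good` verdict does not show that intermediate CA certificates are stapled as well.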