This topic describes support for TLS Inspection in NSX.

TLS Inspection support includes:

  • Support on tier-1 gateways only.
  • Support for TLS versions 1.0 through 1.2, including TLS 1.2 with Perfect Forward Secrecy (PFS) cipher suites. If a client offers TLS 1.3, the NSX proxy negotiates down to an earlier version and establishes the connection at that version.
  • Uses the TLS Server Name Indication (SNI) extension in the ClientHello to classify the traffic, so a flow can be matched to a policy rule before any decryption takes place.
  • Visibility into encrypted traffic without offloading it to a separate appliance; the traffic stays encrypted on both legs of the connection (client to gateway and gateway to server).
  • TLS decryption on gateway firewalls, which intercepts the traffic and decrypts it so that the advanced firewall security features can inspect the plaintext.
  • TLS Inspection policies to create a set of rules that describe conditions to match and perform a predefined action.
  • The TLS Inspection policy rules support the bypass, external decryption, and internal decryption action profiles: bypass leaves the flow encrypted and unmodified, external decryption applies to traffic from internal clients to external servers, and internal decryption applies to traffic from external clients to internal servers.
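The following is an added example, not NSX code, showing the two steps the list above describes: pulling the SNI (and the offered protocol versions) out of a raw TLS ClientHello, then matching the SNI against an ordered rule list whose actions are bypass, external, or internal. The ClientHello bytes are constructed inline by `build_client_hello`, the rule format (`Rule`, glob patterns, first match wins), the default action for a flow with no SNI, and the version-negotiation model in `negotiated_version` (the proxy speaks at most TLS 1.2, so a peer offering nothing at or below 1.2 cannot be negotiated down) are assumptions for illustration and not the NSX implementation.

```python
"""Classify a TLS ClientHello by SNI and pick a TLS Inspection action (illustrative, not NSX code)."""
import struct
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

TLS12 = 0x0303
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


@dataclass
class ClientHelloInfo:
    sni: Optional[str]           # None when the client sent no server_name extension
    offered_versions: List[int]  # from supported_versions if present, else the legacy version field


@dataclass
class Rule:
    sni_pattern: str  # glob matched against the SNI, e.g. "*.bank.example" (assumed rule format)
    action: str       # "bypass", "external" or "internal"


DEFAULT_ACTION = "bypass"  # assumption: a flow we cannot classify is left encrypted


def parse_client_hello(record: bytes) -> ClientHelloInfo:
    """Walk the record header, handshake header and ClientHello body down to its extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                    # client random
    pos += 1 + body[pos]                                         # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher suites
    pos += 1 + body[pos]                                         # compression methods
    sni, versions = None, [legacy_version]
    if pos + 2 <= len(body):                                     # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SNI:
                # server_name_list: 2-byte list length, then (name_type, 2-byte length, name) entries
                list_end = 2 + struct.unpack("!H", edata[:2])[0]
                p = 2
                while p + 3 <= list_end:
                    ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]; p += 3
                    name = edata[p:p + nlen]; p += nlen
                    if ntype == 0 and sni is None:               # 0 = host_name
                        sni = name.decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]                                     # byte count of the version list
                versions = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return ClientHelloInfo(sni=sni, offered_versions=versions)


def negotiated_version(offered: List[int]) -> Optional[int]:
    """Highest offered version the proxy can speak (<= TLS 1.2); None if there is none."""
    usable = [v for v in offered if v <= TLS12]
    return max(usable) if usable else None


def choose_action(info: ClientHelloInfo, rules: List[Rule]) -> str:
    """First rule whose glob matches the SNI wins; no SNI means the flow cannot be classified."""
    if info.sni is None:
        return DEFAULT_ACTION
    for rule in rules:
        if fnmatch(info.sni, rule.sni_pattern):
            return rule.action
    return DEFAULT_ACTION


def build_client_hello(sni: Optional[str], versions: List[int]) -> bytes:
    """Constructed sample ClientHello for this example (not a captured packet)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts += struct.pack("!HH", EXT_SNI, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"       # legacy version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    rules = [Rule("*.bank.example", "bypass"), Rule("intranet.example", "internal"), Rule("*", "external")]
    for host, vers in [("www.bank.example", [0x0304, TLS12]), ("cdn.example.net", [TLS12]), (None, [0x0304])]:
        info = parse_client_hello(build_client_hello(host, vers))
        print(info.sni, hex(negotiated_version(info.offered_versions) or 0), choose_action(info, rules))
```

The rule list is evaluated in order, so a narrow bypass rule for hosts that must not be decrypted (the usual reason being a pinned client or a regulatory constraint) has to sit above the catch-all external decryption rule; the example also shows why a flow with no SNI needs an explicit default, since nothing in the ClientHello can then be matched.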