TLS Inspection detects and prevents advanced threats in your network over encrypted TLS channels. This topic includes concepts associated with TLS Inspection features.
- A TLS session is initiated over an established TCP session between the client and the server (the TCP connection is set up by the three-way handshake).
- The client sends a Client Hello that includes the supported TLS versions and cipher suites and the Server Name Indication (SNI) extension. The SNI in the TLS Client Hello is what TLS Inspection uses to classify the traffic: it is matched against the context profile to select the internal, external, or bypass decryption profile.
- The server responds with a Server Hello carrying the version and cipher selected from the client's proposal, and with the server certificate for authentication and identification.
- Once the client validates the certificate and verifies the negotiated version and cipher, it generates a symmetric session key and sends it to the server.
- The server validates the session key and sends the Finished message, which establishes the secure TLS tunnel over which application data is exchanged.
By default, the TLS protocol only proves the identity of the server to the client, using an X.509 certificate; authentication of the client to the server is left to the application layer.
TLS Decryption Types
- Internal TLS Decryption - for traffic going to an internal enterprise service where you own the service, the certificate, and the private key. This is also called TLS reverse proxy or inbound decryption.
- External TLS Decryption - for traffic going to an external service (Internet) where the enterprise does not own the service, its certificate, or the private key. This is also called TLS forward proxy or outbound decryption.
How NSX TLS External decryption works:
- The TLS Client Hello SNI matches the TLS Inspection policy context profile.
- NSX intercepts the TLS session from the client and initiates a new session to the intended server.
- NSX enforces the TLS version and cipher (both configurable).
- The server responds with its TLS certificate.
- NSX validates the server certificate using the trusted CA bundle, dynamically generates a proxy certificate signed by the proxy CA, and presents it to the client.
The following diagram and table explain how NSX TLS Internal decryption works.
- The TLS Client Hello SNI matches the TLS Inspection policy context profile configured for the internal domain.
- NSX intercepts the TLS session from the client and initiates a new session to the intended server.
- NSX enforces the TLS version and cipher (both configurable).
- The server responds with its certificate as part of the TLS handshake (validation of this certificate is optional).
- NSX presents the server's certificate, which was uploaded as part of the configuration, to the client.