This topic describes support for TLS Inspection in NSX.

TLS Inspection support includes:

  • Support on tier-1 gateways only.
  • Prior to NSX 4.2, TLS versions 1.0, 1.1, and 1.2 were supported, including TLS 1.2 with Perfect Forward Secrecy (PFS). If a client uses TLS 1.3, the NSX proxy negotiates down to an earlier version and establishes the connection.
  • Starting in NSX 4.1.2, TLS 1.0 is deactivated by default. It can be activated if needed; refer to Update API Service Configuration of the NSX Manager Cluster.
  • Uses the TLS Server Name Indication (SNI) extension in the TLS ClientHello to classify the traffic.
  • Visibility into encrypted traffic without offloading while retaining end-to-end encryption.
  • TLS decryption on gateway firewalls to intercept the traffic, decrypt it, and feed the plaintext to the advanced firewall security features.
  • TLS Inspection policies to create a set of rules that describe conditions to match and perform a predefined action.
  • The TLS Inspection policy rules support the bypass, external, and internal decryption action profiles.
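The following is an added example, not NSX code, showing the mechanism the list above relies on: the proxy reads the SNI and the offered versions from the unencrypted ClientHello, matches the SNI against an ordered rule list, and picks one of the three action profiles (bypass, external, internal) before any decryption takes place. The ClientHello bytes, the rule list and the helper names (`build_client_hello`, `parse_client_hello`, `classify`, `negotiate`) are constructed here for illustration; the meaning assigned to each action (bypass = no decryption, external = outbound decryption with a proxy-issued certificate, internal = inbound decryption with the server's own key) is the usual one and is an assumption, not a statement about how NSX implements it.

```python
"""Added example (not NSX code): SNI-based classification of a TLS ClientHello
into a decryption action profile, plus the version-negotiation caveat.
All byte strings are constructed here for illustration."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def build_client_hello(server_name, versions=(0x0304, 0x0303)):
    """Construct a minimal ClientHello record with an SNI extension and a
    supported_versions extension (constructed test input, not a real capture)."""
    name = server_name.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    sni_ext = struct.pack("!HH", EXT_SNI, len(sni_body)) + sni_body
    ver_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ver_body)) + ver_body
    exts = sni_ext + ver_ext
    body = (b"\x03\x03"                          # legacy client_version
            + b"\x11" * 32                       # client random (fixed for the example)
            + b"\x00"                            # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01" # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return {'sni': str|None, 'versions': [str]} for a ClientHello record, or None
    if the record is not a ClientHello. Every length is bounds-checked so a truncated
    or malformed record raises ValueError instead of being silently misclassified."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != CLIENT_HELLO and len(hs) > 0:
        if len(hs) != rec_len:
            raise ValueError("truncated record")
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake")
    pos = 2 + 32                                  # skip legacy version and random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    result = {"sni": None, "versions": []}
    if pos + 2 > len(body):
        return result                             # legacy hello without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    if end > len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SNI and len(data) >= 5:
            q = 2                                 # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and result["sni"] is None:   # host_name entry
                    result["sni"] = data[q:q + nlen].decode("ascii", "replace")
                q += nlen
        elif etype == EXT_SUPPORTED_VERSIONS and len(data) >= 1:
            vs = data[1:1 + data[0]]
            if len(vs) != data[0] or data[0] % 2:
                raise ValueError("bad supported_versions")
            result["versions"] = [TLS_VERSIONS.get(v, hex(v))
                                  for v in struct.unpack("!%dH" % (len(vs) // 2), vs)]
    return result


def classify(sni, rules, no_sni_action="bypass"):
    """First-match walk over ordered (pattern, action) rules; a pattern matches the
    exact host or any subdomain of it, '*' matches everything. Flows with no SNI get
    an explicit fallback action, because SNI is client-asserted and may be absent."""
    if sni is None:
        return no_sni_action
    for pattern, action in rules:
        if pattern == "*" or sni == pattern or sni.endswith("." + pattern):
            return action
    return no_sni_action


def negotiate(offered, proxy_supported=("TLS1.2", "TLS1.1")):
    """Highest version both sides support, in the proxy's preference order. A client
    that offers only TLS1.3 to a proxy capped at TLS1.2 gets None: the handshake
    fails rather than being downgraded, which is the case to test for before rollout."""
    for v in proxy_supported:
        if v in offered:
            return v
    return None


if __name__ == "__main__":
    rules = [("bank.example", "bypass"), ("intranet.example.com", "internal"), ("*", "external")]
    info = parse_client_hello(build_client_hello("mail.example.com"))
    print(info, classify(info["sni"], rules), negotiate(info["versions"]))
```

Two checks worth keeping in mind when reading the output: the SNI is sent in the clear but is asserted by the client, so a rule engine that only looks at SNI should be paired with verification of the real server certificate once the proxy connects onward; and a client using Encrypted Client Hello does not expose the SNI at all, so such flows land in the no-SNI fallback.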