This topic describes support for TLS Inspection in NSX.

TLS Inspection support includes:

  • Support on tier-1 gateways only.
  • Support for TLS version 1.0, 1.1, and 1.2 with TLS 1.2 with Perfect Forward Secrecy (PFS). If version 1.3 is used, the NSX proxy negotiates to an earlier version and establishes a connection.
  • Leverages TLS Server Name Indication (SNI) in TLS client hello to classify the traffic.
  • Visibility into encrypted traffic without offloading while retaining end-to-end encryption.
  • TLS decryption on gateway firewalls to intercept the traffic and decrypt it to feed to the advanced firewall security features.
  • TLS Inspection policies to create a set of rules that describe conditions to match and perform a predefined action.
  • The TLS Inspection policy rules support the bypass, external, and internal decryption action profiles.