VMware recommends that you configure your system to use encrypted connections wherever possible.
Brokers should be able to communicate with cleartext as well as encryption in both SM_INCOMING_PROTOCOL and SM_OUTGOING_PROTOCOL if a client only supports cleartext. This is required in this configuration since the Broker acts as both a client and a server, and must be able to communicate with every component in the system. Brokers do not need to support cleartext if all clients can make encrypted connections.
If a Domain Manager must connect to a client that only supports cleartext, then set SM_OUTGOING_PROTOCOL to cleartext as well as encryption.
Configure adapters with SM_OUTGOING_PROTOCOL set to require encryption. Only adapters that register with the Broker (--name option) can accept incoming connections. If you have adapters that accept incoming connections, setting SM_INCOMING_PROTOCOL to require encryption is appropriate.
Also, if the adapter must connect, or be connected, to clients that support only cleartext, then add the cleartext option to the appropriate variable.
Configure any components that must run on networks outside the management domain with both SM_INCOMING_PROTOCOL and SM_OUTGOING_PROTOCOL set to encryption. Depending on the level of encryption, this will prevent snooping or man-in-the-middle attackers. You will not be able to connect directly to such a component by using a console.