Configure TLS inspection for client protection

Client Protection Certificate Authority elements are used to inspect TLS traffic between an internal client and an external server.

When an internal client makes a connection to an external server that uses TLS, the engine generates a substitute certificate that allows it to establish a secure connection with the internal client. The Client Protection Certificate Authority element contains the credentials the engine uses to sign the substitute certificates it generates. If the engine signs the substitute certificates with a signing certificate that users’ web browsers do not already trust, users receive warnings about invalid certificates. To avoid these warnings, you must either import a signing certificate that is already trusted, or configure users’ web browsers to trust the engine’s signing certificate.

Note: Traffic that uses TLS might be protected by laws related to the privacy of communications. Decrypting and inspecting this traffic might be illegal in some jurisdictions.
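
The trust behavior of substitute certificates described above can be reproduced with the openssl CLI. This is an added example, not part of the product documentation: all names and files are constructed, and a self-signed CA stands in for the Client Protection Certificate Authority. It shows a substitute certificate failing validation until the signing certificate is in the client's trust store.

```shell
#!/bin/sh
# Added demo with constructed names; requires the openssl CLI.
# The CA created here only stands in for the engine's
# Client Protection Certificate Authority (assumption for illustration).
tls_inspection_trust_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Stand-in for the engine's signing certificate (self-signed CA).
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Example Client Protection CA" \
            -keyout engine_ca.key -out engine_ca.pem 2>/dev/null || exit 1
        # Stand-in for a CA the browser already trusts.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Example Browser Root" \
            -keyout browser_root.key -out browser_root.pem 2>/dev/null || exit 1
        # Substitute certificate for the external server, signed by the engine CA.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
            -keyout sub.key -out sub.csr 2>/dev/null || exit 1
        openssl x509 -req -in sub.csr -days 7 -CA engine_ca.pem \
            -CAkey engine_ca.key -CAcreateserial -out sub.pem 2>/dev/null || exit 1

        # Browser before the signing certificate is trusted: validation fails,
        # which is the invalid-certificate warning users see.
        if openssl verify -CAfile browser_root.pem sub.pem >/dev/null 2>&1
        then before=accepted; else before=rejected; fi
        # Browser after the engine's signing certificate is added to its trust store.
        cat browser_root.pem engine_ca.pem > trust_after.pem
        if openssl verify -CAfile trust_after.pem sub.pem >/dev/null 2>&1
        then after=accepted; else after=rejected; fi
        echo "before_trust=$before after_trust=$after"
    )
    rc=$?
    rm -rf "$dir"   # the demo keys are throwaway; remove them
    return $rc
}

tls_inspection_trust_demo
```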