Activating TLS inspection

To activate TLS inspection, you must configure client or server protection on the engine and define the inspected traffic in Access rules. You might also need to create a custom HTTPS Service element.

In the Engine Editor, you specify the Client Protection Certificate Authority element for client protection, or the TLS Credentials element for server protection. Depending on the options you specify, you can configure only client protection, only server protection, or both client and server protection.

CAUTION:

Uploading TLS Credentials or Client Protection Certificate Authority elements to the engine might enable decryption of TLS traffic that is not excluded from TLS inspection, including traffic matched by Access rules that were not created for decryption. The following configurations might enable decryption of TLS traffic:

  • Adding a Network Application that allows or requires the use of TLS to an Access rule
  • Selecting the Enforced option for Log Application Information in the Access rules
  • Enabling Deep Inspection in an Access rule if the Service cell contains a Network Application or a Service that does not include a Protocol Agent

If the default HTTPS (with decryption) Service element meets your needs, use it in the Access rules without modification. You must create a custom HTTPS Service in the following cases:
  • To enable decryption for HTTPS traffic that uses a different port
  • To select a different HTTPS Inspection Exceptions element
  • To log the URLs in matching traffic
  • To change any of the other settings in the Service Properties

The Access rules define which traffic is decrypted and inspected. Access rules that enable Deep Inspection and use a custom HTTPS Service or the default HTTPS (with decryption) Service element select specific traffic for decryption and inspection. To enable the decryption and inspection of all TLS traffic, you enable Deep Inspection in an Access rule with the Service cell of the rule set to ANY. Traffic that matches the Access rule is decrypted and inspected in the same way as unencrypted HTTP traffic according to the Inspection rules.

Activating TLS inspection consists of the following steps:
  1. Activate client protection or server protection and upload certificates to the engine.
  2. (Optional) Define a custom HTTPS Service element and enable TLS Inspection in the Protocol Parameters.
  3. Create Access rules to select specific traffic for decryption and inspection or enable decryption and inspection of all TLS traffic.
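The CAUTION above and the Access rule paragraph list the conditions under which TLS Credentials or a Client Protection Certificate Authority element on the engine causes Access rules to decrypt TLS. The script below is an added example, not part of this documentation or of the product's own tooling. It encodes those conditions over a simplified, hypothetical rule model (the rule and element names, and the field names `kind`, `tls`, `protocol_agent` and `decrypt`, are assumptions, not the SMC export format) and flags the rules that would start decrypting TLS without using an HTTPS Service that has TLS inspection enabled. Those are the rules to review before step 1, because the upload turns them into decrypting rules.

```python
"""Audit Access rules for conditions that trigger TLS decryption.

Constructed example: the rule model below is a simplified, hypothetical
representation, not the SMC export format. Once TLS Credentials or a
Client Protection CA are on the engine, a rule decrypts TLS if it uses an
HTTPS Service with TLS inspection enabled, enables Deep Inspection with
Service ANY, matches a Network Application that allows or requires TLS,
sets Log Application Information to Enforced, or enables Deep Inspection
on a Network Application or on a Service without a Protocol Agent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Service:
    name: str
    kind: str                     # "any", "network_application" or "service"
    tls: str = "none"             # network applications: "none", "allowed", "required"
    protocol_agent: bool = False  # True if the Service element includes a Protocol Agent
    decrypt: bool = False         # True for HTTPS Services with TLS inspection enabled
    port: Optional[int] = None


@dataclass
class AccessRule:
    name: str
    service: Service
    deep_inspection: bool = False
    log_app_info: str = "default"  # "default" or "enforced"


EXPLICIT = "HTTPS Service with TLS inspection enabled"
ALL_TLS = "Deep Inspection with Service ANY (decrypts all TLS traffic)"


def decryption_reasons(rule: AccessRule, credentials_uploaded: bool) -> List[str]:
    """List every condition from the page under which this rule decrypts TLS."""
    if not credentials_uploaded:
        return []  # no TLS Credentials / Client Protection CA: nothing is decrypted
    svc = rule.service
    reasons: List[str] = []
    if svc.kind == "service" and svc.decrypt:
        reasons.append(EXPLICIT)
    if rule.deep_inspection and svc.kind == "any":
        reasons.append(ALL_TLS)
    if svc.kind == "network_application" and svc.tls in ("allowed", "required"):
        reasons.append("Network Application that allows or requires TLS")
    if rule.log_app_info == "enforced":
        reasons.append("Log Application Information set to Enforced")
    if rule.deep_inspection and (
        svc.kind == "network_application"
        or (svc.kind == "service" and not svc.protocol_agent)
    ):
        reasons.append("Deep Inspection on a Network Application or a Service without a Protocol Agent")
    return reasons


def audit(rules: List[AccessRule], credentials_uploaded: bool) -> Dict[str, List[str]]:
    """Return rules that decrypt TLS without an explicit decrypting HTTPS Service.

    These rules were not written to decrypt; the uploaded credentials make
    them do so, so they need review (or an HTTPS Inspection Exception).
    """
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = decryption_reasons(rule, credentials_uploaded)
        if reasons and EXPLICIT not in reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample policy (hypothetical rule and element names).
HTTPS_DECRYPT = Service("HTTPS (with decryption)", "service", protocol_agent=True, decrypt=True, port=443)
TCP_8443 = Service("Custom TCP 8443", "service", protocol_agent=False, port=8443)
DNS = Service("DNS (UDP)", "service", protocol_agent=True, port=53)
O365 = Service("Office 365", "network_application", tls="required")
ANY = Service("ANY", "any")

SAMPLE_RULES = [
    AccessRule("Decrypt web", HTTPS_DECRYPT, deep_inspection=True),   # intended decryption
    AccessRule("Allow Office 365", O365),                             # TLS-requiring application
    AccessRule("Allow all, log apps", ANY, log_app_info="enforced"),  # Enforced logging
    AccessRule("Inspect 8443", TCP_8443, deep_inspection=True),       # DI, no Protocol Agent
    AccessRule("Allow DNS", DNS),                                     # nothing to decrypt
    AccessRule("Inspect everything", ANY, deep_inspection=True),      # decrypts all TLS
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES, credentials_uploaded=True).items():
        print(f"{name}: {'; '.join(reasons)}")
```

With the sample policy, only "Decrypt web" and "Allow DNS" pass; the other four rules are reported together with the bullet from the CAUTION that applies. Running the same audit with `credentials_uploaded=False` reports nothing, which is the point of the CAUTION: the rules are unchanged, and the upload alone is what activates decryption.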