https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2178#M1614 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>We are implementing NAT for ActiveSync and we would like to decrypt SSL, my question is if SSL inbound inspection model with mobile device and ActiveSync requires a Root or client certificates?</P></BODY></HTML> Tue, 10 Dec 2013 17:06:58 GMT Gerogef 2013-12-10T17:06:58Z https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2178#M1614 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>We are implementing NAT for ActiveSync and we would like to decrypt SSL, my question is if SSL inbound inspection model with mobile device and ActiveSync requires a Root or client certificates?</P></BODY></HTML> Tue, 10 Dec 2013 17:06:58 GMT https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2178#M1614 Gerogef 2013-12-10T17:06:58Z https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2179#M1615 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/23855">Gerogef</A>,</P><P></P><P>You would only require web-server's certificate to be loaded on PAN because for inbound decryption the firewall does not act as a proxy for the SSL session, so there is only one session between the client and the web server.&nbsp; This configuration is similar to taking a capture of the SSL session and then manually decrypting it with the certificate's private key.&nbsp; The firewall simply decrypts each packet and performs decryption, then the original packet received is transmitted to the host.</P><P></P><P>As PAN firewall need a copy of the internal server certificate and key, you can refer to the following document:</P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="1223" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1223#comment-1093">https://live.paloaltonetworks.com/docs/DOC-1223#comment-1093</A></P><P></P><P>Here is a good document that explains the difference between SSL-forward-proxy and SSL inbound inspection</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6051">Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode</A></P><P></P><P>Hope that helps!</P><P></P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Tue, 10 Dec 2013 17:47:42 GMT https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2179#M1615 kadak 2013-12-10T17:47:42Z https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2180#M1616 <HTML><HEAD></HEAD><BODY><P>got it!</P><P></P><P>another question: does NAT known how to handle SSL inbound decryption?</P></BODY></HTML> Tue, 10 Dec 2013 20:19:12 GMT https://live.paloaltonetworks.com/t5/general-topics/does-ssl-inbound-decryption-requires-client-side-certificates/m-p/2180#M1616 Gerogef 2013-12-10T20:19:12Z