topic Re: Outbound SSL Decryption Capabilities in General Topics

Outbound SSL Decryption Capabilities

RustyPA — Wed, 10 Aug 2016 01:37:12 GMT

I know outbound SSL decryption can work when a client inside the network is accessing a secure website on the internet. But can SSL decryption work when a client on the internal network attempts to make a vpn connection to a vpn server using an SSL VPN connection elsewhere on the public internet? Can SSL decryption intercept that connection and read the contents of the vpn session? Thanks!

Re: Outbound SSL Decryption Capabilities

reaper — Wed, 10 Aug 2016 07:43:42 GMT

Yes this will work if the vpn session falls under these conditions:

- the ssl tunnel must be based on TLS (regular ssl), no ipsec is used

- a client certificate is not required as the firewall is not able to inject a client certificate

Re: Outbound SSL Decryption Capabilities

RustyPA — Wed, 10 Aug 2016 13:47:01 GMT

OK thanks - if both firewalls (the one doing the outbound SSL decryption) and the one on the internet (running the VPN server) were both Palo Alto's - could the one on the internet be configured to require a client certificate, and so prevent outbound SSL decryption from working?