Configure TLS inspection for Azure

Use the following steps to configure TLS inspection on the Azure platform.

  1. Configure the appropriate IAM role so that the TLS inspection policy can read the certificate from your Key Vault. Refer to Key Vault roles. Grant only the read access the policy needs (a Key Vault data-plane role scoped to that vault) rather than an administrative role.

  2. Configure an Azure Key Vault to hold the certificate for the server you want to protect (see the Azure Key Vault documentation).

  3. Go to Policy > TLS Inspection and click Configure TLS Inspection to enter the configuration wizard.

From the Configure TLS Inspection wizard:

  1. Select the managed virtual appliance on which you want to enable decryption and inbound TLS traffic inspection. Click Provide Server.


    NOTE

    You can enable TLS inspection on up to four managed virtual appliances, but the wizard enables them one at a time. If you require more than four appliances with this functionality, open a support request. If the version of the appliance you select does not support multiple-appliance TLS configuration, the wizard notifies you and prevents you from moving forward with that selection.


  2. You can configure multiple server proxies (one per protected server), but the wizard adds them one at a time. If you require more than 100 proxies, open a support request. In the Server IP field, enter the private IP address of the server to be protected (to retrieve this address, refer to Retrieve private IP address information for a VM). Click Provide Public Certificate.

  3. In the Certificate field, enter the URI of the Azure Key Vault (this URI is one of the properties displayed after you created your Key Vault; for example, https://<your-unique-keyvault-name>.vault.azure.net/), or the certificate identifier of the public certificate, which is the vault URI followed by the certificate path (for example, https://<your-unique-keyvault-name>.vault.azure.net/certificates/your-certificate-name). Click Confirm and Deploy.

  4. Review your configuration and click Deploy and Close to start inspecting encrypted traffic.

  5. Go to Policy > TLS Inspection and confirm that the TLS Inspection field displays Inspecting. For more information on the inspection status, click anywhere on the row to expand it and trace the source of any issues:

    • Issue found – Indicates that encrypted and unencrypted traffic continue to be inspected despite one or more configuration issues, such as an expired certificate. As a best practice, ensure all your cryptographic assets are present, valid, and current, and track certificate expiry so that an "Issue found" state does not turn into "Not inspecting".
    • Not inspecting – Indicates that encrypted and unencrypted traffic are not being inspected because your virtual appliance might be in fallback mode (either user-initiated or automatic), or your proxy server might be missing or disabled (because of missing cryptographic assets, for example).
    • Unknown – Indicates that your virtual appliance is not communicating with your proxy server for an unknown reason. Before a complete status of inspection can be provided, you must resolve this communication issue. Verify that your proxy server is not missing or disabled, and that the virtual appliance is not in fallback mode.
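The following pre-flight checker is an added example, not code from the product or this documentation. It validates the values the wizard asks for before you deploy: it builds and parses the Key Vault URI and certificate identifier from step 3, warns when the step 2 server address is not a private one, and flags a disabled, not-yet-valid, expired or soon-to-expire certificate, the conditions that later surface as "Issue found" or as a disabled proxy. The vault name, certificate name, server IP and the certificate attributes are constructed sample input; the attribute layout (`id`, `attributes.enabled`, `attributes.notBefore`, `attributes.expires`) mirrors what `az keyvault certificate show` prints. Whether the wizard accepts an identifier with a trailing version segment is not stated on this page; the parser tolerates it because that is Key Vault's own identifier format.

```python
"""Pre-flight checks for the TLS Inspection wizard inputs (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

from urllib.parse import urlparse

VAULT_SUFFIX = ".vault.azure.net"
# Key Vault naming rule: 3-24 characters, letters/digits/hyphens, starts with a
# letter, ends with a letter or digit, no consecutive hyphens (globally unique).
VAULT_NAME = re.compile(r"^[A-Za-z](?:-?[A-Za-z0-9]){2,23}$")
# Key Vault object (certificate) names: 1-127 letters, digits or hyphens.
OBJECT_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")


def vault_uri(vault_name: str) -> str:
    """Vault URI in the first form the wizard's Certificate field accepts."""
    if not VAULT_NAME.match(vault_name):
        raise ValueError(f"invalid Key Vault name: {vault_name!r}")
    return f"https://{vault_name.lower()}{VAULT_SUFFIX}/"


def certificate_identifier(vault_name: str, cert_name: str, version: str = "") -> str:
    """Certificate identifier: vault URI + certificates/<name>[/<version>]."""
    if not OBJECT_NAME.match(cert_name):
        raise ValueError(f"invalid certificate name: {cert_name!r}")
    ident = f"{vault_uri(vault_name)}certificates/{cert_name}"
    return f"{ident}/{version}" if version else ident


def parse_certificate_reference(ref: str) -> Dict[str, Optional[str]]:
    """Split either accepted form back into vault / certificate / version."""
    u = urlparse(ref)
    host = (u.hostname or "").lower()
    if u.scheme != "https" or not host.endswith(VAULT_SUFFIX):
        raise ValueError(f"not a Key Vault URI: {ref!r}")
    vault = host[: -len(VAULT_SUFFIX)]
    parts = [p for p in u.path.split("/") if p]
    if not parts:  # bare vault URI
        return {"vault": vault, "certificate": None, "version": None}
    if parts[0] != "certificates" or len(parts) not in (2, 3):
        raise ValueError(f"not a certificate identifier: {ref!r}")
    return {"vault": vault, "certificate": parts[1],
            "version": parts[2] if len(parts) == 3 else None}


def check_server_ip(ip: str) -> List[str]:
    """The wizard expects the protected VM's private (VNet) address.
    Azure VNets may legitimately use public ranges, so this only warns."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    warnings: List[str] = []
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        warnings.append(f"{ip} cannot be a VM's VNet address")
    elif addr.is_global:
        warnings.append(f"{ip} is a public address; the wizard expects the VM's private IP")
    return warnings


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp as printed by the Azure CLI (UTC if naive)."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_certificate_attributes(cert: Dict, now: datetime, warn_days: int = 30) -> List[str]:
    """Flag what later shows up as 'Issue found' (expired) or as a proxy
    disabled for missing cryptographic assets (certificate disabled)."""
    attrs = cert.get("attributes", {})
    problems: List[str] = []
    if not attrs.get("enabled", False):
        problems.append("certificate is disabled in Key Vault")
    not_before, expires = _ts(attrs.get("notBefore")), _ts(attrs.get("expires"))
    if not_before is not None and not_before > now:
        problems.append(f"certificate not valid until {not_before.isoformat()}")
    if expires is None:
        problems.append("certificate has no expiry attribute")
    elif expires <= now:
        problems.append(f"certificate expired on {expires.isoformat()}")
    elif expires - now < timedelta(days=warn_days):
        problems.append(f"certificate expires within {warn_days} days ({expires.date()})")
    return problems


def preflight(vault_name: str, cert_name: str, server_ip: str,
              cert: Dict, now: datetime) -> Dict:
    """Everything the wizard needs, plus the problems to fix before deploying."""
    ident = certificate_identifier(vault_name, cert_name)
    return {"vault_uri": vault_uri(vault_name), "certificate_identifier": ident,
            "server_ip": str(ipaddress.ip_address(server_ip)),
            "warnings": check_server_ip(server_ip),
            "problems": check_certificate_attributes(cert, now)}


# Constructed sample input (hypothetical names; shape of `az keyvault certificate show`).
SAMPLE_CERT = {
    "id": "https://kv-tls-inspection-01.vault.azure.net/certificates/web-frontend/0123abcd",
    "attributes": {"enabled": True, "notBefore": "2024-01-01T00:00:00+00:00",
                   "expires": "2025-01-01T00:00:00+00:00"},
}

if __name__ == "__main__":
    report = preflight("kv-tls-inspection-01", "web-frontend", "10.0.1.4",
                       SAMPLE_CERT, datetime(2025, 6, 1, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the real values before you open the wizard: the `certificate_identifier` line is what goes into the Certificate field, and an empty `problems` list means the certificate is enabled and inside its validity window at the moment you deploy. The same checks are worth re-running on a schedule, because the page's own status model keeps inspecting through an expired certificate ("Issue found") only until the proxy is disabled for missing assets.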

Note: After a TLS inspection policy has been configured on a virtual appliance, you cannot edit the TLS policy. Your TLS settings remain in effect until you completely delete the policy. If you want to change your TLS inspection strategy, delete the existing policy by clicking the delete icon and create a new one.