Add an incoming or outgoing connection for which to use TLS

Steps

  1. Navigate to the page Settings > Inbound/Outbound > Enforced TLS Connections.
  2. Click Add.
    The Add Incoming Connection page displays.
  3. In the text field Name, enter a name for your enforced TLS connection.
  4. From the pull-down menu Priority order, select a priority order for the connection.
  5. Specify the security level for the connection based on your connection type and deployment model:

    • Inbound connections — available security level: Encrypt.

      • Applies to both on-premises and hybrid deployments.
      • Encrypt+CN, Verify, and Verify+CN are not supported for inbound connections.

    • Outbound connections — available security levels: Encrypt, Encrypt+CN, Verify, and Verify+CN.

      • On-premises: all four security levels are supported with no change.
      • Hybrid: Encrypt and Encrypt+CN are supported. Verify and Verify+CN are deprecated from May 18, 2026 and will be automatically downgraded to Encrypt and Encrypt+CN respectively.
    Important: To use the Verify and Verify+CN options for on-prem outbound connections, you must have imported a trusted CA certificate. See Managing Transport Layer Security (TLS) certificates.
    Note:

    Verify and Verify+CN are deprecated for hybrid outbound connections from May 18, 2026, following the industry-wide deprecation of the TLS Web Client Authentication EKU in publicly trusted SSL/TLS certificates. Any existing hybrid connections using Verify or Verify+CN will be automatically downgraded to Encrypt or Encrypt+CN respectively on that date. To maintain a comparable level of connection authenticity, it is advised to enable Strict Outbound Message Authenticity Checks.

    This change applies to hybrid deployments only. On-premises connections are not affected.

  6. Select one of the following connection encryption strength options:
    • Medium, which involves the use of cipher suites that use 128-bit encryption
    • High, which includes most cipher suites with key lengths larger than 128 bits
  7. Define the IP address or domain group subject to forced TLS connection; select one of the following options:
    • Any (for all connections)

      This option applies to any connection, regardless of IP or domain address.

    • IP address group

      Select an existing IP address group in the pull-down menu or create a new group using Add New IP Group.

    • Domain address group

      Select an existing domain address group in the pull-down menu or create a new group using Add New Domain Group.

  8. Click OK.
    The settings are saved.