Create TLS Profile elements

TLS Profile elements define the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic.

You can use TLS Profile elements for the following purposes:

  • Enabling TLS-protected audit or log data forwarding to an external syslog server
  • Enabling TLS encryption for LDAP connections between the Secure SD-WAN Engine and external LDAP or Active Directory servers
  • Defining the TLS settings for HTTPS connections for browser-based user authentication
  • Defining the trusted certificate authority for client certificate authentication for browser-based user authentication
  • Authenticating connections between the Secure SD-WAN Engine and the server on which Forcepoint User ID Service has been installed

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Administration.
  2. Browse to Certificates > Other Elements > TLS Profiles.
  3. Right-click TLS Profiles, then select New TLS Profile.
  4. In the Name field, enter a unique name for the TLS Profile.
  5. Click Select next to the TLS Cryptography Suite Set field, then select a TLS Cryptography Suite Set element.
  6. Select the trusted Certificate Authorities.
    • Select Trust Any to accept certificates issued by any valid certificate authority.
    • Select Trust Selected, then click Add to list the certificate authorities to trust. Only certificates issued by the listed authorities are accepted, which is the stricter choice when you know which authority issues the certificates of the external components.
  7. Configure the other settings as needed.
  8. Click OK.

TLS Profile Properties dialog box

Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.

Option Definition

Name
The name of the element.

TLS Cryptography Suite Set
The TLS Cryptography Suite Set element that defines the cipher suites allowed for the TLS connections.

Trusted Certificate Authorities
Specifies which certificate authorities to trust.

  • Trust any accepts certificates issued by any valid certificate authority.
  • Trust selected accepts only certificates issued by the certificate authorities in the list.

Click Add to add an element to the list, or Remove to remove the selected element.

Version
The TLS protocol version used for the connections.

Use Only Subject Alt Name
(Optional)
When selected, the name of the peer is matched only against the Subject Alternative Name (SAN) entries of the certificate. The Common Name in the certificate subject is not used for matching.

Accept Wildcard Certificate
(Optional)
When selected, a certificate whose name contains a wildcard (for example, *.example.com) is accepted as a match for hosts in that domain. When cleared, a wildcard name does not match.

Check Revocation
(Optional)
Checks certificate revocation lists (CRLs) to verify that the certificate has not been revoked. The certificate must be signed by a valid certificate authority.

Delay CRL Fetching For
(Optional, Secure SD-WAN Engine only)
The interval at which the Secure SD-WAN Engine fetches the CRL. If the CRL expires sooner than the specified interval, the CRL expiration time defines when the CRL is fetched again.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore OCSP Failures For
(Optional, Secure SD-WAN Engine only)
The number of hours for which the Secure SD-WAN Engine ignores OCSP failures.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore Revocation Check Failures if There Are Connectivity Problems
(Optional, Secure SD-WAN Engine only)
When selected, the Secure SD-WAN Engine ignores all CRL check failures if it detects connectivity problems. Note that the revocation check then fails open: while the CRL cannot be reached, a certificate that has been revoked is still accepted.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Category
(Optional)
Includes the element in predefined categories. Click Select to select a category.

Comment
(Optional)
A comment for your own reference.
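The following is an added example, not Forcepoint code, that shows what the Version, Trusted Certificate Authorities, Use Only Subject Alt Name, Accept Wildcard Certificate and Check Revocation options decide when a client such as a TLS syslog forwarder opens a connection. It uses only the Python standard library; the TLSProfile class, its field names and the certificate dicts (built in the layout that ssl.SSLSocket.getpeercert() returns) are assumptions constructed for this example.

```python
"""Added example (not Forcepoint code): the effect of TLS Profile options on an
outbound TLS connection, modelled with the Python standard library. The TLSProfile
class and its field names are assumptions made for this example; certificates are
dicts in the layout returned by ssl.SSLSocket.getpeercert()."""
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TLSProfile:
    """Mirrors the dialog box options that decide the outcome of a connection."""
    min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2   # Version
    trusted_ca_files: Optional[List[str]] = None           # None = Trust Any, list = Trust Selected
    use_only_subject_alt_name: bool = True                 # Use Only Subject Alt Name
    accept_wildcard_certificate: bool = False              # Accept Wildcard Certificate
    check_revocation: bool = False                         # Check Revocation


def _name_matches(pattern: str, hostname: str, accept_wildcard: bool) -> bool:
    """Case-insensitive comparison of one certificate DNS name with a hostname.
    A wildcard is honoured only as the whole leftmost label, only when the profile
    allows it, and only for a single label: '*.example.com' matches
    'syslog.example.com' but neither 'a.b.example.com' nor 'example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not accept_wildcard:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict, use_only_san: bool) -> List[str]:
    """Names the profile is willing to match: the DNS entries of the Subject
    Alternative Name, plus the Subject commonName only when matching is not
    restricted to the SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not use_only_san:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str, profile: TLSProfile) -> bool:
    """True if the peer certificate is acceptable for hostname under the profile."""
    return any(_name_matches(name, hostname, profile.accept_wildcard_certificate)
               for name in cert_names(cert, profile.use_only_subject_alt_name))


def build_context(profile: TLSProfile) -> ssl.SSLContext:
    """Translate the profile into an ssl.SSLContext for an outbound connection,
    for example to a TLS syslog or LDAP server. Verification is never switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = profile.min_version
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Use Only Subject Alt Name: forbid the fallback to the subject CN.
    ctx.hostname_checks_common_name = not profile.use_only_subject_alt_name
    if profile.trusted_ca_files is None:
        ctx.load_default_certs()                      # Trust Any: the platform CA store
    else:
        for path in profile.trusted_ca_files:         # Trust Selected: only the listed CAs
            ctx.load_verify_locations(cafile=path)
    if profile.check_revocation:
        # Fails closed: unless a CRL has also been loaded with load_verify_locations,
        # every handshake fails. This is the strictness the "Ignore ... Failures"
        # options in the dialog box relax.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


# Constructed peer certificates in getpeercert() layout, not real certificates.
SAN_CERT = {"subject": ((("commonName", "syslog.example.com"),),),
            "subjectAltName": (("DNS", "syslog.example.com"), ("DNS", "logs.example.com"))}
CN_ONLY_CERT = {"subject": ((("commonName", "syslog.example.com"),),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

STRICT = TLSProfile()
LAX = TLSProfile(use_only_subject_alt_name=False, accept_wildcard_certificate=True)

if __name__ == "__main__":
    for label, cert in (("SAN", SAN_CERT), ("CN only", CN_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        print(f"{label:8} strict={hostname_matches(cert, 'syslog.example.com', STRICT)} "
              f"lax={hostname_matches(cert, 'syslog.example.com', LAX)}")
```

The ssl module's own check_hostname verification always accepts wildcard names, so the wildcard policy has to be enforced by applying hostname_matches to the result of getpeercert() after the handshake; the SAN-only policy, by contrast, maps directly onto hostname_checks_common_name. Running the block shows that a certificate carrying only a Common Name, and a wildcard certificate, are rejected under the strict defaults and accepted only when the corresponding options are relaxed.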