TLS inspection

Transport Layer Security (TLS) is the industry-standard protocol for transmitting data securely over the internet. It is based on a system of trusted certificates issued by certificate authorities (CAs) and recognized by servers. TLS decryption allows Forcepoint Private Access to inspect the payload element of traffic routed through the service.

When you enable TLS decryption for your policies, end-user traffic directed to the service is decrypted so that the traffic payload can be inspected. Traffic is re-encrypted before being sent to its destination.

If TLS decryption is enabled for your policy, you must download and install the Forcepoint root certificate on the end-user client machines whose traffic will be serviced by the policy. This is a CA certificate that is used to authenticate TLS-encrypted traffic, enabling the service to decrypt the traffic for inspection, and to display block pages (if appropriate) for HTTPS applications and websites.

Download the certificate from the following URL: Forcepoint Private Access root certificate authority

Note: Cloud Security Gateway customers can download the Forcepoint root certificate from the Cloud Security Gateway portal. Go to Web > Policies > [policy name] > Web Categories to download the certificate. If you have already installed the root certificate to enable Cloud Security Gateway SSL decryption, the same root certificate is used to enable Private Access traffic decryption.
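Because a root certificate installed on client machines becomes a trust anchor for every TLS connection they make, it is worth checking the downloaded file before deploying it. The following is an added example, not Forcepoint code: it compares the file's SHA-256 fingerprint with a value obtained through a separate trusted channel and rejects files that contain more than one certificate. The function names, the sample PEM and the fingerprint are constructed for illustration, and the page itself does not publish a fingerprint.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def sha256_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # A root CA download should hold exactly one certificate; a bundle
        # would add trust anchors that were never compared to anything.
        raise ValueError(f"expected 1 certificate, found {len(blocks)}")
    der = ssl.PEM_cert_to_DER_cert(blocks[0])
    return hashlib.sha256(der).hexdigest()


def safe_to_install(pem_text, expected_fingerprint):
    """True only if the file matches the fingerprint obtained out of band."""
    try:
        actual = sha256_fingerprint(pem_text)
        expected = normalize_fingerprint(expected_fingerprint)
    except ValueError:
        # Malformed PEM, wrong certificate count or malformed fingerprint.
        return False
    return actual == expected


# Constructed sample: stand-in bytes wrapped as PEM, not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for DER bytes")
# Constructed reference value in the colon-separated form tools display.
SAMPLE_FP = ":".join(re.findall("..", sha256_fingerprint(SAMPLE_PEM).upper()))

if __name__ == "__main__":
    print("single cert, matching fingerprint:",
          safe_to_install(SAMPLE_PEM, SAMPLE_FP))
    print("bundle of two certs:",
          safe_to_install(SAMPLE_PEM + SAMPLE_PEM, SAMPLE_FP))
```

In a deployment script, read the downloaded file into `pem_text` and add it to the client trust store only when `safe_to_install` returns `True`.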