Including or Excluding IP Ranges from SSL Decoding

Included IP Ranges and Ports

You must configure the NBA to decode SSL traffic using specific IP ranges and ports. You specify these IP ranges and ports when you set up your network filters. Any SSL traffic using other IP addresses or ports is not decoded.

We recommend that you target SSL decoding at IP address ranges and ports where you expect to see SSL traffic that can be decrypted. Typically, client computers use ports 80/443 for HTTPS and ports 25/465/587 for SMTPS, so you need to target these IP address ranges and ports.

You may also want to specify IP addresses or port numbers where SSL traffic is not typically expected but where you need to detect any SSL traffic that does occur.

Excluded IP Ranges and Ports

After choosing which IP ranges and ports you want to monitor for SSL traffic, you can exclude certain addresses or ports from decoding. For example, if you have included SSL traffic from IP range 10.20.0.0/16, you can exclude SSL traffic from a specific address within this range, such as 10.20.0.12.

Exclusions from SSL decoding are necessary when:

Excluded Domains

You can also specify exclusions based on DNS names. If an SSL connection is made to a server with a matching domain name, the connection is not decoded.
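
The following is an added example, not part of the NBA product or its configuration format. It models the include, exclude and domain rules described above so that a planned filter set can be checked against sample connections before it is deployed. The class, field names and sample domain are hypothetical, and matching subdomains of an excluded domain is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class DecodePolicy:
    """Hypothetical model of the include/exclude filters (not the NBA's own format)."""
    include: list                                        # (CIDR, set of ports) pairs
    exclude_nets: list = field(default_factory=list)     # addresses or CIDR ranges
    exclude_ports: set = field(default_factory=set)
    exclude_domains: list = field(default_factory=list)  # DNS names

    def decision(self, ip, port, server_name=None):
        """Return (decode, reason) for one connection."""
        addr = ipaddress.ip_address(ip)
        # Traffic outside every included range/port pair is never decoded.
        if not any(addr in ipaddress.ip_network(cidr) and port in ports
                   for cidr, ports in self.include):
            return False, "not in an included range and port"
        # Exclusions carve exceptions out of the included ranges.
        for net in self.exclude_nets:
            if addr in ipaddress.ip_network(net):
                return False, f"excluded address {net}"
        if port in self.exclude_ports:
            return False, f"excluded port {port}"
        if server_name:
            name = server_name.lower().rstrip(".")
            for dom in self.exclude_domains:
                dom = dom.lower().rstrip(".")
                # Assumption: an excluded domain also covers its subdomains.
                if name == dom or name.endswith("." + dom):
                    return False, f"excluded domain {dom}"
        return True, "included"

# Constructed policy using the ranges and ports mentioned in the text.
SAMPLE_POLICY = DecodePolicy(
    include=[("10.20.0.0/16", {80, 443, 25, 465, 587})],
    exclude_nets=["10.20.0.12"],
    exclude_domains=["payroll.example"],   # constructed domain name
)

def audit(policy, connections):
    """Map each (ip, port, server_name) tuple to its decode decision."""
    return [(conn, *policy.decision(*conn)) for conn in connections]

if __name__ == "__main__":
    for conn, decode, reason in audit(SAMPLE_POLICY, [
        ("10.20.5.9", 443, None), ("10.20.0.12", 443, None),
        ("10.20.5.9", 8443, None), ("10.20.5.9", 443, "hr.payroll.example"),
    ]):
        print(conn, "decode" if decode else "skip", "-", reason)
```
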

More information:

Include IP Ranges

Exclude an IP Range

Exclude a Domain

Exclusion Caching Controls