How to enforce TLS inbound from and outbound to a specific external domain