Messaging Gateway does not support TLS inspection



Article ID: 385940


Updated On:

Products

Messaging Gateway

Issue/Introduction

TLS inspection is a process in which the negotiation of an encrypted connection to an internet service is intercepted by a network security device that performs what is functionally an authorized man-in-the-middle attack: the device terminates the TLS session, decrypts the traffic, and inspects the plaintext before re-encrypting it towards the real endpoint. This is a feature offered by many network security providers and proxy services so that data which would otherwise be encrypted can be scanned for malware and other content.

When attempting to perform TLS inspection on the communication between Messaging Gateway and the Broadcom data center, a number of issues will arise, including but not limited to the following:

Cause

Messaging Gateway uses a TLS client certificate that is privately signed and implements a highly restrictive certificate trust list when negotiating encrypted connections with the Broadcom data center, to ensure that spam and malware detection definitions are not modified in transit. Similarly, this restrictive certificate trust list is used to ensure that connections to current and future cloud-based APIs are authenticated and unmodified.

Resolution

Messaging Gateway has no supported means by which a certificate for TLS inspection can be added to the certificate trust list used to authenticate connections to the Broadcom data center. TLS inspection of antispam and malware definition downloads and other secure communication would allow modification of rules, definitions, and engine updates, which would potentially compromise Messaging Gateway's ability to provide its core email security functions.
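The following shell script is an added illustration of the mechanism described in the Cause and Resolution sections above; it is not Broadcom's code and does not interact with Messaging Gateway. It builds a constructed "vendor" root CA (standing in for the private CA in the restrictive trust list) and a constructed "inspection" CA (standing in for a TLS inspection appliance), issues a server certificate for the same placeholder hostname from each, and then verifies both against a trust list that contains only the vendor root. The genuine certificate is accepted, while the proxy's re-signed certificate is rejected, which is the handshake failure a client with a pinned trust list produces when an inspection device sits in the path. It assumes the `openssl` command-line tool is installed; all hostnames, CA names and file prefixes are constructed for the example. The client-certificate (mutual authentication) side of the page's design is not exercised here.

```shell
#!/bin/sh
# Added example (not Broadcom's code): why a restrictive trust list rejects a
# TLS-inspection proxy's re-signed server certificate.
# Assumes the openssl CLI; all names and paths below are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="updates.example.invalid"   # constructed placeholder hostname

# Create a self-signed root CA. $1 = file prefix, $2 = CN.
# The distribution's default openssl.cnf marks req -x509 output as CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate for $HOST. $1 = issuing CA prefix, $2 = leaf prefix.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -sha256 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Validate leaf $2 against a trust list containing only CA $1 (the restrictive
# trust list of the page). Prints "trusted" or "rejected"; always exits 0 so
# callers can compare the two outcomes.
check_against_trust_list() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_ca vendor_root "Constructed Vendor Root CA"       # the only CA the client trusts
make_ca inspect_ca  "Constructed TLS Inspection CA"    # the proxy's signing CA
make_leaf vendor_root genuine_leaf                     # cert the real server presents
make_leaf inspect_ca  proxy_leaf                       # cert the proxy presents instead

GENUINE_RESULT="$(check_against_trust_list vendor_root genuine_leaf)"
PROXY_RESULT="$(check_against_trust_list vendor_root proxy_leaf)"
echo "genuine server certificate against vendor trust list: $GENUINE_RESULT"
echo "proxy re-signed certificate against vendor trust list: $PROXY_RESULT"
```

The proxy's certificate carries the correct hostname and a valid signature, yet it is rejected purely because its issuer is absent from the trust list; that is why adding the inspection CA to the trust list is the usual remedy on general-purpose clients, and why a product with no supported way to do so cannot pass through an inspecting device.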

No personally identifiable information (PII) is included in any TLS-secured communication between Messaging Gateway and the Broadcom data center, and all telemetry data is anonymized.