Configuring A Decryption Rule

Similar to the way you configure cloud access rules, you configure HTTPS decryption policies to decrypt content based on selected URL categories. For example, you can configure an HTTPS decryption rule to decrypt encrypted content from websites in the Business categories.

When you add or edit a decryption rule from the Decryption Rules screen, a new screen opens, where you can specify the settings for the rule.

  1. Configure the basic rule information:



    Rule name

    Specify a unique name for the decryption rule.


    (Optional) Meaningful description to easily identify the decryption rule.


    Click On or Off to enable or disable the decryption rule.

    If you no longer need a decryption rule, delete it, instead of setting Enable to Off.

  2. In the Gateways section, select the gateways that the decryption rule applies to. You can select all gateways, specific ones from the list of gateways configured on the Gateways screen, or roaming users as necessary.
  3. In the URL Categories section, select the URL categories that the decryption rule applies to.

    (Optional) Click Add Customized URL Category to specify new URL categories that are not part of the Trend Micro predefined URL categories. For more information, see Configuring A Customized URL Category.

  4. In the Certificate section, select a cross-signed certificate or click Reset to use the default CA certificate provided by TMWS as the client certificate for HTTPS connections between client browsers and TMWS.

    For certificate security considerations, TMWS implements separate root CA certificates for the cloud proxy and the on-premises gateway to use or cross-sign. If you are using the cloud proxy and the on-premises gateway, make sure to configure both settings.

    For more information, see Cross-signing the CA Certificate for TMWS Cloud Proxy and Cross-signing the CA Certificate for TMWS On-Premises.


    Make sure that the validity period of the certificate is more than two years from when you select and upload the certificate.

    In addition to the cross-signed CA certificate and the default CA certificate, you can also use your company's own CA certificate for HTTPS decryption through the command line. This applies only to TMWS on-premises.

    For more information, see Using Your Company CA Certificate for TMWS On-Premises.

  5. Click Save.