Creating SSL/TLS Exceptions for SMA Traffic
The recommended solution for configuring SSL inspection between the KACE SMA and the KACE SMA agents is to create an exception rule for connections to the appliance initiated by agents. The rule should allow the traffic to pass through without SSL certificate manipulation. Depending on the features of the security device, the rule can be created with either or both of the following definitions.
Incoming Connection Destination
An exception based on the destination of the inbound connection to the KACE Systems Management Appliance can be used to identify and allow all TLS connections being made to the appliance.
Incoming Connection SNI
An exception based on the SNI (Server Name Indication) can be used to allow TLS connections that are being made specifically from the KACE SMA Agent to the appliance. The benefit of this type of rule is that general SSL traffic directed at the appliance can continue to be intercepted and inspected by the security device, while KACE SMA Agent traffic proceeds without being tampered with. This type of rule can be combined with the destination rule above and should be configured to allow traffic with an SNI defined as "konea".