The customer informs us that they want to deploy SSL interception in SPAN mode. After we asked a McAfee engineer, they told us that SSL interception cannot be used in SPAN mode.
So the customer tried to test this by setting up a SPAN port on the core switch.
They set ports 1A-1B on the Sensor as an Inline deployment, plugged the SPAN port from the core switch into port 1A, and plugged port 1B into a server with a packet sniffer program installed. Then they tried to configure SSL interception with this deployment. And they said "It works!".
So my question is: "Is it possible to do it like this?" And if it can be done, are there any limitations?
As far as I know, SSL in SPAN mode is supported; that's why it worked for your customer!
Limitations are related to hardware in the first place: SSL decryption is not supported by I‑1200, I‑1400, M‑1250, M‑1450, and N‑series Sensors. Secondly, these are the SSL functionalities that are not supported:
• iPlanet Web servers
• Diffie‑Hellman ciphers (McAfee recommends that you disable acceptance of Diffie‑Hellman requests on the SSL Web server to ensure that Network Security Platform is able to decrypt the traffic)
• Compression in the SSL records (a negotiable option in SSLv3 and TLS)
• PCT (Microsoft's extension to SSLv2)
For further details please check IPS Administration Guide - Page 540.
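Two of the limitations listed above (Diffie-Hellman key exchange and SSL record compression) are visible in the ServerHello the server sends back, so a defender can check a capture from the SPAN port before expecting the Sensor to decrypt anything. The following is an added example, not McAfee code: it parses a TLS ServerHello record and reports whether a passive decryptor holding only the server's private key could recover the session. The cipher suite table is a constructed subset of the IANA registry, and `build_server_hello` fabricates minimal test records rather than using a real capture.

```python
import struct

# Constructed subset of the IANA TLS cipher suite registry: suite ID -> key exchange.
# Only RSA key exchange lets a passive device with the server's private key derive the session key.
KEY_EXCHANGE = {
    0x002F: "RSA", 0x0035: "RSA", 0x009C: "RSA", 0x009D: "RSA",
    0x0033: "DHE", 0x0039: "DHE",
    0xC013: "ECDHE", 0xC014: "ECDHE", 0xC02F: "ECDHE", 0xC030: "ECDHE",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello and return version, cipher suite and compression method."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]                      # 2 bytes version + 32 bytes random precede session_id length
    off = 35 + sid_len
    cipher = struct.unpack("!H", hs[off:off + 2])[0]
    compression = hs[off + 2]
    return {"version": version, "cipher": cipher, "compression": compression}

def decryptable_by_passive_sensor(fields: dict) -> tuple:
    """Return (ok, reasons): ok is False when the negotiated parameters defeat passive decryption."""
    reasons = []
    kx = KEY_EXCHANGE.get(fields["cipher"], "unknown")
    if kx in ("DHE", "ECDHE"):
        reasons.append(f"cipher 0x{fields['cipher']:04x} uses {kx}; the server key alone cannot recover the session key")
    elif kx == "unknown":
        reasons.append(f"cipher 0x{fields['cipher']:04x} not in the lookup table; check the registry")
    if fields["compression"] != 0:
        reasons.append(f"SSL record compression negotiated (method {fields['compression']})")
    return (not reasons, reasons)

def build_server_hello(version: int, cipher: int, compression: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample with an all-zero random, no extensions)."""
    hs = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + bytes([compression])
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    for suite, comp in ((0x002F, 0), (0x0033, 0), (0xC02F, 0), (0x002F, 1)):
        print(decryptable_by_passive_sensor(parse_server_hello(build_server_hello(0x0303, suite, comp))))
```

To use this against real traffic, feed it the first handshake record the server sends; a `False` result means the Sensor will see the session but cannot decrypt it, regardless of deployment mode.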