The TLS / SSL version used in connecting HTTPS sites depends on whether HTTPS Decryption is enabled or not.

• When HTTPS Decryption policy is enabled:

  IWSVA mediates the TLS/SSL connection between the client browser and the destination HTTPS site. Therefore, IWSVA decides the TLS/SSL version used to connect the destination HTTPS site according to the settings in HTTP > HTTPS Decryption > Settings > SSL Method.

  You can set it to Connect https server with the same SSL version from client or Customize SSL setting.

  When you set it to Connect https server with the same SSL version from client, IWSVA treats the HTTPS connection as a connection failure if the TLS / SSL version between the client browser and IWSVA and the one between IWSVA and the destination HTTPS server are different.

  The failure usually occurs when a downstream proxy of IWSVA or the destination HTTPS server allow a lower version of TLS / SSL.

  Set "Customize SSL setting" to prevent the failure. For more details, you may refer to KB article: Unable to display certain HTTPS websites in Firefox and Chrome when connecting through InterScan Web Security Virtual Appliance (IWSVA).

• When HTTPS Decryption policy is NOT applied:

  IWSVA does NOT mediate the TLS / SSL connection between the client browser and the destination HTTPS site. Therefore, the client browser decides the TLS / SSL version used to connect to it.