By default, ArcGIS Server enforces use of the HTTPS protocol, creating a secure communication channel for web traffic. Accessing ArcGIS Server URLs through HTTPS ensures network confidentiality and integrity. Since passwords sent over HTTP can be intercepted and stolen, Esri applications that can connect to ArcGIS Server encrypt the user name and password using the RSA public-key cryptography algorithm before transmitting the credentials over the network.
The use of HTTPS protects against man-in-the-middle attacks, in which a malicious agent intercepts unsecured communications over a network and poses as the legitimate source of the communications to both the client and the server.
Communication over HTTPS is established through the use of digital certificates. Certificates are signed by a certificate authority (CA) to ensure trust between the client and the server. ArcGIS Server has its own internal certificate authority and comes with a default self-signed certificate, but it's recommended that you configure a certificate signed by an external CA. This is because most browsers warn or discourage you from using self-signed certificates, meaning you have to suppress the warnings if you are using one. Your IT administrator should be able to provide you with certificates signed by an external CA.
ArcGIS Online enforces HTTPS Only and the HSTS protocol. If any of the services in your ArcGIS Server site are used in ArcGIS Online, ensure your server site is set to enforce HTTPS Only and HSTS as well.
See About server certificates for more information on certificates and full steps for various certificate configurations with ArcGIS Server.
ArcGIS Server does not support SSL-offloading through a reverse proxy/load balancer. If your configuration uses a reverse proxy, it must redirect to either the ArcGIS Web Adaptor or directly to ArcGIS Server over HTTPS.
Change your HTTP protocol settings
In some cases, ArcGIS Server administrators will want to relax the default restriction of HTTP communication. In almost all cases, this is to allow communication over both HTTP and HTTPS. You can do so using the ArcGIS Server Administrator Directory.
- Log in to the directory as an administrator.
The URL is formatted https://server.domain.com:6443/arcgis/admin.
- Browse to security > config > update.
- Open the Protocol drop-down menu and select your desired protocol.
Only in very rare scenarios will an administrator set the site protocol to HTTP Only. If you are not certain about your reasons for doing so, set the protocol as either HTTP and HTTPS or HTTPS Only.
- Click Update to confirm.
This restarts the server.
Enable HTTP Strict Transport Security
If you want to enforce very strict use of HTTPS in your ArcGIS Server site, you can enable HTTP Strict Transport Security (HSTS) headers. When enabled, the server sends a Strict-Transport-Security header with all responses it returns; this header tells the recipient browser to strictly use HTTPS requests to the server for a subsequent duration defined by the header (set to one year by default). HSTS is disabled by default but reinforces the use of HTTPS Only protocol.
To learn more, see Enforce strict HTTPS communication.
Supported TLS versions
Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a network. ArcGIS Server supports TLS version 1.2 by default. You can also enable versions 1.0 and 1.1 of the TLS protocol. See Restrict TLS protocols and cipher suites for more information.
Beginning at 10.3, Secure Sockets Layer (SSL) support was dropped due to the SSL 3.0 POODLE vulnerability.