I'm deploying ArcGIS for Server 10.3.1 in a secure Enterprise environment. A recent scan showed we had the RC4 cipher enabled and being used on port 6443. We use the Web Adaptor, and the firewall blocks all in/out 6443 traffic, but my life would become substantially easier from a documentation and risk acceptance standpoint if I could configure the server to use TLS with 3DES or another stronger cipher. Is it possible to configure this somewhere in the ArcGIS settings?
I tried flat-out disabling RC4 before, and it broke the server. I began to get SCHANNEL errors saying I didn't have a cipher available to establish the connection.
This can be accomplished with registry settings, but I prefer a tool, "IISCrypto", which gives you a nice GUI to not only turn protocols on or off, but specify the order of the ciphers as well. Is your certificate using SHA-2?
We too have this same issue with 10.3.1. We will be bypassing 10.4 for 10.5 later this year, and I do not see how changing registry settings or playing with third-party software for IIS will fix this problem, since it's coming from ArcGIS Server's web server, Tomcat. Instead, the fix I found was to modify the configuration for the Tomcat server. Refer also to "HOW TO -- Disable weak ciphers in Tomcat 7 & 8 - Powered by Kayako Help Desk Software" for more information on the parameters mentioned below.
Here are my instructions for Windows:
1) Make a backup copy of <ArcGIS_Server_Install_Directory>\framework\runtime\tomcat\conf\server.xml
2) Run Notepad as Administrator
3) Open <ArcGIS_Server_Install_Directory>\framework\runtime\tomcat\conf\server.xml
4) Near the bottom of the file, look for the line that starts with <Connector...
5) At the end of the line, between the last quotation mark and the slash, add a space, and then add the following text (you can see it's very long and will cause the lines to wrap, but that's ok):
6) Save the file and restart ArcGIS Server
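Added example, not part of the thread and not Esri's or Tomcat's own code: a small audit that can be run against the edited server.xml to confirm that every TLS-enabled `<Connector>` carries an explicit cipher list and that no RC4 (or other weak) suite is named in it. It assumes the Tomcat 7 style `ciphers` attribute holding a comma-separated list of JSSE suite names; the sample XML, its ports 6080 and 7443, and the suite names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not ArcGIS Server's real server.xml: one HTTPS connector
# with no cipher list, and one with an explicit list that still names RC4.
SAMPLE_SERVER_XML = """<Server port="-1">
  <Service name="Catalina">
    <Connector port="6080" protocol="HTTP/1.1" />
    <Connector port="6443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" />
    <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>"""

# Substrings that mark a weak JSSE suite name. "_DES_" matches single DES only,
# so 3DES suites (..._3DES_EDE_...) are not flagged by this list.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "anon", "_DES_")


def audit_connectors(xml_text):
    """Return one finding dict per TLS-enabled <Connector> in a Tomcat server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, no cipher negotiation to audit
        raw = conn.get("ciphers")
        # Assumption: comma-separated JSSE names (Tomcat 7 style), not OpenSSL syntax.
        suites = [s.strip() for s in raw.split(",") if s.strip()] if raw else []
        weak = [s for s in suites if any(m.lower() in s.lower() for m in WEAK_MARKERS)]
        if raw is None:
            status = "NO_CIPHER_LIST"     # the JVM's default suites apply
        elif weak:
            status = "WEAK_SUITE_LISTED"
        else:
            status = "OK"
        findings.append({"port": conn.get("port"), "status": status, "weak": weak})
    return findings


if __name__ == "__main__":
    # To audit a real file, read it and pass its text to audit_connectors().
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

A clean result here only shows what the configuration file requests; re-running the scanner against port 6443 after the restart confirms what the server actually negotiates.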