What is the effect of “Require Encrypted Web Access” in ArcGIS Server, and how this will affect the Arcgis server’s security?
We would like to know the main effects of the “Require Encrypted Web Access” in Arcgis server, and how this will affect the security?
Best
Majdoleen
Solved! Go to Solution.
I had to dig to find this. I'm unsure the utility of this setting in recect versions of ArcGIS Enterprise where HTTPS can be configured globally for the site.
You can require clients that connect to your ArcGIS Server services use HTTPS for the connection. This will encrypt all communication between the client and the server, so that if someone intercepts the communication during transmission, the data will be encrypted against reading. If you also want to restrict access to the service to certain users, see the section below on Limiting which users can access a service.
The HTTPS requirement is set at the folder level, rather than for individual services. If you only want to require HTTPS for an individual service and not for the entire server or folder, create a new folder and add the service to the new folder.
Note that you must install a SSL certificate on the Web server in order for clients to request resources with HTTPS. For details, see Setting up SSL.
To use Manager to require HTTPS for a folder, follow these steps:
You can also require HTTPS for a folder using ArcCatalog. To do so:
Note that after you require HTTPS for a folder, then any client application must use a URL with https:// in order to use the services in that folder. If a user connects to the server with ArcCatalog and does not use https in the URL, then the folder will not display even if the user otherwise is permitted access to the folder.
Esri Software Security & Privacy
I had to dig to find this. I'm unsure the utility of this setting in recect versions of ArcGIS Enterprise where HTTPS can be configured globally for the site.
You can require clients that connect to your ArcGIS Server services use HTTPS for the connection. This will encrypt all communication between the client and the server, so that if someone intercepts the communication during transmission, the data will be encrypted against reading. If you also want to restrict access to the service to certain users, see the section below on Limiting which users can access a service.
The HTTPS requirement is set at the folder level, rather than for individual services. If you only want to require HTTPS for an individual service and not for the entire server or folder, create a new folder and add the service to the new folder.
Note that you must install a SSL certificate on the Web server in order for clients to request resources with HTTPS. For details, see Setting up SSL.
To use Manager to require HTTPS for a folder, follow these steps:
You can also require HTTPS for a folder using ArcCatalog. To do so:
Note that after you require HTTPS for a folder, then any client application must use a URL with https:// in order to use the services in that folder. If a user connects to the server with ArcCatalog and does not use https in the URL, then the folder will not display even if the user otherwise is permitted access to the folder.
Thank you Randall Williams for your reply, it is very helpful.
So, we can conclude that the main effect of (Require Encrypted Web Access) at the level of the folder in Arcgis server is to disable the http (enforce https) and only work with https, Please have a look on the attach!
Best,
Majdoleen
Why bother guessing when you can just test it. It seems you already have ArcGIS Server deployed, and are experimenting with changing the setting.
Yes, but I'd argue that HTTPS should be ubiquitous across the web.This option may be useful if you're mashing up web services with a group that hasn't enabled HTTPS, but I'd argue that the better solution is for everyone to conform to using HTTPS rather than encouraging dated practices.With that said, Esri isn't the HTTPS police so this option exists.
Thank you for your reply, Randall Williams
Is this option equivalent to the one available in the ArcGIS Server Admin when choosing https option?
Home > security > config > update
The 10.0 help describes this option. It's so old it's not even documented in newer versions:
"Additionally, you can require a Secure Sockets Layer (SSL) connection to services within a folder. To do this, open the folder Properties dialog box in either Manager or ArcCatalog and check the box to Require Encrypted Web Access. See Setting up SSL for additional details on configuring SSL.="
I've logged a request to just remove checkbox from the dialog. Enabling HTTPS on just one folder is not a pattern users follow any more.
So just to be clear on the answer to Jamal's question, is the answer that yes setting https only in the ArcGIS Admin trumps the folder-level setting whether or not to require encrypted access?