ArcGIS Monitor enforces the use of the HTTPS protocol by default, creating a secure communication channel for web traffic. Accessing Monitor through HTTPS ensures network confidentiality and integrity.
The use of HTTPS protects against man-in-the-middle attacks, in which a malicious agent intercepts unsecured communications over a network and poses as the legitimate source of the communications to both the client and the server.
Communication over HTTPS is established through the use of digital certificates. Certificates are signed by a certificate authority (CA) to ensure trust between the client and the server. Monitor has its own internal certificate authority and comes with a default self-signed certificate, but it's recommended that you configure a certificate signed by an external CA. This is because most browsers warn or discourage you from using self-signed certificates, meaning you have to suppress the warnings if you are using one. Your IT administrator should be able to provide you with certificates signed by an external CA.
Change your HTTP protocol settings
In some cases, Monitor administrators will want to relax the default restriction of HTTP communication. In almost all cases, this is to allow communication over both HTTP and HTTPS. To change HTTP communication settings, complete these steps:
- Access Monitor, if necessary.
The Home page appears.
- Click Administration.
The Administration page appears.
- Click Edit next to HTTP Communication Settings on the Administration page.
The HTTP Communication Settings dialog box appears.
- Click the HTTP Protocols drop-down arrow and change the protocol setting as necessary.
- Click Save and Restart.
The HTTP communication settings are saved, and the server is restarted.
HTTP Strict Transport Security
If you want to enforce strict use of HTTPS in your Monitor deployment, you can enable HTTP Strict Transport Security (HSTS) headers. When enabled, Monitor sends a Strict-Transport-Security header with all responses it returns; this header tells the recipient browser to strictly use HTTPS requests for a duration of time defined by the header (set to one year). HSTS is turned off by default but reinforces the use of HTTPS protocol.
Supported TLS versions
Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a network. Monitor supports TLS versions 1.3 and 1.2.