Essentials Security does not protect a site's information while it is being transmitted across a network. In particular:
When a user signs in, the user name and password are not encrypted.
Feature data is not encrypted between the viewer and server.
The authentication token that a viewer presents to gain access to a site is not encrypted between the viewer and server.
For this reason, we recommend that you enforce the use of Secure Socket Layer (SSL) for communications with Essentials. When the Security feature's Enforce SSL setting is turned on, viewers must use the HTTPS protocol to access sites. By default, SSL is enforced for all secured operations and requests.
The Identity Server security provider has a Require SSL setting in the Post Installer. The Require SSL setting enforces the use of SSL for communications with Identity Server. See Change the Web Component Configuration for Identity Server.
Transport Layer Security (TLS) is the stronger successor to Secure Sockets Layer (SSL) encryption. TLS is handled by Windows and the .NET Framework. In Essentials, TLS and SSL are both referred to as SSL.
If you use SSL encryption to secure Geocortex web applications, we recommend that you use a version that is newer than SSL 3.0. SSL 3.0 contains a known security vulnerability. Some web platforms and browsers have SSL 3.0 turned off by default or do not support SSL 3.0 at all. Depending on the security policy of your server, Essentials may not be able to consume services that use SSL 3.0. Similarly, depending on the security policy of your end user's web browsers, they may not be able to consume applications and services that use SSL 3.0.
Firefox and Chrome do not support SSL 3.0. Internet Explorer 11 has SSL 3.0 turned off by default.
Connection problems can occur when a server communicates with another server that has more restrictive TLS requirements. For example, a server that hosts Essentials may fail to communicate with an ArcGIS Server that requires TLS 1.2, when the Essentials server does not. If the server that hosts Essentials is kept up-to-date with Windows updates and has .NET Framework 4.6 or newer, you should not encounter this problem. If your server is up-to-date but you still encounter this problem, contact your support channel.
We recommend using TLS 1.1 and 1.2, which are the Windows system default settings in most cases. If your system defaults are less secure, we recommend modifying them to use TLS 1.1 and 1.2. If there is a compelling reason to not modify the system defaults, it is possible to configure Essentials to use specific protocols other than the system defaults.
To force Essentials to use specific security protocols:
As an administrator, open the Essentials REST
Web.configfile in a text editor.
By default, this file is located at:
C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials\Default\REST Elements\REST\Web.config
<appSettings>element add the following:
<add key="gcx.securityProtocol" value="Tls11,Tls12" />
value, specify a comma-separated list of the security protocols you want to use. For more details, see Microsoft's SecurityProtocolType documentation.
Save the file.
Repeat the procedure above for the Essentials Manager
By default, this file is located at:
C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials\Default\REST Elements\Manager\Web.config
By default, SSL is enforced. This means that sites can only be accessed using HTTPS. When the Security feature's Enforce SSL setting is turned off, sites can be accessed using HTTP.
Turning off SSL enforcement is not recommended.
To change SSL enforcement:
Manager, click the Security & Data tab, expand the Security area in the side panel, and then click Settings.
To enforce SSL encryption between the viewer and server, select the Enforce SSL checkbox.
To allow unencrypted communications between the viewer and server, clear the Enforce SSL checkbox.
Click Apply Details.