FAQ: How is ArcGIS Enterprise and its associated software components, ArcGIS Server and Portal for ArcGIS, affected by disabling TLS 1.0 and 1.1?
How is ArcGIS Enterprise and its associated software components, ArcGIS Server and Portal for ArcGIS, affected by disabling TLS 1.0 and 1.1?
To align with industry best practices for security and data integrity, Esri is disabling support for TLS versions 1.0 and 1.1 in ArcGIS Online and enforcing TLS 1.2. Once this change is made, client applications that do not support TLS 1.2 will be unable to interact with ArcGIS Online. This article outlines what the disabling of these earlier security protocol versions means for users of ArcGIS Enterprise and the associated software components, ArcGIS Server and Portal for ArcGIS.
How will ArcGIS Enterprise software components be affected?
ArcGIS Enterprise deployments that do not support the use of the TLS 1.2 protocol are affected, as attempts to connect to ArcGIS Online through TLS 1.0 and 1.1 fail. Impacted workflows related to ArcGIS Server and Portal for ArcGIS include:
ArcGIS Server workflows:
- Using ArcGIS Server print services to print any ArcGIS Online content or basemaps (a typical symptom is that basemaps fail to export after this change goes into effect)
- Custom-built geoprocessing services that engage with ArcGIS Online content
- Registering items in ArcGIS Online via the ArcGIS Server Manager interface in ArcGIS Server versions 10.3 and earlier
Portal for ArcGIS workflows:
- Accessing secured ArcGIS Online content via items registered in Portal for ArcGIS, including hosted layers, base maps, and the ArcGIS Living Atlas of the World content
- Configuring and using ArcGIS Online utility services in Portal for ArcGIS. This includes geosearch, geocoding, routing, and other utility services
How do I know if my ArcGIS Enterprise deployment is affected?
There are two main factors that determine whether an environment is affected – the software version of the ArcGIS Enterprise components, and the operating system on which the ArcGIS Enterprise components are installed. The version of Internet Explorer installed on the server can also affect the behavior of the system and can impact the ArcGIS Server workflows defined above. A flowchart is attached that shows the affected environments and the recommended action items, as described below.
Portal for ArcGIS
Versions of Portal for ArcGIS 10.4 and earlier are affected, as these versions contain internal components that can only communicate over the TLS 1.0 protocol. Portal for ArcGIS 10.4.1 and higher are unaffected.
Whether ArcGIS Server workflows are affected depends on the underlying operating system support. See below for details regarding installations on Windows Server.
What Operating Systems support TLS 1.2?
Windows Server 2008
Installations of ArcGIS Server running on Windows Server 2008 are affected, as this operating system does not support TLS 1.2.
While there exists a Microsoft patch that adds basic TLS 1.2 support for Windows Server 2008, this patch is insufficient to add the full TLS 1.2 support required by this change.
Windows Server 2008 R2 and above
Windows Server 2008 R2 and above, including Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, contain the necessary protocol support to connect using TLS 1.2.
For Windows Server 2008 R2 and Windows Server 2012, it may be necessary to explicitly enable support for TLS 1.2 for the ArcGIS Server account. The system defaults are affected by the version of Internet Explorer installed on the server. If Internet Explorer 11 has been installed, the system settings are updated to enable TLS 1.2 by default. If Internet Explorer 11 is not installed on the server, it may be necessary to explicitly enable support for TLS 1.2 for the ArcGIS Server account.
ArcGIS Server running on Linux contains support for TLS 1.2 across all supported versions.
What do I do if my ArcGIS Enterprise deployment is affected?
Portal for ArcGIS
If you have deployed Portal for ArcGIS 10.4 or earlier, and your workflows are affected by disabling TLS 1.0 and TLS 1.1, Esri’s recommendation is to upgrade to a version that supports communication over TLS 1.2. All versions of Portal for ArcGIS 10.4.1 and higher fully support TLS 1.2. Esri recommends that customers upgrade to the latest release, if possible.
ArcGIS Server workflows may be impacted at any version. This is due to a combination of the operating system that ArcGIS Server is installed on, as well as the Internet Options used by the ArcGIS Server account.
If ArcGIS Server is running on Windows Server 2008, it is necessary to upgrade to a later version of Windows Server to resolve this issue.
Customers with ArcGIS Server running on Windows Server 2008 R2 or Windows Server 2012 may need to additionally enable TLS 1.2 for the ArcGIS Server account.
If Internet Explorer 11 has been installed, the system settings are updated to enable TLS 1.2 by default. If Internet Explorer 11 is not installed on the server, it may be necessary to explicitly enable support for TLS 1.2 for the ArcGIS Server account in the Internet Options panel.
There is no impact and no additional required configuration for ArcGIS Server deployments running on Windows Server 2012 R2 and Windows Server 2016.
If you have followed the above recommendations and still encounter issues with communicating to ArcGIS Online through ArcGIS Enterprise components, please contact Esri Technical Support for further investigation.
Note: See the Esri Support TLS Page for instructions on how to use TLS 1.2 with other Esri products.