Securing ArcGIS Server communication

By default, ArcGIS Server uses the HTTP protocol for all communication. Since passwords sent over HTTP can be intercepted and stolen, Esri-built client applications that can connect to ArcGIS Server encrypt the user name and password using the RSA public-key cryptography algorithm before transmitting the credentials over the network. These applications include ArcMap, ArcGIS Server Manager, the Services Directory, and the ArcGIS Server Administrator Directory.

User credentials encrypted using the out-of-the-box RSA algorithm provide a reasonable level of security within a small or restricted local area network (LAN). However, for an enterprise-wide ArcGIS Server deployment or a system that contains sensitive proprietary data, it is recommended to use SSL to ensure secure transmission of user credentials. To enable SSL for ArcGIS Server, see Enabling SSL on ArcGIS Server.

When SSL has been enabled, accessing ArcGIS Server URLs through HTTPS ensures network confidentiality and integrity. In high-security environments, any regular HTTP access to ArcGIS Server should be disabled. For instructions on how to do this, see Disabling HTTP access to ArcGIS Server.

Supported SSL and TLS versions

ArcGIS Server supports Secure Sockets Layer (SSL) version 3.0 and Transport Layer Security (TLS) versions 1.0, 1.1, and 1.2.
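
One way to check a running site against the two points above, as an added example that is not Esri's code: it attempts one handshake per protocol version listed here, reports any deprecated version that is still accepted (SSL 3.0 per RFC 7568, TLS 1.0 and 1.1 per RFC 8996), and reports whether the plain-HTTP port still answers. The host name, the ports 6443 and 6080, and all function names are assumptions.

```python
import socket
import ssl
import warnings

PAGE_VERSIONS = {"SSL 3.0": ssl.TLSVersion.SSLv3, "TLS 1.0": ssl.TLSVersion.TLSv1,
                 "TLS 1.1": ssl.TLSVersion.TLSv1_1, "TLS 1.2": ssl.TLSVersion.TLSv1_2}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # RFC 7568 and RFC 8996

def port_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe(host, port, version, timeout=3.0):
    """True/False if a handshake pinned to `version` succeeds/fails; None when
    the local OpenSSL build refuses to be configured for that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # this audits protocol support only,
    ctx.verify_mode = ssl.CERT_NONE  # not the server certificate
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy versions
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        return False

def audit(accepted, http_open):
    """accepted: version label -> True/False/None; http_open: HTTP port answered."""
    findings = [f"{v} accepted: deprecated protocol still enabled"
                for v in sorted(DEPRECATED) if accepted.get(v)]
    if not accepted.get("TLS 1.2"):
        findings.append("TLS 1.2 not negotiated: no non-deprecated version confirmed")
    if http_open:
        findings.append("plain HTTP port reachable: HTTP access has not been disabled")
    return findings

if __name__ == "__main__":
    host, https_port, http_port = "gis.example.com", 6443, 6080  # assumed values
    accepted = {name: probe(host, https_port, v) for name, v in PAGE_VERSIONS.items()}
    print("\n".join(audit(accepted, port_open(host, http_port)) or ["no findings"]))
```

A `None` result means the auditing machine could not offer that version, so it says nothing about the server; rerun from a client whose OpenSSL still includes it.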