Disable TLS 1.0 and TLS 1.1 in MobileWeb Connector

As of Totalview version 2022 SP1, the MobileWeb connector still supports TLS version 1.0 and 1.1.

This guide shows how customers can disable this behaviour.

The long-term solution, which will be available in an upcoming Totalview release, is to change the implementation so that the MobileWeb connector uses the same TLS configuration as the Operating System.

So if certain versions of TLS are disabled in the Operating System, then they will also be disabled in MobileWeb.

The short-term fix, which is documented below, is to set up an IIS Reverse Proxy in front of WCF, so that all HTTPS (TLS) traffic is terminated by Internet Information Server (IIS).

It is then the Windows SChannel configuration that controls which protocols and encryption ciphers are offered to clients.

One way of disabling TLS 1.0 and TLS 1.1 in Windows Server 2019 is documented by Microsoft in "1.0 - Disable earlier versions of TLS in Windows Schannel".

More options are shown on the page "Managing SSL/TLS Protocols and Cipher Suites for AD FS".

Other editions of Windows Server might require a different procedure. See the Operating System documentation on how this can be done.
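As an added example (not part of the Totalview guide), the following PowerShell script applies the SChannel registry settings the Microsoft article describes and then checks which TLS versions the proxied port still accepts. The registry paths are the documented SChannel protocol keys; CUSTOMER_URL and port 8033 are placeholders taken from this guide, and the check must be run from a machine that still has TLS 1.0 and 1.1 enabled on the client side.

```powershell
# Added example: disable TLS 1.0/1.1 in SChannel and verify the IIS binding.
# Run as Administrator on the IIS host; a reboot is needed before SChannel
# picks up the new values.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the version off; DisabledByDefault=1 keeps it off
        # for callers that do not name a protocol explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true   # keep TLS 1.2 available

function Test-TlsVersion {
    # Returns $true only if the listener completes a handshake with this exact version.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Version
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Certificate validation is skipped on purpose: only the negotiated version matters here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, $Version, $false)
        return ($ssl.SslProtocol -eq $Version)
    } catch {
        return $false   # handshake refused (expected for disabled versions)
    } finally {
        $tcp.Close()
    }
}

# Expected after the reboot: Tls -> False, Tls11 -> False, Tls12 -> True.
foreach ($v in 'Tls', 'Tls11', 'Tls12') {
    '{0,-6} {1}' -f $v, (Test-TlsVersion -HostName 'CUSTOMER_URL' -Port 8033 -Version $v)
}
```

Run the Test-TlsVersion part from a separate client host, since disabling the Client keys on the IIS server also prevents that server from offering TLS 1.0/1.1 when it acts as a client.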

Install and configure Internet Information Server (IIS) with Reverse Proxy

  • Install IIS (Web Server)

    • Include:

      • Application Development

      • .NET Extensibility 4.8

      • ASP.NET 4.8

      • ISAPI Extensions

      • ISAPI Filters

      • Server Side Includes

      • WebSocket

  • Install URL Rewrite 2.1 module on the IIS

  • Install Application Request Routing 3.0 (ARR) on the IIS

NB! Remember to enable Proxy in ARR (click on the Server -> Application Request Routing -> Server Proxy Settings (right bar) -> [x] Enable proxy -> Apply).

Change MobileWeb Configuration

In Totalview Admin, change MobileWeb connector to listen on address localhost:8034.

Stop the connector. Run Install/Upgrade and start the connector again. It should not be necessary to edit the config file afterwards: the connector may keep running in its insecure (plain HTTP) configuration, because it is only reachable through the reverse proxy.

Port 8034 must not be accessible from the public internet.

Configure IIS Reverse Proxy

Create an IIS site with an HTTPS binding on port 8033 that uses a valid certificate.

Under IIS site configuration, open URL Rewrite.

Create a new rule of type Reverse Proxy.

Set the server to localhost:8034 and tick the Enable SSL Offloading checkbox.

Verification

Open a browser from the public internet to the address where the MobileWeb connector previously was listening and verify that https://CUSTOMER_URL:8033/rest/registerversion opens correctly.