Disable TLS 1.0 and TLS 1.1 in MobileWeb Connector
As of Totalview version 2022 SP1, the MobileWeb connector still supports TLS version 1.0 and 1.1.
This guide shows how customers can disable this behaviour.
The long term solution, which will be available in an upcoming Totalview release, will be to change the implementation so that MobileWeb connector uses the same configuration as the Operating System.
So if certain versions of TLS are disabled in the Operating System, then they will also be disabled in MobileWeb.
The short term fix, which is documented below, is to set up an IIS Reverse Proxy in front of WCF, so that all HTTPS (TLS) will be handled by Internet Information Server (IIS).
Then it will be the Windows SChannel configuration that controls which protocols and encryption ciphers are offered to clients.
One way of disabling TLS 1.0 and TLS 1.1 in Windows Server 2019 is documented by Microsoft on 1.0 - Disable earlier versions of TLS in Windows Schannel.
More options are shown on the page Managing SSL/TLS Protocols and Cipher Suites for AD FS.
Other editions of Windows Server might require a different procedure. See the Operating System documentation on how this can be done.
Install and configure Internet Information Server (IIS) with Reverse Proxy
Install IIS (Web Server)
Include:
Application Development
.NET Extensibility 4.8
ASP.NET 4.8
ISAPI Extensions
ISAPI Filters
Server Side Includes
WebSocket
Install URL Rewrite 2.1 module on the IIS
Install Application Request Routing 3.0 (ARR) on the IIS
NB! Remember to enable Proxy on ARR (click on Server -> Application Request Routing -> Server Proxy Settings (right bar) -> [x] Enable proxy -> Apply).
Change MobileWeb Configuration
In Totalview Admin, change the MobileWeb connector to listen on address localhost:8034.
Stop the connector, run Install/Upgrade, and start the connector again. It should not be necessary to edit the config file afterwards, as the connector can run in an insecure configuration when it is behind a reverse proxy.
Port 8034 should not be accessible from the public internet.
Configure IIS Reverse Proxy
Create an IIS site with a binding on port 8033. It should be HTTPS and use a valid certificate.
Under the IIS site configuration, open URL Rewrite.
Create a new rule of type Reverse Proxy.
Set the server to localhost:8034 and tick the Enable SSL Offloading checkbox.
Verification
Open a browser from the public internet to the address where the MobileWeb connector was previously listening, and verify that https://CUSTOMER_URL:8033/rest/registerversion opens.
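The browser check confirms that the proxy works, but not that the old protocol versions are refused. The following PowerShell probe is an added example, not part of the Totalview product or its documentation; it attempts one handshake per TLS version against the IIS binding. The function name Test-TlsVersion is hypothetical, CUSTOMER_URL is the placeholder used above, and the expectation that TLS 1.2 is accepted is an assumption.

```powershell
param(
    [string]$HostName = 'CUSTOMER_URL',  # placeholder from the guide, replace with the real host
    [int]$Port = 8033                    # HTTPS binding of the IIS site
)

# Hypothetical helper: tries a handshake restricted to exactly one protocol version.
function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # A TCP connect failure is thrown to the caller: it is not a TLS result.
        $client.Connect($HostName, $Port)
        # Only the protocol version is probed, so certificate errors are ignored here.
        # Certificate validity is checked separately by the browser test.
        $anyCert = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $anyCert)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{ Protocol = $Protocol; Accepted = $true; Detail = "negotiated $($ssl.SslProtocol)" }
        }
        catch {
            [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Detail = $_.Exception.GetBaseException().Message }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Expected outcome after the change: old versions refused, TLS 1.2 accepted (assumption).
$expected = [ordered]@{ Tls = $false; Tls11 = $false; Tls12 = $true }

$results = foreach ($name in $expected.Keys) {
    $r = Test-TlsVersion -HostName $HostName -Port $Port -Protocol $name
    $r | Add-Member -NotePropertyName AsExpected -NotePropertyValue ($r.Accepted -eq $expected[$name]) -PassThru
}

$results | Format-Table -AutoSize
if ($results.AsExpected -contains $false) {
    Write-Error "TLS configuration on ${HostName}:${Port} does not match the expected state."
    exit 1
}
```

Run it from a machine whose own SChannel client settings still allow TLS 1.0 and 1.1; if they are disabled on the client, the old versions fail locally and the result says nothing about the server.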