Your Carousel server can be set up in different security configurations. Some configurations are best for networks where security is of little importance, while others give Carousel a significant amount of resilience to outside attacks. This page explains settings that affect the security of the player.
Overview
Carousel supports Transport Layer Security (TLS): adding a certificate to your Carousel server lets it encrypt all of its traffic. This works for both web traffic and the traffic for all of your connected players. Follow the process detailed here to ensure your system will work properly: Carousel - How to enable TLS in Carousel 7.3.0.
High Security (Recommended)
When security is a priority, we recommend that you set up TLS by adding a certificate to your Carousel server. When you do this, you will need to reconfigure all of your players, regardless of type, to connect over HTTPS. It is therefore preferable to choose this option from the beginning, before you have set up any of your players.
Having TLS enabled for your server means that all of the web traffic and player traffic will be encrypted, so that anyone watching your network communications will not be able to see what is being communicated to and from your Carousel server.
Notes
TLS is available for all portions of the app with Carousel 7.3.0 or later. We do not support self-signed certificates, because allowing players to connect via HTTPS with a self-signed certificate would leave the Carousel server open to a man-in-the-middle attack.
HTTP Redirects
It is a good idea to use a redirect that sends people or players who access the Carousel server via HTTP to HTTPS instead. This makes reconfiguring players less critical and helps anyone who may have old bookmarks pointing to an http URL. The redirect is set up in the IIS configuration and is independent of Carousel. Here's a link to a Microsoft article on how it can be accomplished: https://blogs.technet.microsoft.com/dawiese/2016/06/07/redirect-from-http-to-https-using-the-iis-url-rewrite-module/
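As an illustration of the redirect described above (an added example, not taken from Carousel or from the linked Microsoft article), a site-level web.config rule for the IIS URL Rewrite module can look like this. It assumes the URL Rewrite module is installed and that the site already has a working HTTPS binding; the rule name is arbitrary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Applies to every requested path; stops further rule processing once it fires. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "off" for plain-HTTP requests, so HTTPS requests are left alone
                 and the rule cannot cause a redirect loop. -->
            <add input="{HTTPS}" pattern="^off$" ignoreCase="true" />
          </conditions>
          <!-- Keep the host, path and query string the client asked for; only the scheme
               changes. "Permanent" sends a 301 so browsers update old bookmarks. -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent"
                  appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A redirect only takes effect after the first request has arrived over HTTP, and that first request is still unencrypted. Pointing players and bookmarks directly at the https URL avoids sending it at all.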
Low Security
If you do not require TLS on your server, you can simply run Carousel without it. Your server will function as normal; however, the communications to and from your Carousel server will not be encrypted.
This may not be an issue for customers who proxy Carousel, because they can add TLS at the proxy. Traffic to and from the proxy will then be encrypted, but internal traffic will not be, which some companies do not consider an issue.