I am researching how to convert an Intranet (internal) web map application to an Internet (external) web map. The data is private. Theoretically, I want the user to be able to access it outside of the internal network. I may be able to copy the Web viewer and paste it to a HTTP. If the user has to access it via a 'Sign In,' then this approach will work. I cannot use ArcGIS Online. I do not have ArcGIS for Portal. I have ArcGIS for Server 10.1.
Looking for options via ArcGIS for Server, Sign In, or another approach?
To answer your question you have to consider two aspects with your IT Staff.
First of all you have to work with the GIS Server (ArcGIS for Server). If you want to load your on-premise data from outside the company network you have to publish your GIS server to the Internet with its corresponding security access. You can do this using ArcGIS for Server Web Adaptor or set up a Reverse Proxy in the DMZ.
Same thing you have to do with your web map application, you have to publish the IIS or Apache Host Server to the Internet and make sure that the web map services configured in the app point to the Internet GIS server.
For more information check this article from the Esri documentation: Firewalls and ArcGIS Server—Documentation (10.3 and 10.3.1) | ArcGIS for Server
Greetings and good luck
Esri System Designer Associate 10.2
It sounds like you want to secure your ArcGIS Server resources, making them accessible to certain users with perms across the Internet.
In follow-up to Leandro's recommendation, check out the following link:
You may want to also look carefully at restricting access to web services:
Here's some info on using tokens:
Good luck - there's a lot to this! You might find more help in the AGS server forum. You should be OK with just version 10.1. We skipped over that version actually, but what we did in 10.0 compared to 10.2 really hasn't changed. You'll find documentation in the AGS Help, more than looking through the API documentation.
You'll need to set up https and a proxy because now you're dealing with passwords and security.
You will need to modify both your map service and your application. In ArcGIS Manager, you'll see a place to specify users and roles. Think of roles as groups that users can belong to. I've set up a generic role and user before and had multiple users all authenticate with this generic user. This may or may not be an acceptable solution for you.
Once you have the user/roles set up, go to the services and use the 'lock' to secure the service to a particular user. Now you won't be able to see this service at the REST endpoint without credentials.
In the API, look at IdentityManager. Once you have a proxy and only https requests in your code, adding IdentityManager will automatically trigger a login. The user can enter the credentials set up in the steps above. IdentityManager only locks layers, not the whole application. The map still initializes, just stopping when it encounters a secured layer. The user can't proceed with loading the rest of the map until they've authenticated.
It gets more complicated from there. Some people don't want the map to start loading at all without some sort of authentication. We use Active Directory and there's a whole other level of settings that have to be put in place if you want to have their existing OS account manage whether or not they can access a map.
You have a lot of reading ahead of you - this isn't the easiest thing to wrap your head around.
Any more suggestions greatly appreciated.
I'm in a large IT shop, so I'm not allowed to make changes to the AGS configuration, so I can't advise you with any kind of detail in this area. You can test this whole configuration with a test service and small application that just contains the bare bones as your starting point.
We originally thought we could come up with just one methodology for securing maps, but there are so many considerations when we have to deal with both internal only and 'secure but public' maps. We've set up Active Directory groups when we needed to limit to just a small group, but also opened a few things up to 'any AD account' which gives wide open access to anyone who has one. That's basically what you need for an internal only map.
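
One way to check the setup discussed in this thread before the map is exposed, as an added example that is not code from any poster or from Esri: it audits the service URLs an app is configured with for https, for pointing at the Internet-facing GIS host, and for refusing anonymous requests. It assumes token-based security, where a locked service answers an anonymous `f=json` request with an error object carrying code 499; the host names, service names and response bodies are constructed.

```javascript
// Added example. Assumption: a locked ArcGIS Server service answers an anonymous
// f=json request with an error object whose code is 499 (token required).
const TOKEN_REQUIRED = 499;

// Check one service URL from the app config against the anonymous response body.
function auditService(url, anonymousBody, publicHost) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return ["unparseable URL"];
  }
  const findings = [];
  if (parsed.protocol !== "https:") findings.push("not https");
  if (parsed.hostname.toLowerCase() !== publicHost.toLowerCase()) {
    findings.push("not the public host");
  }
  const err = anonymousBody && anonymousBody.error;
  if (!err) findings.push("answers without credentials");
  else if (err.code !== TOKEN_REQUIRED) findings.push("unexpected error " + err.code);
  return findings;
}

// Return only the services that have at least one finding.
function auditApp(services, publicHost) {
  const report = {};
  for (const s of services) {
    const findings = auditService(s.url, s.anonymousBody, publicHost);
    if (findings.length > 0) report[s.url] = findings;
  }
  return report;
}

// Constructed sample: host names, service names and response bodies are made up.
const PUBLIC_HOST = "gis.example.com";
const SAMPLE_SERVICES = [
  { url: "https://gis.example.com/arcgis/rest/services/Parcels/MapServer",
    anonymousBody: { error: { code: 499, message: "Token Required", details: [] } } },
  { url: "http://gisint01.example.local/arcgis/rest/services/Roads/MapServer",
    anonymousBody: { error: { code: 499, message: "Token Required", details: [] } } },
  { url: "https://gis.example.com/arcgis/rest/services/Utilities/MapServer",
    anonymousBody: { currentVersion: 10.1, mapName: "Layers" } },
];

console.log(JSON.stringify(auditApp(SAMPLE_SERVICES, PUBLIC_HOST), null, 2));
```

In practice the `anonymousBody` values would come from requesting each URL with `?f=json` from outside the network and without credentials.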