Intranet Web Map to an Internet Web Map?

10-15-2015 11:04 AM
JamesFitzgerald
Occasional Contributor II

Hello,

I am researching how to convert an Intranet (internal) web map application to an Internet (external) web map. The data is private. Theoretically, I want the user to be able to access it outside of the internal network. I may be able to copy the Web viewer and paste it to an HTTP. If the user has to access it via a 'Sign In,' then this approach will work. I cannot use ArcGIS Online. I do not have ArcGIS for Portal. I have ArcGIS for Server 10.1.

Looking for options via ArcGIS for Server, Sign In, or another approach?

Thanks

0 Kudos
8 Replies
Leandro-Zamudio
Occasional Contributor

Hi James.

To answer your question you have to consider two aspects with your IT Staff.

First of all, you have to work with the GIS Server (ArcGIS for Server). If you want to load your on-premise data from outside the company network, you have to publish your GIS server to the Internet with its corresponding security access. You can do this using ArcGIS for Server Web Adaptor or by setting up a Reverse Proxy in the DMZ.

You have to do the same thing with your web map application: you have to publish the IIS or Apache Host Server to the Internet and make sure that the web map services configured in the app point to the Internet GIS server.

For more information, check this article from the Esri documentation: Firewalls and ArcGIS Server—Documentation (10.3 and 10.3.1) | ArcGIS for Server

Greetings and good luck

Leandro Zamudio

Esri System Designer Associate 10.2

JamesFitzgerald
Occasional Contributor II

Thanks for pointing me in the right direction. I will check it out.

James

0 Kudos
ChrisSmith7
Frequent Contributor

It sounds like you want to secure your ArcGIS Server resources, making them accessible to certain users with perms across the Internet.

In follow-up to Leandro's recommendation, check out the following link:

Configuring ArcGIS Server security—Documentation (10.3 and 10.3.1) | ArcGIS for Server

You may want to also look carefully at restricting access to web services:

Restricting access to GIS web services—Documentation (10.3 and 10.3.1) | ArcGIS for Server 

Here's some info on using tokens:

Programmatic authentication to ArcGIS Server secured layers via RESTful API - Geographic Information...

JamesFitzgerald
Occasional Contributor II

Thank you. We are using Server for ArcGIS 10.1. Will I still have the capabilities of configuring ArcGIS Server security?

J

0 Kudos
TracySchloss
Frequent Contributor

Good luck - there's a lot to this! You might find more help in the AGS server forum. You should be OK with just version 10.1. We skipped over that version actually, but what we did in 10.0 compared to 10.2 really hasn't changed. You'll find documentation in the AGS Help, more than looking through the API documentation.

You'll need to set up https and a proxy because now you're dealing with passwords and security.

You will need to modify both your map service and your application. In ArcGIS Manager, you'll see a place to specify users and roles. Think of roles as groups that users can belong to. I've set up a generic role and user before and had multiple users all authenticate with this generic user. This may or may not be an acceptable solution for you.

Once you have the user/roles set up, go to the services and use the 'lock' to secure the service to a particular user. Now you won't be able to see this service at the REST endpoint without credentials.

In the API, look at IdentityManager. Once you have a proxy and only https requests in your code, adding IdentityManager will automatically trigger a login. The user can enter the credentials set up in the steps above. IdentityManager only locks layers, not the whole application. The map still initializes, just stopping when it encounters a secured layer. The user can't proceed with loading the rest of the map until they've authenticated.

It gets more complicated from there. Some people don't want the map to start loading at all without some sort of authentication. We use Active Directory and there's a whole other level of settings that have to be put in place if you want to have their existing OS account manage whether or not they can access a map.

You have a lot of reading ahead of you - this isn't the easiest thing to wrap your head around.
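
One way to confirm the 'lock' step from the post above took effect, as an added example that is not part of the thread: classify what an anonymous `f=json` request to each service URL returns before the map is exposed to the Internet. The host `gis.example.com`, the service names and the sample responses are constructed, and the 499/498 error codes and 401/403 statuses are the assumed signals for token and web-tier security.

```javascript
// Added example, not code from the thread. Classifies what an anonymous
// (no token, no login) f=json request to a service URL got back.
// Assumptions: token-secured ArcGIS Server services answer with a JSON error
// body carrying code 499 or 498; web-tier authentication answers HTTP 401/403.
function classifyAnonymousResponse(url, httpStatus, bodyText) {
  const findings = [];
  // Credentials and tokens must never travel over plain http.
  if (!/^https:\/\//i.test(url)) findings.push("not-https");

  if (httpStatus === 401 || httpStatus === 403) {
    return { url, state: "secured-web-tier", findings };
  }
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return { url, state: "unknown", findings }; // HTML login page, proxy error...
  }
  if (body && body.error) {
    const secured = body.error.code === 499 || body.error.code === 498;
    return { url, state: secured ? "secured-token" : "unknown", findings };
  }
  // A service description came back without credentials: the lock is missing.
  if (httpStatus === 200 && body && (Array.isArray(body.layers) || body.currentVersion !== undefined)) {
    return { url, state: "open", findings };
  }
  return { url, state: "unknown", findings };
}

// Returns the URLs that still need work before the map goes on the Internet.
function needsAttention(samples) {
  return samples
    .map((s) => classifyAnonymousResponse(s.url, s.status, s.body))
    .filter((r) => r.state === "open" || r.state === "unknown" || r.findings.length > 0)
    .map((r) => r.url);
}

// Constructed responses; gis.example.com and the service names are placeholders.
const SAMPLES = [
  { url: "https://gis.example.com/arcgis/rest/services/Parcels/MapServer?f=json", status: 200,
    body: '{"error":{"code":499,"message":"Token Required","details":[]}}' },
  { url: "https://gis.example.com/arcgis/rest/services/Roads/MapServer?f=json", status: 200,
    body: '{"currentVersion":10.11,"mapName":"Roads","layers":[{"id":0,"name":"Roads"}]}' },
  { url: "http://gis.example.com/arcgis/rest/services/Wells/MapServer?f=json", status: 401, body: "" },
];

console.log(needsAttention(SAMPLES));
```

A service reported as `open` still returns its description to anyone, and `not-https` flags a URL where a login would travel in clear text.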

SteveCole
Frequent Contributor

It may not be, but I certainly appreciate your post & overall explanation. Thanks, Tracy!

0 Kudos
JamesFitzgerald
Occasional Contributor II

Thank you! So, since I currently do not have access to my company's GIS server but soon will, I have been reading about GIS server security and ArcGIS API for JavaScript. It appears I will be able to create a log-in using Identity Manager. The identity manager is notified through the HTTPS feature service secured by way of GIS Server Manager (setting up roles and security) and ArcGIS Web Adaptor (reverse proxy). Of course, before I write code and point my feature service to the web map, I need to work in Server for ArcGIS Manager. There I will find a couple of options. Furthermore, I understand there are two options in Server for ArcGIS 10.1 Manager: ArcGIS Server authentication (tokens) and Web Server authentication (ArcGIS Web Adaptor). For security purposes, I need the second option, Web Server Authentication.

Any more suggestions greatly appreciated.

Thanks

0 Kudos
TracySchloss
Frequent Contributor

I'm in a large IT shop, so I'm not allowed to make changes to the AGS configuration, so I can't advise you with any kind of detail in this area. You can test this whole configuration with a test service and small application that just contains the bare bones as your starting point.

We originally thought we could come up with just one methodology for securing maps, but there are so many considerations when we have to deal with both internal only and 'secure but public' maps. We've set up Active Directory groups when we needed to limit to just a small group, but also opened a few things up to 'any AD account' which gives wide open access to anyone who has one. That's basically what you need for an internal only map.