Best Practice for Setting Up Portal and ArcGIS Server Behind a Reverse Proxy

719
6
06-16-2020 12:02 PM
DeniseBeckham
New Contributor II

   My organization has had ArcGIS Server set up behind a reverse proxy and running properly for years (Before I started working here).  We also have a SQL Server with data that many services on the ArcGIS Server reference.  We have a Geocortex server that consumes most of the services from the ArcGIS Server.  Earlier this year, we tried to set up Portal on the the same machine as Server was already running on.  The main reason we want to set up Portal is so that we can use the Geocortex 5 Series with it.  When we used our internal URL, it seemed to be working fine.  However, when we tried using the external URL, We could not reach Portal.  

   We read through articles and tried several different things, but we couldn't even reach Portal with our internal URLs anymore.  We ended up contacting support and spending hours on the phone with them.  We had been using the same web adapter, so they had us install a separate web adapter.  They also had us try several other things, but nothing worked. 

   After taking a few months break from this, we want to start fresh.  We have the resources to set up all new environments and then migrate our data over from our old servers.  We probably won't have the time to give this a try until July, but I've been looking around for articles about setting up Portal and Server behind a reverse proxy.  I've found articles for each of them, but nothing about how to set them up together.  

   What we really need is a workflow of general steps for the best practice of setting them both up behind a reverse proxy.  Should they be on different servers, or is it ok if they're on the same one?  Does it matter which is installed first?  I don't know if there is a best practice regarding their relationship to the SQL and Geocortex Servers as well? 

Any help would be much appreciated!

Thanks,

Denise

0 Kudos
6 Replies
mdonnelly
Esri Contributor

Hello Denise,

Setting up ArcGIS Enterprise behind a reverse proxy is part of a standard deployment pattern and details on how to do this can be found here:

Configure your portal to use a reverse proxy server—Portal for ArcGIS (10.8) | Documentation for Arc... 

Configure a reverse proxy server with ArcGIS Server—Deploy | Documentation for ArcGIS Enterprise 

Essentially you need to configure the WebContextURL setting in System > Properties. You set WebContextURL to be the alias that you want to use instead of the machine name.

Mark

Regards,
Mark
0 Kudos
DeniseBeckham
New Contributor II

Hello Mark, 

Thank you for your reply.  

I found these articles, and the one for Portal is the one we referenced when we originally tried setting it up.  After thoroughly reading this article and still not being able to get it work ourselves, we contacted support.  They checked the WebContextURL (amongst many other things) and said it looked good.  After a few phone calls with them and several adjustments, we still could not get it to work.  We even had exceptions made in the county-wide firewall, but nothing we did got it working.  

That's why I was wondering if it's better to just install Portal and ArcGIS Server on different machines or if it's ok to have them on the same machine as long as they have their own web adapters.  And if it is better to have them on one machine, would it be better to install Portal before Server? 

Thanks for your time, 

Denise

0 Kudos
mdonnelly
Esri Contributor

Hi Denise,

Portal and ArcGIS Server are happy with either deployment scenario: being on the same machine or on different machines. Order of deployment shouldn't be an issue.

However, given that ArcGIS Server is the workhorse of Enterprise and is constrained to a 4 core license I would generally deploy it on a stand alone vm. This way you are ensure all the machine's resources are dedicated to just ArcGIS Server.

If you want to reduce the number of VMs you have, you could put Portal and Data Store on the same machine as there are no license restrictions for either of them.

I am not expecting the deployment pattern to fix the issues around using your alias however. I wonder if you need to get your IT network team involved to see if the alias is configured as expected. One important thing that needs to be noted is that if you are using a reverse proxy then it must ensure that the x-forward-host header is passed in the response.

Mark

Regards,
Mark
0 Kudos
DeniseBeckham
New Contributor II

Hello Mark and Jonathan, 

The IT Manager was on vacation last week, but I was just able to have a good discussion with him today.  He is the one who did all the actual deployment (and will continue doing all the actual deployment).  It turns out the question I should really be asking is, What is the best practice for deploying Portal in relation to a firewall?  

The way we had it set up before, Portal and its web adaptor were set up behind the firewall.  We tried to access Portal from an external URL that was forwarded through the firewall by the reverse proxy located in the DMZ, to the web adaptor, to Portal (the web adaptor was on the same server as Portal).  However, we ran into issues with Portal needing to use different ports than our firewall allows.  

Reverse Proxy > Firewall > Web Adaptor > Portal

So we want to know if we should just install Portal in the DMZ instead of behind the firewall, or if we only need to install the web adaptor on the DMZ and can keep Portal behind the firewall.  This would eliminate the need for the reverse proxy.

We also have a lot of resources, so we don't care how many VMs it takes for the best setup.

Thanks,

Denise

0 Kudos
mdonnelly
Esri Contributor

Hi Denise,

I would not install Portal inside the DMZ.

Application tier servers should always be behind a firewall.

The following link talks about unfederated ArcGIS Servers but it is still appropriate for Portal as well:

Firewalls and ArcGIS Server—ArcGIS Server Administration (Windows) | Documentation for ArcGIS Enterp... 

Your original architecture was correct. If you are having trouble with using certain port numbers then you can change Web Adaptor to use a non default port:

Use nondefault ports for the portal's ArcGIS Web Adaptor—Portal for ArcGIS (10.8) | Documentation fo... 

Mark

Regards,
Mark
0 Kudos
JonathanQuinn
Esri Frequent Contributor

Can you describe what you mean by "doesn't work"? You mentioned that you couldn't reach the portal; is it a connection refused type error, indicating that the URL has no path to resolve to? Can you provide and example of the web context URL you're using, and a description of your network architecture, (for example, reverse proxy -> web adaptors > portal, or something similar).

0 Kudos