Is it safe to expose ArcGIS License Manager to the web?

07-27-2021 01:02 PM
Joshua-Young
Occasional Contributor III

A little background first. I have an ArcGIS Enterprise 10.8.1 deployment that is accessible over the internet through a web adaptor. A problem that we have had for years is that our portal is accessible via the internet but whenever any of my users opens ArcGIS Pro off network they get an error that the ArcGIS License Manager (ALM) is not accessible, which is expected because the ports for ALM are blocked from the internet by the firewall.

Is it safe to expose the ALM to the internet so remote workers have access to ArcGIS Pro without having to use a VPN?  If I get my system admin to expose the ALM port to the internet, will anybody who finds the port be able to access our licenses managed through ALM?

Does Esri have a way or documentation on how to proxy the ALM connection? Could ArcGIS Pro use a standard URL that is provided by a proxy to request a license? Then have the proxy connect to ALM get the license and have the proxy pass that back to ArcGIS Pro. I wish Esri would just add that functionality to ArcGIS Portal so that ArcGIS Pro, Drone2Map, etc. just make one call to ArcGIS Portal and ArcGIS Portal handles both authenticating the user and passing the license from ALM to ArcGIS Pro.

"Not all those who wander are lost" ~ Tolkien
ReeseFacendini
Esri Regular Contributor

Do users currently connect to a license server, or sign into Enterprise to license ArcGIS Pro?

Joshua-Young
Occasional Contributor III

They sign into Enterprise to license ArcGIS Pro. My understanding is ArcGIS Pro makes one connection to Enterprise to handle the authentication of the named user and check to see if they are allotted an ArcGIS Pro license. Then, if authentication is successful, ArcGIS Pro makes a separate connection to License Manager to get the license.

I am trying to find out how to safely let remote workers use ArcGIS Pro licensed through Enterprise without requiring a VPN connection to our network. However, I do not want to expose my License Manager to the internet if that means anyone who finds the open port can use our licenses.

"Not all those who wander are lost" ~ Tolkien
ReeseFacendini
Esri Regular Contributor

If your Enterprise deployment is public facing, licensing Pro should be no different than how users do it currently over VPN.  Enterprise handles the connections back to the License Manager / Server, so there wouldn't be a need to directly expose that service to the internet.

Joshua-Young
Occasional Contributor III

If a remote worker is not on our local network and not using a VPN, when they try to use ArcGIS Pro they get the Enterprise sign in page and after signing in they get an error message saying the License Manager could not be reached.

It was once explained to me that is because ArcGIS Pro attempts to make a separate connection to the License Manager and it is looking for the PortNumber@FQDN of License Manager that is provided by Enterprise. That makes sense because as soon as I use a VPN to connect to our network ArcGIS Pro gets the license and works, but if I disconnect the VPN I lose the license and get the warning that I have 60 minutes to save my work before ArcGIS Pro closes. Reconnect with the VPN and ArcGIS Pro is happy again.

If there is a way to have Enterprise be the proxy to the License Manager for ArcGIS Pro I would appreciate knowing how to set that up. We are running Enterprise 10.8.1, License Manager 2020.1, and ArcGIS Pro 2.7. Tomorrow I will be upgrading everything to the latest version so we will be on Enterprise 10.9, License Manager 2021.0, and ArcGIS Pro 2.8. Will that make a difference?

"Not all those who wander are lost" ~ Tolkien
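An added example, not part of the original posts and not Esri code: a small audit for the `PortNumber@FQDN` endpoint described above, which reports whether the License Manager name resolves to an internet-routable address that accepts TCP connections. The function names are hypothetical, and the sample endpoint in the test (`12345@lm.example.internal` and its addresses) is constructed; run it from a host outside the network to see what remote clients see.

```python
import ipaddress
import socket

def parse_license_endpoint(spec):
    """Split 'PortNumber@FQDN' into (port, host), rejecting malformed input."""
    port_text, sep, host = spec.strip().partition("@")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected PortNumber@FQDN, got {spec!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port, host.lower()

def resolve(host):
    """Return the distinct IP addresses DNS gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_endpoint(spec, resolver=resolve, probe=tcp_reachable):
    """Report, per resolved address, whether it is internet-routable and open."""
    port, host = parse_license_endpoint(spec)
    findings = []
    for addr in resolver(host):
        is_public = ipaddress.ip_address(addr).is_global
        is_open = probe(addr, port)
        findings.append({
            "address": addr, "port": port,
            "public": is_public, "open": is_open,
            # Exposure: routable from the internet AND accepting connections.
            "exposed": is_public and is_open,
        })
    return findings
```

An `exposed` finding from an outside vantage point means the firewall is no longer blocking the License Manager port, which is the condition the thread is weighing against the VPN requirement.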
ReeseFacendini
Esri Regular Contributor

My apologies for not catching up quickly enough to the point you were making.  Back to your initial post about if it's safe or not; in order to have the licenses accessible to users outside the network, the LM port would need to be open to the internet.  While no one would be able to take a license without being authenticated through Enterprise, it would disrupt the security posture of your Enterprise system and potentially allow hackers to slam the LM port with excessive requests and bring the system to a halt.  It's recommended to move the named user licenses to ArcGIS Online, in order to more securely license Pro for end users both inside and outside the network.

Joshua-Young
Occasional Contributor III

Thank you for the recommendation and I'll mark it as the solution, but that is not a great solution for us. One of our reasons for going with Enterprise years ago was to take advantage of LDAP integration for user sign ins to keep things as simple for our users as possible. I understand ArcGIS Online now has SAML support, but we do not have support on our end.

Are there any plans to have Enterprise act as the proxy between License Manager and ArcGIS Pro? It seems to me that would make more sense than the current method since Enterprise is already talking to License Manager to allow admins to assign ArcGIS Pro licenses through the Enterprise web UI.

Another option could be to provide a "web adaptor" for License Manager to hide the internal port and host name and provide other security features required for an internet exposed service.

Thank you for taking the time to chat with me about this.

"Not all those who wander are lost" ~ Tolkien
ReeseFacendini
Esri Regular Contributor

What about having users check out a license while connected to VPN, in order to use Pro "offline"?  Within License Manager you can set the borrow length (in days), and this would allow you to retain your AD authentication as well.

Joshua-Young
Occasional Contributor III

Thank you for the suggestion. I have also tried converting some of our named user ArcGIS Pro licenses to single use and applying them to individual devices for some of my users that are off network the most. I hope someday ArcGIS Pro licensing with Enterprise can work like it does with ArcGIS Online.

"Not all those who wander are lost" ~ Tolkien