Make Portal for ArcGIS public accessible using IIS reverse proxy server in DMZ

03-12-2018 07:19 AM
JYI
by
Occasional Contributor

We are having issues when trying to configure an IIS reverse proxy server in the DMZ to make Portal for ArcGIS 10.5.1 public. Portal for ArcGIS has been added to Web Adapter, and both Portal and Web Adapter are located on the same server.

Everything works fine except the following two issues so far:

1. The change password function does not work. After user signs in, click My Profile, EDIT MY PROFILE button -> CHANGE PASSWORD button, the intranet server name is displayed in the url address bar, instead of the public domain name. 

I.e., the address bar shows https://aaawebapp01/arcgis/sharing/oauth2/resetPassword?oauth_state=qYQc9.....,

instead of https://public-url/arcgis/sharing/oauth2/resetPassword?oauth_state=qYQc9......

Of course, with this intranet host name shown, users cannot go on to change their passwords.

2. After user signs in, if user reloads the signin link: https://public-url/arcgis/home/signin.html,   the following page is shown, where, in the middle of the page, the intranet server name is displayed again:

Could somebody shed light on the above two issues: how to change the IIS rewrite rules to hide the intranet server name in the above two cases and display the public domain name correctly? I notice that one of the issues is related to a form, and the other one is related to an IFrame. The strange thing is that the public domain name is loaded correctly in other parts of the public Portal for ArcGIS.

There is no reference from ESRI for using IIS reverse proxy server with Portal for ArcGIS. 

Thanks

JYI


Accepted Solutions
JYI
by
Occasional Contributor

This issue is finally solved.

It is due to the IIS Reverse proxy server settings --- URL rewrite rules.

Use a developer tool to examine the response headers for the Change Password function. Since the response header shows that the Location URL contains the intranet host name instead of the internet-facing domain name, something has to be done on the Location field. It falls under Scenario 3 in https://blogs.msdn.microsoft.com/chiranth/2014/06/13/url-rewrite-part-3outbound-rules-rewrite-maps/. After the outbound rule is added, both of the above issues are resolved.

For anyone who is interested in using an IIS reverse proxy server with Portal for ArcGIS, only one inbound rule and two outbound rules are required:

1. Inbound rule, https://www.jetbrains.com/help/hub/Proxy-Configuration.html#IIS_Config is the reference for how to configure the headers of your proxy server in IIS, and https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-... for the basic rewriting rule.

2. Outbound rule, https://blogs.msdn.microsoft.com/chiranth/2014/06/13/url-rewrite-part-3outbound-rules-rewrite-maps/ to change the location from intranet host name to internet facing host name.

3. Outbound rule, https://blogs.msdn.microsoft.com/friis/2016/08/25/iis-with-url-rewrite-as-a-reverse-proxy-part-2-dea..., to support gzip encoding.
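
The three rules listed in the accepted solution, written out as a web.config for the proxy site. This is an added example, not the poster's configuration or text from the linked blogs. It assumes `aaawebapp01` and `public-url` from the question as the intranet and public host names, an `/arcgis` Web Adapter path, and hypothetical rule names.

```xml
<!-- Added example. aaawebapp01 / public-url are the host names used in the question;
     rule names and the /arcgis path are assumptions. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound: forward /arcgis/* to the intranet host and tell Portal the public name -->
        <rule name="PortalInbound" stopProcessing="true">
          <match url="^arcgis/(.*)" />
          <serverVariables>
            <!-- Fixed value, not {HTTP_HOST}, so a spoofed Host header is never forwarded -->
            <set name="HTTP_X_FORWARDED_HOST" value="public-url" />
            <!-- Ask the backend for uncompressed bodies; keep the client's value for later -->
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
          <action type="Rewrite" url="https://aaawebapp01/arcgis/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound 1: replace the intranet host in redirect Location headers -->
        <rule name="PortalLocationHeader" preCondition="IsRedirect">
          <match serverVariable="RESPONSE_Location" pattern="^https?://aaawebapp01(?::\d+)?/(.*)" />
          <action type="Rewrite" value="https://public-url/{R:1}" />
        </rule>
        <!-- Outbound 2: restore the client's Accept-Encoding so IIS can compress the reply -->
        <rule name="RestoreAcceptEncoding" preCondition="HasOriginalAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="IsRedirect">
            <add input="{RESPONSE_STATUS}" pattern="^3\d\d$" />
          </preCondition>
          <preCondition name="HasOriginalAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The three request server variables set here must first be added to the URL Rewrite allowed server variables list on the proxy. After deploying, repeat the developer-tool check on the Change Password redirect and confirm the `Location` header carries `public-url` rather than `aaawebapp01`.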

3 Replies
JonathanQuinn
Esri Frequent Contributor

You need to set the WebContextURL within the system properties of the Portal to point to the external URL:

Use a reverse proxy server with Portal for ArcGIS—Portal for ArcGIS (10.6) | ArcGIS Enterprise 

JYI
by
Occasional Contributor

Thanks for the input. We followed that reference when we set up the IIS reverse proxy server. More details are listed in another link: https://community.esri.com/message/750244-re-exportwebmaptask-errors-out-on-server.

Any more possible fields to look at?

Just a guess: why has this intranet host name suddenly appeared in the middle of nowhere? Is it because our intranet server is a workgroup server instead of a domain server, while the Portal Change Password function is looking for a domain name instead of a workgroup name? It is hard to imagine this error is due to some URL rewrite rules......

Thanks again.
