Portal Setup, HTTP/HTTPS and HTTPS Only

3678
7
Jump to solution
10-31-2016 03:37 PM
PaulDavidson1
Regular Contributor

I recently removed the HTTPS Only setting from our Development Portal's Security Setting:

I needed to play with some data from our local city GIS and it's only published with HTTP.

Some issues have occurred that I'm trying to understand.

When I did this, I started pulling 403 Forbidden Access issues when I went to http://myFQDN/portal/home/...

I realized the issue here is that my web adaptor is setup for HTTPS and I'm going through the WA.

But when I try to access via the 7080 port:

http://myFQDN:7080/arcgis/home/organization.html

the browser immediately jumps to the https address associated with the web adaptor.

Is this a function of the Portal setup files?

Or is this a Browser issue?  I'm using IE11, Win 7 and I've cleared the cache multiple times.

Is there a Portal cache that needs clearing?

Is the proper thing to do here to setup another web adaptor for the HTTP only mode?

Will that then allow you to access Portal via HTTPS or HTTP via the web adaptor?

I assume I just have to have a separate name for each WA as well as separate port addressing.

Except, it occurs to me that Portal is not like AGS, you cannot install multiple WAs for Portal.

Edit: I did this try this and it failed.

Seems like once you setup a secure Web Adaptor, you're committed to that setup or do I go back to that original WA and modify it's configuration.

I certainly seems that removing https only is not as simple as just unchecking the above box.

 

This is a DEV Portal so I can try various configurations but I'd prefer to avoid total voodoo programming and have an inkling of what I'm doing and how it will come together.

0 Kudos
1 Solution

Accepted Solutions
JonathanQuinn
Esri Frequent Contributor

Portal does support http and https when the option for Allow access over SSL only is disabled.  It requires https to always be available for the sign in pages.  Paul, if you were to create a new virtual directory within IIS and navigate to it over http and https, do both work?  I'm wondering if this is a problem in IIS, rather than the Web Adaptor.  Can you provide the exact code for the 403?  For example, 403.4, 403.5, etc, (list of them can be found here, I apologize for the wikipedia source).

View solution in original post

0 Kudos
7 Replies
khairulamri
Occasional Contributor

Hi Paul, 

Just shared my understanding:

HTTPS : everything on portal page will be https, portal always communicate with the others using https. you can't add data that used http as url.

HTTP and HTTPS : only confidential pages will be used https by default (login page, signup, my organization, profile). however you can use both http and https for every pages. for example:

if you setup as http and https, your map viewer by default will be http://domainname/arcgis/home/webmap/viewer.html however its still work if you changed to https://domainname/arcgis/home/webmap/viewer.html.

if your data published using http, make sure your mapviewer is http instead of https.

for error 403, would you share what your webserver and how you setup your webadaptor ?

Regards,

Amri

0 Kudos
PaulDavidson1
Regular Contributor

Amri: the WA is set to port 7443.  I believe if you plan on using https and a web adaptor, you have to do that.

If you try to go through the WA in this case with just http, it will give you the 403 error.

Thanks

0 Kudos
GISSupport3
Regular Contributor

Someone may have set your webserver to automatically redirect http to https to reduce confusion when users can't connect (previously) with http.

0 Kudos
PaulDavidson1
Regular Contributor

Not unless Portal does that for you behind the scenes.  I control the server.

I'll guess I'll have to look at some of the IIS settings. 

I believe what is happening is that the WA is setup for https and that's what is causing the redirect.

The piece I'm missing is how do you setup for https & http on Portal.

The WA is given a port to work through, to enable https, you give it 7443. 

Or am I missing something here?

0 Kudos
JonathanQuinn
Esri Frequent Contributor

Portal does support http and https when the option for Allow access over SSL only is disabled.  It requires https to always be available for the sign in pages.  Paul, if you were to create a new virtual directory within IIS and navigate to it over http and https, do both work?  I'm wondering if this is a problem in IIS, rather than the Web Adaptor.  Can you provide the exact code for the 403?  For example, 403.4, 403.5, etc, (list of them can be found here, I apologize for the wikipedia source).

0 Kudos
PaulDavidson1
Regular Contributor

Hey Jonathan:

Unfortunately, I'm not receiving any other than a generic 403 error.

I have not found the time yet to try to see if this IIS driven. (or hook up Fiddler to see the traffic) but I did look at the built in IE F12 tools and all I'm seeing there is just 403.

I'll try to create a new virtual directory and see what happens.

Edit:  So, yes Jonathan, I believe you are correct, this is an IIS issue. 

When going to a new site as http, I get a 403.4 error.

Both the default web site and the two WA sites (Portal and Server) have Require SSL set in IIS.

What I don't recall, is if I did this or if it is done automatically during the installation.

I believe it happens during the IIS setup in the Chef cookbooks but I could have just as easily done it by hand.

Or does it get set when you bind the CA Cert to the website?

Removing the "Require SSL" in IIS (Default, Portal and Server) fixes the issue and once again allows for an HTTP/HTTPS portal.

Thanks! 

One question: if I re-enable "Allow access to the portal through HTTPS only." via My Organization>Edit Settings>Security

Do I need to reset "Require SSL" in IIS?

My recollection is that this was needed originally to make things work correctly with HTTPS only?

I checked and just checking that box in Portal does not set the flag in IIS.

I guess the question is, when is this setting in IIS required?

Will that override the settings in Portal and AGS?

I would think so, if going through the WA.

0 Kudos
JonathanQuinn
Esri Frequent Contributor

Thanks for the update.  If you want to enable HTTPS only, you don't need to set Require SSL to true, Portal will handle making sure the protocol is https.  Requiring https only in IIS enforces it at the web tier while the "Allow access to the portal through HTTPS only" in Portal sets it at the application level.  It's up to you whether you want to require https at the web tier level; it won't affect how Portal functions as long as you also require https in Portal.

0 Kudos