We use a reverse proxy to allow web traffic through a port that is uncommon and this is the only port that is allowed to communicate through the firewall from the DMZ to internal servers like the IIS Server. Our IIS and SQL and three ArcGIS Servers are internal and the only thing thing that is outside the DMZ is our Apache webserver that acts as our reverse proxy. Web traffic come through as a standard url like https://www.google.com/arcgis or https://www.google.com/arcgis2 but based on the url it is redirected to the particular ArcGIS Server (i.e. https://www.google.com/arcgis2 traffic goes to http://server2:port####/arcgis2/) but the web user never sees that url with the undisclosed port number. IIS and our ArcGIS web adaptor are setup to use this undisclosed port. Using a reverse proxy was esris recommendation years ago before the web adaptor app cam e out, but we continue to use this as it has worked so well for us for many years.
Thank you for the information. That's a very interesting avenue. I am not sure what would be the implication of the web adaptor in this kind of settings. Also, do you know if Portal is compatible with such reverse proxy?