Block access to the portaladmin directory on external facing Portal

06-27-2019 06:48 PM
ClintonBallandis1
Occasional Contributor

Hi,

I have an external facing Portal at version 10.6.1. The Portal web adaptor is sitting in our DMZ. The following security presentation (https://downloads.esri.com/resources/enterprisegis/UC_Web_GIS_Security_Strategy.pdf) by randall_williams-esristaff recommends that the portaladmin interface isn't exposed to the public.

To restrict access to the portaladmin I had a firewall rule added that prevents anyone outside our organisation hitting URLs ending with portaladmin, e.g. https://xyz.com/arcgis/portaladmin.

I thought this would have worked; however, when I look at Fiddler it appears that Portal makes a call to the portaladmin to check if a token is required?

https://xyz.com/arcgis/portaladmin?f=json&ts=1561679026551 

When external users try to get to the portal they are getting an Internal Server Error 500 and are redirected to a create or join portal page because the above request is being blocked by the firewall rule?

GET https://xyz.com/arcgis/portaladmin?f=json&ts=1561506980599 500 (Internal Server Error).

Question


How can I block access to the Portal Admin directory while still allowing external users to log in successfully? Or am I missing something here?

Any help appreciated.

Thanks,

Clinton

1 Solution

Accepted Solutions
DavidHoy
Esri Contributor

Lots of good stuff on this topic in this article by Noah Meyer

Deployment Patterns for Exposing ArcGIS Enterprise... - Esri Community

including the link to the Customer doc on the trust.arcgis.com site
ArcGIS Enterprise Web Application Filter Rules


8 Replies
JonathanQuinn
Esri Notable Contributor

The home application (https://portal.domain.com/portal/home) will attempt to reach portaladmin to determine whether it should display the create site/join site page, upgrade, or a sign in page. It seems like the home application isn't handling the 500 response code well.

The portaladmin endpoint is also used by the home application to display licensing information (if you're signed in as an administrator), so that's why there's no concept of "disabling admin access" as there is for Server Web Adaptor or Server deployments.

The first point obviously causes a problem for non-admins, but the second could be an additional issue for admins. Unfortunately I can't speak to the security aspects of disabling portaladmin access, but I think disabling that access is going to be problematic, as the home app does expect certain responses from that endpoint (whether that's correct or incorrect is another good question).

VishApte
Esri Contributor

Hi Jonathan Quinn

Are the above comments still applicable for ArcGIS Portal 10.8.1? We have a large enterprise client with a public facing portal who wishes to block portaladmin access using the load balancer. Is it possible?

Thanks,

Vish

JonathanQuinn
Esri Notable Contributor

No, there haven't been any changes at 10.8.1 to support blocking administrative access to the Portal Administrator directory. I suggest you either create an Idea on the Ideas site, or contact Support to log an enhancement request.

DavidHoy
Esri Contributor

Vish Apte

In our big NSW site (at 10.7.1), we block administrator access at the external load balancer using a more finely grained set of blacklisted portaladmin paths - current set is:

*/portaladmin/federation*

*/portaladmin/exportSite*

*/portaladmin/importSite*

*/portaladmin/machines*

*/portaladmin/security/config/update*

*/portaladmin/system/webadaptors*

*/portaladmin/security/sslCertificates*

*/portaladmin/security/tokens*

*/portaladmin/system/database*

*/portaladmin/system/indexer*

*/portaladmin/system/properties*

*/portaladmin/security/config/updateIdentityStore*

*/portaladmin/security/config/testIdentityStore*
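
The following is an added example, not code from this thread or from Esri. It is a small Python matcher that applies the wildcard list above (and, for contrast, the single catch-all rule from the original question) to constructed request URLs, so you can check that the home app's probe of the portaladmin root (the `?f=json` request Jonathan describes) still passes while the listed administrative operations are stopped. The pattern semantics (shell-style `*` matching across `/`, matching on the path only with the query string stripped, case-insensitive comparison) and the sample URLs are assumptions chosen for illustration; a real load balancer or WAF has its own matching rules and should be tested the same way.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed copy of the path patterns posted above (load-balancer style
# wildcards, '*' matching any run of characters including '/').
BLOCKED_PATTERNS = [
    "*/portaladmin/federation*",
    "*/portaladmin/exportSite*",
    "*/portaladmin/importSite*",
    "*/portaladmin/machines*",
    "*/portaladmin/security/config/update*",
    "*/portaladmin/system/webadaptors*",
    "*/portaladmin/security/sslCertificates*",
    "*/portaladmin/security/tokens*",
    "*/portaladmin/system/database*",
    "*/portaladmin/system/indexer*",
    "*/portaladmin/system/properties*",
    "*/portaladmin/security/config/updateIdentityStore*",
    "*/portaladmin/security/config/testIdentityStore*",
]

# The coarse rule from the original question: anything under portaladmin.
COARSE_PATTERNS = ["*/portaladmin*"]


def blocking_rule(url, patterns=BLOCKED_PATTERNS):
    """Return the first pattern that matches the request path, or None if the
    request would be allowed through.

    Only the path is compared (the query string is stripped), and both sides
    are lower-cased so that a differently-cased path does not slip past the
    filter (assumption: the real filter normalises case the same way).
    """
    path = urlsplit(url).path.lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(path, pattern.lower()):
            return pattern
    return None


# Constructed sample traffic; the first URL is the home app's probe from the
# original question, the rest are representative admin and non-admin calls.
SAMPLE_REQUESTS = [
    "https://xyz.com/arcgis/portaladmin?f=json&ts=1561679026551",
    "https://xyz.com/arcgis/sharing/rest/generateToken",
    "https://xyz.com/arcgis/portaladmin/security/tokens?f=json",
    "https://xyz.com/arcgis/portaladmin/Security/Config/Update",
    "https://xyz.com/arcgis/portaladmin/system/webadaptors/list",
]


def evaluate(urls, patterns=BLOCKED_PATTERNS):
    """Map each URL to the pattern that blocks it (None means allowed)."""
    return {url: blocking_rule(url, patterns) for url in urls}


if __name__ == "__main__":
    for label, patterns in (("coarse", COARSE_PATTERNS), ("fine-grained", BLOCKED_PATTERNS)):
        print(f"--- {label} rule set ---")
        for url, hit in evaluate(SAMPLE_REQUESTS, patterns).items():
            print(f"{'BLOCK' if hit else 'allow':5}  {url}  {'<- ' + hit if hit else ''}")
```

Running the script shows the difference the thread is about: under the coarse rule the root probe `/arcgis/portaladmin?f=json` is blocked (which is what produced the 500 and the create/join page), while under the fine-grained list it is allowed and only the listed administrative paths are stopped. Because the first matching pattern wins, `.../security/config/updateIdentityStore` is reported against the shorter `.../security/config/update*` pattern; both entries are kept so the list stays readable on its own.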

ClintonBallandis1
Occasional Contributor

Hi Vish,

Randall Williams sent me a list of endpoints to block that I then had added to our WAF.

Thanks,

Clinton

DavidHoy
Esri Contributor

Hi Clinton,

Does the list from Randall match the one I have provided?

NicolasGIS
Occasional Contributor III

Hello,

@Randall Williams would it be possible to share that list publicly, or maybe to make an article about such an architecture?

Thanks
