Can not access my ArcGIS server externally

4629
11
02-23-2017 02:48 PM
Chang-HengYang
New Contributor III

I am trying to access my GIS server outside the server itself. But, I have trouble and tried to solve this problem by different solutions. 

The background of my server

I have Windows 2012 Server x64 with SQL Server 2012.

I'm also using IIS 8 as a web server on the same machine.

I've installed ArcGIS for Server 10.3.1 and only used the "register folder" to store feature class in the file geodatabase.  

I do not use the Web Adaptor. The Authentication Tier (security) inside the ArcGIS manager is "GIS Server" 

I can access the url ("http://stateparkmap.okstate.edu:6080/arcgis/rest/services") inside the server. However, I can not access the url externally by browsers (IE, Chrome and Firefox) either by wifi or ethernet. In addition, I have disabled the proxy for these browsers. The message show "resource is online but is not responding to connection" on IE or "Failed to load resource: net::ERR_CONNECTION_TIMED_OUT" on Chrome. 

I have installed the DNS server to bind the ip address with the domain (stateparkmap.okstate.edu). In addiiton, I can access to the http://stateparkmap.okstate.edu/index.html outside the server.

Could you share your precious opinions for this problem?

Thanks,

Hank

 

0 Kudos
11 Replies
RebeccaStrauch__GISP
MVP Esteemed Contributor

Drop the ":6080"  which is for internal purposes, that is directly to the machine.  For IIS, it should us port 80 which is assumed typically (for non secure).  But I see if I put in

http://stateparkmap.okstate.edu/arcgis/rest/services

it prompts for a log in, so you really want to get https put in place (and SSL cert). which uses 6443 internally, and 443 in IIS.

Chang-HengYang
New Contributor III

Hi Rebecca,

I appreciate your opinions. I followed your instructions and accessed the website (http://stateparkmap.okstate.edu/arcgis/rest/services). Then I used my username and password. The message was shown on the screen "404 - File or directory not found." Do I need to install the server files into the Application (binding with "http://stateparkmap.okstate.edu") folder rather than the default path"C:\Program Files\".

The physical path for the Application is in the D:\App_Test. 

 

Could anyone provide your insights?

Thanks,

Hank

0 Kudos
JonathanQuinn
Esri Frequent Contributor

Do you have the web adaptor installed?  If so, have you installed it in the Default Web Site or your new web site?  Your Default Web Site is stopped so if you're using the Web Adaptor you'll need to check where you installed it and reinstall it in your stateparkmap.okstate.edu website if it's not installed there.

0 Kudos
Chang-HengYang
New Contributor III

Hi Jonathan,

I appreciate your opinions. I do not install the web adaptor. My default web site is stopped. 

Thanks,

Hank

0 Kudos
JonathanQuinn
Esri Frequent Contributor

In addition to Rebecca Strauch, GISP‌ comments on dropping 6080, (you likely don't expose 6080 outside of your network), it appears that you have Windows Authentication enabled on the web site, given the 401 that's returned when reaching your services URL.  Even going as far back as simply the hostname and domain returns the 401, (http://stateparkmap.okstate.edu), again, indicating you have Windows Authentication enabled on the web site.  If you plan to provide people external to your network access to your services, you should not enable Windows Authentication on the external endpoints.  If you want IWA internally, register another web adaptor and configure it with IWA.

ScottFierro2
Regular Contributor

So I agree with both Rebecca Strauch, GISP‌ and Jonathan Quinn‌ I am trying to wrap my head around where the real issue lies but it feels like IIS.

You said you can get to http://stateparkmap.okstate.edu:6080/arcgis/rest/services which means your name is being resolved correctly otherwise you'd fail and only have access over http://<ServerName>:6080/arcgis/rest/services However as they mentioned 6080 is your internal exposed port for direct connections.

Accessing either  http://stateparkmap.okstate.edu/index.html or http://stateparkmap.okstate.edu/arcgis/rest/services both trigger the IWA login prompts.

So starting with IIS and working backwards if you go into IIS for stateparkmap.okstate.edu and go into your Authentication it would need to look like this (which is what Jonathan Quinn‌) is referencing

It seems as though your current configuration has "Windows Authentication" set as "Enabled"

If for some reason once you ensure this is how the site is configured the next thing to try would be on the right side of IIS for the site you can browse so if you choose " Browse localhost on *:80 (http)" what are you getting?

Chang-HengYang
New Contributor III

Hi Scott,

I appreciate your all precious opinions. My original setting for the Window Authentication was Enabled. But now is "Disabled". The setting for the Anonymous Authentication is "Enabled" and "Application pool identity".

The permission for the Application (App_Test) was also shown below. I also set the permission for the IIS_IUERS (But not including "Everyone").

In addition, I could see the content in the index.html when clicking the "*:80 (http)".

However, I still can not access the rest server site externally(http://stateparkmap.okstate.edu/arcgis/rest/services ).

Thanks,

Hank

0 Kudos
JonathanQuinn
Esri Frequent Contributor

So it appears that IIS is working on HTTP and HTTPS without any authentication challenges, which was the first hurdle.  Now you need to decide what you want in the front of the Server.  The Web Adaptor is essentially a reverse proxy/load balancer.  This sends traffic from 80/443 to 6080/6443.  You can also use your own reverse proxy to send traffic from 80/443 to 6080/6443.  Currently, it doesn't seem like you have anything in place to connect your front end web server to your back end ArcGIS Server.  You've also exposed the Server directories, (it appears some install files and directories), to the public.  This is a pretty big problem.  I strongly suggest you disable directory browsing on the  

stateparkmap.okstate.edu Web Site, delete the ArcGISServer directory from your inetpub folder, and work with your IT staff on best practices for web servers.

RebeccaStrauch__GISP
MVP Esteemed Contributor

I would have to agree with Jonathan Quinn statement:

I strongly suggest you disable directory browsing on the  

stateparkmap.okstate.edu Web Site, delete the ArcGISServer directory from your inetpub folder, and work with your IT staff on best practices for web servers.

or contact esri tech support.  They could help more with the specifics of you setup.

When hitting your http://stateparkmap.okstate.edu/arcgis/rest/services   site, the first time I was prompted for the authentication (with http, i.e. not a secure connection) and I cancelled.