Configuring ArcGIS Server to host services that are made available publicly

02-05-2016 08:46 AM
RandallClark2
Occasional Contributor II

Hi GeoNet,

We are working on creating a web map that will be used with outside consultants. In order to do this we need to open up our services to the public through the company firewall. To do this I need to go talk to IT, but I am concerned that I am not going to be able to explain myself in a way that makes sense to IT as to what we need to do, and I am not really sure what we need to do.

I'm currently going through the ArcGIS Server documentation but figured I would ask here too.

Thanks

0 Kudos
17 Replies
JoeHershman
MVP Regular Contributor

There is really not an easy answer because it all depends on how your IT has things set up.

If you want to share things publicly you should look at using WebAdapter.  This will allow requests to come in on port 80 which is usually more acceptable to IT.  I would then suggest they create a subdomain (e.g., ags.yourcompany.com) which points to the WebAdapter machine and open up port 80.

That makes stuff accessible at: http://ags.yourcompany.com/arcgis/rest/services/

To go direct to the AGS machine you would need to open port 6080; the rest is basically the same.

If you need to use SSL that gets into some other things.

Thanks,
-Joe
RandallClark2
Occasional Contributor II

Hi Joe

We are using WebAdapter so I have the http://webadaptor.domain.com/arcgis/rest/services in place and I have the right ports open on my webserver machine and AGS machine, so I am covered there, but I am really trying to figure out how to approach IT to say I need to get access to my AGS server when I am not on the network...

Wait, maybe that's what I need to tell them.

I need access to my AGS when not connected to the network. Does that seem correct?

0 Kudos
RandallWilliams
Esri Regular Contributor

Yup! You basically need to make your GIS Server publicly accessible. Your needs may vary, but one of the simplest implementations involves placing a web adaptor in your screened subnet (often referred to as a DMZ), which is a spot in your network between your public facing router and your internal facing router. Then, on the internal facing router, expose ports 6080 and 6443 and register the web adaptor with the GIS Server. Users on the outside will reach your web adaptor through the public router interface, and the web adaptor will reach the GIS server through the internal facing router. When configuring the web adaptor for public access, leaving the option to access administrative options is best practice. Derek's posted some useful information describing different scenarios below. A more secure (and my personal favorite) option is to leverage a reverse proxy.

RandallClark2
Occasional Contributor II

>expose ports 6080 and 6443

Is that just opening up the ports on the Windows firewall on the server that the web adapter is installed on?

0 Kudos
MichaelRobb
Occasional Contributor III

Besides the flood of doc readings you have presented to you...

Neither 6080 nor 6443 should be exposed externally.  It should be your web adaptor of 80 or 443 (SSL) that should be exposed, running on IIS (for example)...

From your Web Server... between Web Adaptor and ArcGIS Server would be 6080 or 6443 (SSL).

All REST and SOAP services should go through the web adaptor, not direct to ArcGIS Server.

Your external traffic would hit up something like this: (example based on web adaptor name being 'arcgis')

http://gis.yourcompany.com/arcgis/rest/services/[servicefolder]/[servicename]/MapServer

you would not be doing

http://gis.yourcompany.com:6080/arcgis/rest/services....
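
Added example (not part of any post in this thread): a small check to run from a machine outside the company network, confirming that the layout described above is what IT actually opened. It expects the web adaptor to answer on 80 or 443 and ArcGIS Server's 6080/6443 to be unreachable; the default host name is the placeholder from the example URL, and the function names are hypothetical.

```python
import socket

# Ports named in the thread: the web adaptor (IIS) is the only public entry
# point; 6080/6443 are ArcGIS Server's own ports and stay internal.
PUBLIC_PORTS = (80, 443)
INTERNAL_ONLY_PORTS = (6080, 6443)


def port_is_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name not resolvable
        return False


def audit_exposure(host, public=PUBLIC_PORTS, internal=INTERNAL_ONLY_PORTS,
                   timeout=3.0):
    """Compare what is reachable from this vantage point with the intended
    layout. Returns a list of (port, problem) tuples; empty means it matches."""
    findings = []
    # The thread allows either 80 or 443, so one answering port is enough.
    public_up = [p for p in public if port_is_reachable(host, p, timeout)]
    if not public_up:
        findings.append((None, "web adaptor not reachable on any public port"))
    for port in internal:
        if port_is_reachable(host, port, timeout):
            findings.append((port, "ArcGIS Server port reachable from outside"))
    return findings


if __name__ == "__main__":
    import sys
    # Placeholder host name taken from the example URL in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "gis.yourcompany.com"
    problems = audit_exposure(target)
    for port, problem in problems:
        print(f"FAIL {target} port={port}: {problem}")
    if not problems:
        print(f"OK {target}: only the web adaptor ports answer")
    sys.exit(1 if problems else 0)
```

Run from inside the network, the same script is expected to report 6080/6443 as reachable, so the vantage point matters when reading the result.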

RandallClark2
Occasional Contributor II

Yeah, the documentation is helping but sometimes it feels like I am going down a rabbit hole...

Anyway, currently I have my web adaptor installed on my webserver. Under the Windows firewall settings I have an exception set up allowing communication on ports 80, 98, 4000-4004, 6006, 6080, 6099, 6443, which are all the ports the AGS needs, but do I need them open on this machine? Or is there something I am missing?

And how do I expose one port externally and one port internally?

0 Kudos
MichaelRobb
Occasional Contributor III

The web adaptor runs in IIS.  The default is arcgis, and it would be placed under Sites >> Default Web Site.  IIS would use 80 or 443 from the outside into that machine.  This is done by using Bindings to bind which port to the Web Site, along with the Pool. Note that 443 requires adding a cert.  You need to be familiar with Internet Information Services (Windows product) and use IIS Manager.

All those ports you mentioned are needed on the ArcGIS Server machine, NOT the web server machine where the adaptor runs.

When you installed the web adaptor, you would have then applied the 6080 or 6443 LINK to the web adaptor to arcgis server...

Thus, the web server just needs to be able to SEE the machine where ArcGIS Server is hosted. (FQDN).

You should not be opening any of those ports on the web application server, where the Web adaptor is hosted.

ArcGIS Server needs those ports opened, only on the machine that AGS is installed on.  If the web adaptor just happens to be installed on the same machine... so be it... but it doesn't change anything.

You don't need to open 6443 if you are not running HTTPS (SSL).  This is set on the ArcGIS Server end, under /admin.  Has this not been architected to understand what is all needed? (There is a lot involved here.)

I'm a bit nervous on what is being done here... would make any sysadmin or network guy scream! (Poking holes in the firewall = more screaming)

It also seems like you have not done any architecture planning either...which would make the business scream!

RandallClark2
Occasional Contributor II

>I'm a bit nervous on what is being done here.

Fair enough.

I am a bit nervous myself, and plus I'm dreading the part where I start playing around with Portal, but if this is not trial by fire I don't know what is.

Sadly the lovely ESRI class, ArcGIS for Server: Site Configuration and Administration, while helpful, was less than adequate to prepare me for this, hence my combing the documentation and posting on the forums.

>All those ports you mentioned, are needed on the ArcGIS Server machine...

Thanks for clarifying that, I closed all the ports except 80 on the web server machine.

>You don't need to open 6443 if you are not running HTTPS (SSL)

Good to know, I closed that port down too, but I do believe that I will need it open and have to switch from http to https.

>Has this not been architected to understand what is all needed?

Yes and no, we have been fine just using server to host services that are accessible on our domain, but now we are looking at making the services available off our domain.

So really what I am trying to figure out is how to have a conversation with IT about this so I can articulate what needs to be done, not try to do it myself.

And I think I have my request already: "Hey, we are working on building a web map that needs to be accessible to an outside client, can you help me set up AGS so that it is accessible?" So now it's almost as much for my understanding as anything.

Thank you for your help.

0 Kudos
MichaelRobb
Occasional Contributor III

Ok, makes sense...

Anything to help! 

0 Kudos