Disable external access to ArcGIS Server Manager

03-29-2017 08:56 AM
Chang-HengYang
New Contributor III

The background of my server

I installed ArcGIS Server 10.3.1 (no Web Adaptor installed).

I have Windows 2012 Server x64 with SQL Server 2012 R2.

I'm also using IIS 8 as a web server on the same machine.

I am wondering if I could disable external access to the link for the ArcGIS Server Manager.

For example, assuming the link is "http://gisserver.domain.com:6080/arcgis/manager/", could you tell me if there is a way to disable/block external users from accessing the link?

Many thanks,

Changheng


Accepted Solutions
RandallWilliams
Esri Regular Contributor

Installing the web adaptor will allow you to disable admin access. Or conversely you could configure ARR on IIS to make it work as a reverse proxy and set your directives to not point to the manager context, but if you're going that route anyway it's considerably easier to just install the web adaptor.

Chang-HengYang
New Contributor III

Hi Randall,

I followed your instructions. Port 6080 was hidden. The REST services directory was created ("stateparkmap.okstate.edu/ousgeog/rest/") with Windows authentication active. However, the public can still access the default REST directory (stateparkmap.okstate.edu:6080/arcgis/rest) without entering any username or password. In addition, I have created an inbound rule to allow ports 6080/6443 in the server firewall. Could you tell me how I can allow only the directory ("stateparkmap.okstate.edu/ousgeog/rest/") to work?

Thanks,

Hank

RandallWilliams
Esri Regular Contributor

Typically, the architecture looks like this:

database---GIS Server  || firewall || ---web server (IIS) ---public WWW

The web adaptor connects to the GIS Server via port 6080 (HTTP) or 6443 (HTTPS). In order for the communication to succeed, ports 6080/6443 are opened on the firewall.

In your case, it appears that the GIS Server is installed on the web server with your IIS instance. Is that correct? If so, you can use the Windows firewall to firewall off ports 6080 and 6443 from external traffic (or only allow traffic from the web adaptor to come through those ports).

Since you're using Windows Auth, you should strongly consider configuring your web adaptor to communicate with your GIS Server on port 6443, obtain a certificate from a Certificate Authority, and enable HTTPS/SSL at the web tier.

Otherwise the credentials supplied to access your GIS Server site can easily be sniffed on the wire.
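
The firewall step discussed in this thread, as an added example that is not part of any poster's reply: it audits Windows Firewall for inbound Allow rules that open 6080/6443 to every remote address and narrows them. The subnet `192.0.2.0/24` is a placeholder, and the example assumes the web adaptor on the same machine reaches ArcGIS Server locally.

```powershell
# Added example. Run in an elevated PowerShell session on the GIS Server host.
# Assumptions: 192.0.2.0/24 is a placeholder for a trusted admin subnet, and the
# web adaptor on the same machine reaches ArcGIS Server locally.
$gisPorts   = '6080', '6443'
$trustedNet = '192.0.2.0/24'   # placeholder, replace with your own range

# 1. Traffic without a matching Allow rule is dropped only if the profile is
#    enabled and its default inbound action is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Find enabled inbound Allow rules that open 6080/6443 to any remote address.
#    Only rules that list the ports explicitly are matched (not ranges or "Any").
$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        $portFilter.Protocol -eq 'TCP' -and
        @($portFilter.LocalPort | Where-Object { $gisPorts -contains $_ }).Count -gt 0 -and
        $addrFilter.RemoteAddress -contains 'Any'
    }

if ($exposed) {
    # Weak setting found by the audit: RemoteAddress = Any.
    $exposed | Format-Table DisplayName, Profile, Enabled

    # 3. Corrected setting: restrict those rules to the trusted subnet.
    $exposed | Set-NetFirewallRule -RemoteAddress $trustedNet

    # 4. Confirm the new scope on each rule.
    $exposed | Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress
} else {
    Write-Output 'No inbound Allow rule exposes 6080/6443 to any remote address.'
}

# 5. From a machine outside the trusted subnet, both checks should now fail:
#    Test-NetConnection -ComputerName gisserver.domain.com -Port 6080
#    Test-NetConnection -ComputerName gisserver.domain.com -Port 6443
```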