Enterprise Security allowedProxyHost Portal Admin 10.6.1

887
4
06-13-2019 06:11 PM
ClintonBallandis1
Occasional Contributor

Hi all,

I have an external facing Portal (10.6.1). I'm working through and configuring the ArcGIS Enterprise security recommendations. I'm wanting to get get some clarification on what I should be entering into the Portal Admin Directory for the allowedProxyHosts.

From what I understand these should external domains that the portal can access content from? You have to add a new domain for every external server that you want to consume resources from. This protects your Portal from being used for Malicious attacks?   

So for the example highlighted  "(.*).arcgis.com" if I added this to my allowdProxyHosts my Portal will be allowed to get resources from any machine with a domain ending in .arcgis.com?

If I wanted to get resources from https://xyz.com I would add this as well ? 

Do the domains need prefaced with https:// ? 

Any help would be appreciated.

Thanks,

Clinton

0 Kudos
4 Replies
RandallWilliams
Esri Regular Contributor

Hi Clinton,

You should add the domain for ArcGIS Server machines to which you're creating items with stored credentials, hosts that provide OCG services, hosts that don't support CORS. If you have none of those, a dummy entry will work fine - like your domain.

You can see if a server supports CORS by reviewing the access-control-allow-origin header in the browser debugger for a web request to that resource.

DavidHoy
Esri Contributor

Randall Williams

if the Server Site is federated with the Portal using an AdminURL via an internal Load Balancer - do you need to add the Load Balancer URL instead of the individual Servers' URLs?

RandallWilliams
Esri Regular Contributor

I'm pretty sure that the federated endpoints are automatically added to the allowed proxy hosts list. Requests to servers that are not allowed receive a http 403 response.  

ZianChoy
Occasional Contributor

Unfortunately, Portal is too clever for a simple dummy entry. I tried:

"allowedProxyHosts":""

And restarted the Portal for ArcGIS Service. Afterwards, the Security Configuration web page in the Portal Administrator Directory no longer shows the allowedProxyHosts property at all.

I'm guessing that the dummy entry should be a domain that we control. For example, the dummy entry for Randall Williams's development server might be:

"allowedProxyHosts":"nonexistentsubdomain.esri.com"

0 Kudos