Hi all,
I have an external facing Portal (10.6.1). I'm working through and configuring the ArcGIS Enterprise security recommendations. I'm wanting to get get some clarification on what I should be entering into the Portal Admin Directory for the allowedProxyHosts.
From what I understand these should external domains that the portal can access content from? You have to add a new domain for every external server that you want to consume resources from. This protects your Portal from being used for Malicious attacks?
So for the example highlighted "(.*).arcgis.com" if I added this to my allowdProxyHosts my Portal will be allowed to get resources from any machine with a domain ending in .arcgis.com?
If I wanted to get resources from https://xyz.com I would add this as well ?
Do the domains need prefaced with https:// ?
Any help would be appreciated.
Thanks,
Clinton
Hi Clinton,
You should add the domain for ArcGIS Server machines to which you're creating items with stored credentials, hosts that provide OCG services, hosts that don't support CORS. If you have none of those, a dummy entry will work fine - like your domain.
You can see if a server supports CORS by reviewing the access-control-allow-origin header in the browser debugger for a web request to that resource.
if the Server Site is federated with the Portal using an AdminURL via an internal Load Balancer - do you need to add the Load Balancer URL instead of the individual Servers' URLs?
I'm pretty sure that the federated endpoints are automatically added to the allowed proxy hosts list. Requests to servers that are not allowed receive a http 403 response.
Unfortunately, Portal is too clever for a simple dummy entry. I tried:
"allowedProxyHosts":""
And restarted the Portal for ArcGIS Service. Afterwards, the Security Configuration web page in the Portal Administrator Directory no longer shows the allowedProxyHosts property at all.
I'm guessing that the dummy entry should be a domain that we control. For example, the dummy entry for Randall Williams's development server might be:
"allowedProxyHosts":"nonexistentsubdomain.esri.com"