Hide REST Service Directory for external users?

07-26-2019 03:40 PM
NeelKumar
New Contributor III

Is there a way to block access to the REST services directory at the web adapter level for external users? We do not want to simply disable the REST services directory altogether, as we still need access for internal users. Currently, if someone knows our REST service URL, they can access our unsecured REST services. We are looking for a way to either block or redirect them. This is for ArcGIS Enterprise 10.7.1.

3 Replies
LanceCole
MVP Regular Contributor

Neel, 

Are your internal users only accessing the data from your internal network? If so, you can move your web adapter to an internal IP/FQDN and not publicly expose the service. If users need to access the data from outside the internal network, you can use a VPN connection to your internal network or require authentication to access your externally facing web adapter.

You can also have two web adapters, one for internal users with REST service directory disabled and a second for internal users with the directory active.

NeelKumar
New Contributor III

Thanks! I think using an internal IP might work for us. Otherwise, how could we set up the web adapter to require authentication before showing any services? Is something like this possible? Currently we're using Windows authentication to see our private REST services, but our public ones are accessible right off the bat.

LanceCole
MVP Regular Contributor

For our public-facing data that does not require a logon, we use ArcGIS Online to host this data. This minimizes exposure of our network for security reasons. We have installed a "public" Web Adapter in our DMZ that points back to our enterprise deployment but are not utilizing this connection at this time. We also have a second Web Adapter in our DMZ that utilizes SAML for external user authentication and allows access to other resources than those offered on our public site. Internal users access our Portal via another Web Adapter hosted on an internal web server that is not exposed externally.

You can place as many web adapters as you need, each using various levels of access, all pointing to the same data.

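Added example, not part of any reply in this thread: a check an administrator could run after splitting access across several web adapters, to confirm that no adapter serves the service list to an outside vantage point while internal users can still reach theirs. The hostnames, the `classify` and `audit` helpers, and the convention that status 0 means "no connection" are assumptions; the sample replies are constructed.

```python
import json

def classify(status, body):
    """Classify one reply to GET <web adapter>/rest/services?f=json."""
    if status == 401:
        return "auth-required"      # web-tier challenge, e.g. Windows authentication
    if status != 200:
        return "blocked"            # 403/404, or 0 = no connection (assumed convention)
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"            # HTML page or redirect target, inspect by hand
    if not isinstance(doc, dict):
        return "unknown"
    err = doc.get("error")
    if isinstance(err, dict):
        # ArcGIS Server reports a missing or invalid token inside a 200 body
        return "auth-required" if err.get("code") in (498, 499) else "blocked"
    if "services" in doc or "folders" in doc:
        return "open"               # service list served without credentials
    return "unknown"

def audit(observations):
    """Return (vantage, url, state) for each reply that breaks the goal:
    nothing 'open' from outside, and internal users must not be locked out."""
    findings = []
    for vantage, url, status, body in observations:
        state = classify(status, body)
        if vantage == "external" and state in ("open", "unknown"):
            findings.append((vantage, url, state))
        elif vantage == "internal" and state == "blocked":
            findings.append((vantage, url, state))
    return findings

# Constructed sample replies; hostnames are placeholders, not from the thread.
LISTING = '{"currentVersion": 10.71, "folders": ["Utilities"], "services": []}'
TOKEN = '{"error": {"code": 499, "message": "Token Required", "details": []}}'
SAMPLE = [
    ("external", "https://gis.example.com/arcgis/rest/services", 200, LISTING),
    ("external", "https://secure.example.com/arcgis/rest/services", 200, TOKEN),
    ("external", "https://gis-int.example.internal/arcgis/rest/services", 0, ""),
    ("internal", "https://gis-int.example.internal/arcgis/rest/services", 401, ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING", *finding)
```

In practice the observations would be collected by requesting each adapter's URL once from inside the network and once from outside it, then passed to `audit`.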