How do you maintain secure services with web adaptor installed?

2796
7
10-01-2015 08:07 AM
CassidyKillian
Occasional Contributor II

When you expose your REST endpoint through a web adaptor installation, if you want to keep some services secure/internal do you have to publish them to a different folder? 

We do not want everyone to see all of the services that we have published to our default REST endpoint which is the case how we have it installed now.  Do we need to re-configure our installation or just publish to different folders?

0 Kudos
7 Replies
JacobBoyle
Occasional Contributor III

That's the easiest way I've found to set ArcGIS Server up, with public shared folders and private shared folders.

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

I actually have folders for the public/unsecure services too, and don't publish anything to the root.  This way you can control the public services easier too, if you need turn off public access for a while.  I create a _public and a _secure for each Division/project.

I also suggest setting up two web adaptor, one for public and one for secure.  If you need to expose you secure services outside you network, you can use a proxy.  I highly recommend getting the SSL cert so you can use https:

Also, if you want to block you REST endpoint from being seen at all outside you network, you can turn that option off for the web adaptor access (can still access with server name), but that can cause headaches for your development too (not a technical headache, just because it blocks the web adaptor view from you too). But again, if folders are secure, the rest endpoint will not show the secure folders unless the user logs in, which is another reason you want to have HTTPS/SSL.

Depending on your version of the software, this all varies slightly.

Cassidy Killian:

... Do we need to re-configure our installation or just publish to different folders?

I haven't found anyway to move services...they usually have to be recreated, but if you have caches, they can be move to match the new folder name so you do not need to recreate those.

0 Kudos
CassidyKillian
Occasional Contributor II

Thanks for the reply!  When you say you do not publish to the root, are the folders you publish to still sub-folders within your root or did you somehow set up connections to folders in a different location?

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

All my folders are under the root, I just don't put anything directly into the root.  This is my structure (when I am logged in so I can see my secure folders too).  Notice that I am looking at the root in the clip, and no services are listed.  I hope that clarifies it a bit.

That is how I decided to set it up and at least so far at least, it has been working for us.

0 Kudos
PatrickHjelte
New Contributor

Hi Rebecca,

How you can limit web adaptor to access a specific folder? e.g. a specific public folder

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

Jawad,

The link Domenico provided is worth a read on using the mixed environment.

Jawad Youssef wrote:

How you can limit web adaptor to access a specific folder? e.g. a specific public folder

If a folder, and the services contained within, are "public", I'm not sure that you can hide it from other web adaptors on the same server.  The only option I believe to hide public folders would be to completely disabld the Services directory (thru the http://servername:6080/arcgis/admin   or https://servername:6443/arcgis/admin)   edit to disable.  But that prevents viewing any of the folders (as far as I know)

However, you can secure folders or just certain services within a folder to hide without logging in or passing credentials of some kind.  The access, you can use a proxy to prevent logging in.

I'm not sure if that answered you question or not, and there may be someone else that knows of another work around.

0 Kudos