How to handle port changes between Load Balancer and WebAdaptor/ArcServer

02-27-2015 05:18 PM
JasonTipton
Occasional Contributor III

Philip Heede, how do you authenticate behind an F5/proxy that is changing the port? The F5 is forwarding traffic from 443 to 6080. When I add the webadaptor, the authentication tries to hit against the port 6080 instead of 443 like all other traffic...

It seems like 80% of links return /arcgis/rest...., but the authentication piece returns the full url http://server:6080/arcgis/...., which obviously won't work.

Message was edited by: Jason Tipton

9 Replies
pheede-esri
Esri Contributor

Jason Tipton, ensure you're following the guidance at Using a reverse proxy server with ArcGIS Server—Documentation | ArcGIS for Server for setting the required HTTP headers and optionally the WebContextUrl if appropriate.

Cheers,

Philip

0 Kudos
JasonTipton
Occasional Contributor III

Here's a little better example of what's going on. Traffic is coming through a reverse proxy on port 443. It is being forwarded on to a load balancer using port 443. The load balancer is doing SSL offloading so it is forwarding unencrypted traffic on to the Web Adaptor now at port 80 (It was 6080, but now 80). The WebAdaptor then forwards traffic to the ArcServer on 6080.

Browser  <= 443 =>  Rev Proxy  <= 443 => F5  <= 80 => Web Adaptor <= 6080 => ArcServer

I tried setting the WebContextUrl in the admin to httpS://gisserver.xyz.com/arcgis. It didn't seem to change anything. I'm not sure if it is the X-Forwarded Host Headers either, b/c the URLs that it is returning have always been the correct url, just http and wrong ports (http://gisserver.xyz.com/arcgis) instead of http://servername.xyz.com/arcgis. I haven't checked the IIS logs, but shouldn't I be able to find those headers in the log?

Again, it seems like most urls are relative and start with "/arcgis/....". It's just the admin/login piece that returns the full url path "http://gisserver.xyz.com/arcgis/....". Not sure why it even needs to return the full url.

0 Kudos
JasonTipton
Occasional Contributor III

This question is similar: Reverse Proxy - Web Adaptor - ArcGIS Server configuration. The problem here was changing the url without creating a new webadaptor. It seems that the WebContextURL is ignored if you are using a WebAdaptor. Jeff Smith suggested removing the webadaptor for the WebContextURL to work or creating a new WebAdaptor.

This issue was logged as an enhancement. What is the status of this? And is my WebContextURL being ignored?

0 Kudos
pheede-esri
Esri Contributor

In order to troubleshoot and get a status on any logged enhancement requests, please contact Tech Support and they will be able to assist with both things.

Cheers,

Philip

0 Kudos
JasonTipton
Occasional Contributor III

Already done.... so.....the WebcontextURL. Is it ignored if you are using a WebAdaptor?

0 Kudos
JasonTipton
Occasional Contributor III

The feeling I am getting from responses and from the traditional support route is that SSL offloading is not supported, b/c that is what is causing this issue.

Here is an ESRI doc mentioning the benefits of using hardware level SSL offloading: http://resources.arcgis.com/en/communities/enterprise-gis/01n20000002n000000.htm

0 Kudos
JeffSmith
Esri Contributor

Jason, the information you have heard from Support is accurate: the SSL offloading is not supported.

Regarding the WebContextUrl, I'm not sure what version of ArcGIS Server and Web Adaptor you are using but in version 10.3, you shouldn't need it.  If the X-Forwarded-Host header is included from the F5 load balancer to the web adaptor, the fqdn for the Login url should match that header.  The format of the header should be fqdn/webadaptor (ex server.esri.com/arcgis).  The WebContextUrl is only necessary if you remove the web adaptor and redirect directly to the Server from the F5 load balancer.

0 Kudos
JasonTipton
Occasional Contributor III

I'm on 10.2.2. All the WebcontextURL seemed to do is to mess things up.  So, at 10.3, would that X-Forwarded-Host header honor the httpS (and port number) or just server name?

Say my site is:

https://myGISServer.com

and it goes through http:////gis/arcgis locally, would the login url be

http://myGISServer.com/arcgis/rest/login   OR

httpS://myGISServer.com/arcgis/rest/login

0 Kudos
JeffSmith
Esri Contributor

No, in 10.3 it will be the same as how you are seeing it in 10.2.2.  The protocol defined in the WebContextUrl is not used.  In other words, if your F5 load balancer is doing SSL offloading, the Login url you see on the Rest page will be HTTP, not HTTPS.  If you configure the F5 load balancer to redirect to the web adaptor over HTTPS, the Login url on the Rest page will be HTTPS.

I want to make a correction from my last post.  The 'X-Forwarded-Host' header used from your F5 load balancer just needs to be the fqdn, not fqdn/webadaptor.
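
As an added example (not part of the thread and not Esri code): a small Python check for the symptom discussed above, where most links on the REST page are relative but the login link is an absolute URL carrying the back-end scheme, host or port. The sample HTML is constructed, `audit_links` is a hypothetical helper, and the `/arcgis/rest/services` and `/arcgis/rest/info` paths are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: a fragment shaped like the page described in the thread.
SAMPLE_REST_PAGE = """
<a href="/arcgis/rest/services">Services</a>
<a href="http://server:6080/arcgis/rest/login">Login</a>
<a href="http://gisserver.xyz.com/arcgis/rest/login">Login</a>
<a href="https://gisserver.xyz.com/arcgis/rest/info">Info</a>
"""

class LinkCollector(HTMLParser):
    """Collect href/src/action values from every start tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src", "action") and v]

def origin(url):
    """Return (scheme, host, effective port) for an absolute http(s) URL."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def audit_links(html, public_base):
    """List absolute links whose scheme, host or port differ from the public URL."""
    want = origin(public_base)
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        if urlsplit(link).scheme.lower() not in DEFAULT_PORTS:
            continue  # relative links inherit the browser's origin; skip mailto: etc.
        got = origin(link)
        diffs = [name for name, g, w in zip(("scheme", "host", "port"), got, want) if g != w]
        if diffs:
            findings.append((link, diffs))
    return findings

if __name__ == "__main__":
    for url, diffs in audit_links(SAMPLE_REST_PAGE, "https://gisserver.xyz.com/arcgis"):
        print(f"{url}: mismatched {', '.join(diffs)}")
```

Feed it the REST page as fetched from outside the proxy together with the public URL; an empty result means every absolute link stays on the public origin.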