Hi,
We are trying to implement an ArcGIS system for a public-facing web mapping application. We plan to have a Cloudflare-based public DNS, e.g. gis.company.com, forwarding to an internal Citrix NetScaler-based load balancer, which in turn directs requests to one of the three active ArcGIS Server machines in a v11.3 site operating in HTTPS-only mode.
We will have a CA signed certificate for Cloudflare DNS of gis.company.com. Do we need to install certificates in DMZ LB (Netscaler) and ArcGIS Server machines with Subject Alternate Name of gis.company.com included? Or can we keep self-signed certificate on ArcGIS Server and no certificate at all on Netscaler? Both Cloudflare and Netscaler will be configured with SSL pass-through.
If we keep self-signed certificates on ArcGIS Server machines, how would it decrypt POST requests data?
The advantage of self-signed certificates on ArcGIS Server is not having to renew them.
Thanks,
Hey @EstherSmith_Dev
I have an extremely similar setup, with our environment being behind a DMZ, then DMZ to the internet.
In your situation, I believe that since it's configured for SSL passthrough, you may not need a CA-signed certificate for the load balancer, since it relies on the Cloudflare certificate. My setup doesn't use Cloudflare or SSL passthrough and is different; it's detailed below if it helps:
My setup is this: ArcGIS Servers are equipped on their web adaptors with a self-signed certificate, which only allows authenticated access on the network. The DMZ is configured with a CA-signed certificate, which acts as the front end of the site to the internet. When accessing it on the internet, it only references the CA-signed certificate on the publicly exposed DMZ side. The DMZ reaches into the network and understands that it has communication within, and doesn't have an issue with those certificates.
The DMZ should act as a handler for the HTTP requests as long as it is properly configured. If you're using some type of reverse proxy, the internal FQDNs and traffic will be hidden from the outside.
Domain certificates have also worked in my attempts, this is with 11.2 enterprise so far. I would ensure that whichever certificate you choose has the SAN (Subject Alternative Name) on the certificate as well.
Cody
Hi @EstherSmith_Dev
Did you find more answers to this? I guess you came across this issue with Cloudflare certificate issues with ArcGIS Enterprise.
Thanks,
Andres
We are not at that stage yet. I just wanted to confirm our proposed setup will work before we deploy, and wanted to know if I need CA-signed certs on the NetScaler appliance and on ArcGIS Server. We will not have ArcGIS Web Adaptor.
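An added example, not code from any post in this thread, showing the check behind the original question: with SSL pass-through on both Cloudflare and the NetScaler, the browser validates whatever certificate the ArcGIS Server machine itself presents, so that certificate's SAN must cover gis.company.com and its issuer must be trusted. The two certificate dicts are constructed samples in `ssl.getpeercert()` format; `probe_tls` assumes network access and a reachable endpoint.

```python
import socket
import ssl

# Constructed sample: what a CA-signed cert carrying the public name looks like to ssl.getpeercert()
PUBLIC_CERT = {
    "subject": ((("commonName", "gis.company.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "gis.company.com"), ("DNS", "*.company.com")),
}
# Constructed sample: a self-signed ArcGIS Server cert that only names the internal machine
INTERNAL_CERT = {
    "subject": ((("commonName", "gisserver01.corp.local"),),),
    "issuer": ((("commonName", "gisserver01.corp.local"),),),
    "subjectAltName": (("DNS", "gisserver01.corp.local"),),
}

def san_dns_names(cert):
    """DNS entries from a certificate dict in ssl.getpeercert() format."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def _dns_label_match(pattern, hostname):
    """RFC 6125 style match: a single '*' may stand in for the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    """True if hostname is covered by a SAN DNS entry (the CN is ignored, as browsers do)."""
    return any(_dns_label_match(p, hostname) for p in san_dns_names(cert))

def probe_tls(host, port=443, server_hostname=None, cafile=None):
    """Connect as a browser would and report which certificate the public name serves.
    With SSL pass-through end to end this is the ArcGIS Server machine's own certificate."""
    server_hostname = server_hostname or host
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store unless cafile given
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
                cert = tls.getpeercert()
        return {"trusted": True, "san": san_dns_names(cert),
                "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn),
                "hostname_ok": hostname_matches(cert, server_hostname)}
    except ssl.SSLCertVerificationError as exc:
        # A self-signed backend cert or a missing SAN surfaces here as the verify message
        return {"trusted": False, "error": exc.verify_message}

if __name__ == "__main__":
    print(probe_tls("gis.company.com"))
```

Running the probe against the public name from outside the network tells you whether the certificate on the ArcGIS Server machines, not the one on Cloudflare, is what clients will accept.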