Multi-Server DMZ Setup

08-25-2023 06:25 PM
CodyPatterson
Frequent Contributor

Hey guys, got quite the question for the community and I apologize if this is in the wrong spot.

Recently, I was promoted to GIS Administrator and I was tasked with designing an ArcGIS Enterprise setup that hosts Portal, Server, Workflow Manager, Jupyter Notebooks, and a MySQL Server for the database. The Server would be Federated with the Portal.

The catch is, I would like a DMZ to be present in order for authenticated users not on the intranet to connect in, along with potential stakeholders to be able to view maps and layers. We previously used a VPN, but we'd like to move away from that.

I have created many theoretical diagrams listing what I would like, but my main questions are:

What needs to be in the DMZ? I'm aware of all port numbers and firewall exceptions depending on what would need to be enabled on the firewall, but a little vague on this.

Since Notebooks, Workflow Manager, and MySQL are all separate servers, would it be better to host this on the intranet and use a reverse proxy to connect through?

If there were a reverse proxy, would I be able to connect it directly to the ArcGIS Server in the intranet, and would that be able to communicate with the other servers inside?

Definitely a little nervous coming into this, but I'm willing to learn. The resources that I've seen do not mention a federated server on the firewall diagrams, and no diagrams I have seen detail the interaction between, for example, Notebooks and a DMZ, or the placement of servers.

I would appreciate any suggestions or resources greatly.

Thank you in advance!

ArchitSrivastava
Frequent Contributor

Hello @CodyPatterson,

There are several approaches we can take here. However, I would like to bring a bit of attention to one point: I assume that if you are using other ArcGIS Server roles, they would also be federated with Portal for ArcGIS, making the Portal for ArcGIS authentication a single entry point for access to any component within the enterprise.

There are several approaches we can take for the scenario you mentioned. One could be configuring a "Reverse Proxy" and then configuring Portal to use the reverse proxy by following the below documentation:

You can install your Portal Web Adaptor on a designated Web Server in the DMZ that handles routing requests back to your portal internally. The Web Server would be identified by the reverse proxy alias (typically a DNS), and you can configure the Web Adaptor as you normally would with a Web Adaptor installation that leverages a DNS.

This means that when configuring it you need to make sure you use the intranet URL in the Web Adaptor configuration page as opposed to the default localhost (i.e. the URL for configuration would be https://webAdaptorHost.domain.com/webAdaptorName/webadaptor).

A very important thing to understand before delving into this process is that it affects your portal's WebContext, so it would be recommended to set that up before installing the applications, and especially before federating any ArcGIS Servers to the Portal.

I would also recommend reviewing the document above as it covers the process in greater detail. Additionally, make sure you plan how it would be set up in your own environment, as some environment-specific variations implemented by your own IT might require a different level of implementation.

Additionally, a good document to start can also be the one mentioned below but you would have to tweak a few things as per requirement in your scenario:

Deployment Patterns for Exposing ArcGIS Enterprise Secured Services to External Users 

You can utilize these as a basis to start with and further tweak the diagrams you have been building.

Hope I was able to get you a starting point. Hope it helps!

-Archit

CodyPatterson
Frequent Contributor

Hey Archit,

This is great information, thank you so much for the provided resources and documents. I investigated the one you mentioned at the end of the post and I built on that for my initial diagram.

My initial thought was to pass through the firewall, then to reverse proxy to portal, and then finally through portal to server and all other server items such as Notebooks and Workflow Manager. I believe that's what you mentioned as well with the first link.

I'll look more into WebContext and get myself familiar with how that is setup, but I believe that this will be a great starting point, would you recommend that all services are held within the intranet and then accessed through reverse proxy to web adapters hosted on the intranet as well?

Thank you again for the great information!

ArchitSrivastava
Frequent Contributor

Hello @CodyPatterson,

I am glad I was able to get you a starting point.

I think if the services are to be kept in the intranet itself, i.e. no outside access from internal components and no outside component can access internal components, that would require more considerations to be taken into account.

If you can confirm that you are thinking about configuring ArcGIS Enterprise in an environment where there is no internet connection or internet access is prohibited by your organization, I can share more links with considerations.

As per my understanding, it would be good to have the reverse proxy as the front end of the configuration, then the Web Adaptors, and then the other components, but do consider that it's a lot of rerouting and configuration, and a lot of components need to work cohesively to achieve this.

Hope it helps!

-Archit

CodyPatterson
Frequent Contributor

Thank you for the response Archit,

In this case, the environment would have internet access within the organization, so it's a slightly different circumstance.

I've seen most agree with your last statement about the reverse proxy front end and then into Web Adapters, so I will be looking into those in great detail.

I appreciate your knowledgeable responses!

MichaelJenkins
Frequent Contributor

Hi Cody.   We have Enterprise set up in a very similar way to what you are describing in your OP.   We put all of the web adaptors on one web server in the DMZ and all the other servers for the multi-machine site are inside our firewall.  No VPN required for regular web access, but it is required for actually remoting into the servers for maintenance and updates.

Having all of the web adaptors on one server is nice because you have the same root URL for all of the Enterprise component servers, and only one SSL cert is needed for all of them.

GISP
CodyPatterson
Frequent Contributor

Hey Michael,

Thank you for the response, I have a strong feeling this may be the route that we decide to take so this is a very helpful response.

Do you happen to have an IDP that authenticates external users?

Also, would the Notebooks server for example be able to communicate to external users through this Web Adaptor if it is directly connected to an ArcGIS Server that's connected by Web Adaptor?

Thank you again!

MichaelJenkins
Frequent Contributor

Yes and yes.  We've set up Azure AD for authentication to the Portal.

Notebook Server fits well into this configuration.  It is just another server that federates to the Portal.   You just have to make sure the Web Adaptor server can access all the necessary ports for the various servers.  You can set the firewall rules to specifically allow communications between the web adaptor server and the main port for each of the various servers.   Then, since all the servers are inside the firewall, they can talk to each other as needed without any other special configurations.

Just open ports:

7443 to the Portal server

6443 to each GIS server (regardless of role, GIS, Image, etc)

11443 to the Notebook server

I'm attaching a diagram to illustrate.   In my org we are required to use a WAF (web application firewall) and we use F5.   If you don't require that you can ignore that part of my diagram and apply the external DNS entry and SSL cert directly to the web adaptor server.

GISP
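The allow list Michael describes (one web adaptor host in the DMZ, and only 7443, 6443 and 11443 opened from it to the Portal, GIS and Notebook servers inside) can be checked for least privilege before the rules go on the firewall. The script below is an added example, not code from the thread or from Esri; the host addresses are constructed placeholders, and the `Rule` model and `audit` function are my own.

```python
"""Least-privilege audit of the DMZ -> intranet allow list for a federated
ArcGIS Enterprise deployment. Added example; addresses are constructed."""
from dataclasses import dataclass
from typing import Iterable, Union

# Constructed placeholder hosts (assumption: one web adaptor host in the DMZ,
# every other component on the intranet side of the firewall).
WEB_ADAPTOR = "10.0.1.10"                 # DMZ web adaptor server
PORTAL = "10.0.2.10"                      # Portal for ArcGIS
GIS_SERVERS = ["10.0.2.20", "10.0.2.21"]  # federated site, any role (GIS, Image, ...)
NOTEBOOK = "10.0.2.30"                    # ArcGIS Notebook Server

# Main port of each federated component, as listed in the accepted answer.
COMPONENT_PORTS = {"portal": 7443, "server": 6443, "notebook": 11443}

Port = Union[int, str]  # an int, or "any" for a wildcard rule


@dataclass(frozen=True)
class Rule:
    src: str    # source host or "any"
    dst: str    # destination host or "any"
    port: Port  # destination TCP port or "any"


def required_rules() -> set:
    """The minimal set of DMZ -> intranet rules for this topology."""
    rules = {Rule(WEB_ADAPTOR, PORTAL, COMPONENT_PORTS["portal"]),
             Rule(WEB_ADAPTOR, NOTEBOOK, COMPONENT_PORTS["notebook"])}
    rules |= {Rule(WEB_ADAPTOR, h, COMPONENT_PORTS["server"]) for h in GIS_SERVERS}
    return rules


def covers(rule: Rule, need: Rule) -> bool:
    """True if `rule` permits the traffic `need` describes (wildcards match)."""
    pairs = ((rule.src, need.src), (rule.dst, need.dst), (rule.port, need.port))
    return all(a == "any" or a == b for a, b in pairs)


def audit(candidate: Iterable[Rule]) -> tuple:
    """Return (missing, excess).

    missing: required flows no candidate rule permits (web adaptor cannot reach
             a component); excess: candidate rules that are not exactly one of
             the required rules, i.e. wildcards or hosts/ports not needed here.
    """
    required = required_rules()
    cand = list(candidate)
    missing = {n for n in required if not any(covers(r, n) for r in cand)}
    excess = {r for r in cand if r not in required}
    return missing, excess


if __name__ == "__main__":
    # Constructed proposal: forgot Notebook Server, added a DMZ-wide shortcut.
    proposed = [Rule(WEB_ADAPTOR, PORTAL, 7443), Rule(WEB_ADAPTOR, "any", 6443)]
    for label, rules in zip(("missing", "excess"), audit(proposed)):
        print(label, *sorted(map(str, rules)), sep="\n  ")
```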
CodyPatterson
Frequent Contributor

Hey Michael,

Thank you again for the great information, this is very insightful and helpful!

I'll work on getting this setup, but for now I'd say this satisfies all my questions!
