Current implementation:
ArcGIS Enterprise accessible only internally via "https://nameOfTheMachine.domain....."
Self-signed certificate
Web adaptor(s) registered with the machine name.
I've read about many options but I am not sure about what I should do exactly. I am confused.
Open the port on firewall? Which port?
Port forwarding? Which port?
CA certificate? A Domain certificate is enough?
I need to figure out what is the proper way to do this as I've always used Enterprise within my network.
Any documentation or suggestion would be great!
Thank you.
Hey @PanGIS
I was curious if you could go more in depth about the adding of the service to AGOL. Would a distributed collaboration not work for your case?
Quite a lot goes into exposing the site to the internet. Our current enterprise environment is exposed at the moment for multi-site collaboration, and it was a journey to set up.
For ports, I would follow the standard guide here: https://enterprise.arcgis.com/en/system-requirements/latest/windows/pdf/ports-enterprise-deploy-dgm....
Our setup is currently hosted internally, on an internal subnet, for example the 10.0.1.x subnet, and we have a DMZ setup that is currently on the 10.0.2.x subnet. Inside this DMZ is an Apache 2.4 reverse proxy, which communicates from our enterprise environment out to the web. This reverse proxy was placed alongside an already public NAT created by our IT for their own site.
The enterprise servers would do fine with a domain certificate, and the reverse proxy will need a CA-signed certificate for public access. Best practice would be for all of them to have CA certificates.
The reverse proxy would need the ports allowed for communication between the servers, and you will need to ensure that there is proper webhook traffic being allowed through. This is all quite advanced and took around 2 months to set up.
If your company is willing, you should work with ESRI professional services. ESRI does not do this as it is outside their scope of support, but ESRI professional services are made up of teams of highly skilled engineers that do this often.
Cody
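An added example, not taken from the post above or from Esri's documentation: a minimal Apache 2.4 virtual host for the layout described in that reply, with a publicly trusted certificate on the internet-facing side and validation of the internal servers' domain-CA certificate on the proxy-to-backend side. The hostnames, the `/portal` and `/server` web adaptor paths and all file locations are assumed placeholders.

```apache
# Added example. Every hostname, path and file location here is a placeholder.
# Needs mod_ssl, mod_proxy and mod_proxy_http loaded.
<VirtualHost *:443>
    # Public name that external clients use (assumed)
    ServerName gis.example.com

    # Internet-facing side: certificate issued by a public CA
    SSLEngine on
    SSLCertificateFile    /etc/ssl/public/gis.example.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/gis.example.com.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    # Proxy-to-backend side: HTTPS to the internal web adaptor, with its
    # domain-CA certificate actually validated by the proxy
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/ssl/internal/domain-ca.pem
    SSLProxyVerify          require
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    # Weak variant commonly used to get a self-signed backend working.
    # It turns off backend certificate validation, so it stays commented out:
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerName off

    # Reverse proxy only, never a forward proxy
    ProxyRequests Off

    # Only the web adaptor contexts are published (assumed names)
    ProxyPass        /portal https://nameOfTheMachine.internal.example/portal
    ProxyPassReverse /portal https://nameOfTheMachine.internal.example/portal
    ProxyPass        /server https://nameOfTheMachine.internal.example/server
    ProxyPassReverse /server https://nameOfTheMachine.internal.example/server
</VirtualHost>
```

With `SSLProxyVerify require`, a backend that still presents a self-signed certificate makes the proxy refuse the connection, so the internal servers need the domain certificate in place first.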
Hi @CodyPatterson thank you!
I will reply to the first part of your answer; I need to digest the second one 😅
I didn't think of a distributed collaboration, but it could be a game changer for many reasons in our small testing environment. The external sharing isn't permanent, but needs to be tested from outside.
Without changing anything of the previously mentioned Enterprise configuration:
I set it up and I can see the shared layers listed in the Host (AGOL); even when I try to add them to a map they are there.
The issue is: the data is not accessible either from within or outside the network.
So there is still something I have to do in the system to make the data available, I guess.