I have a question regarding the configuration of a DMZ with a single-machine deployment; we have been struggling to configure a reverse proxy for ArcGIS Enterprise. We recently upgraded Enterprise to 11.1. All components are on the same Windows Server (2 WAs, Server, Data Store and Portal), federated, with IWA. We have configured the load balancer on the DMZ server and opened 443 to route the traffic from the DMZ. Here is our requirement: suppose a user or member accesses the URL from outside; it should route through the DMZ (split DNS). If a user accesses it from the internal network, it should hit the server directly (IWA) instead of routing through the DMZ. Is this possible? If yes, how do I need to configure this? Please help us.
I can empathize with your struggles.
You will want to place the IIS server in your DMZ along with both of your web adapters. The web adapters will serve as a reverse proxy forwarding portal.external.com to portalserver.internal.domain:7443. This does require 443 to be open on your external firewall and 7443 to be open on your internal firewall.
A split DNS is required, where externally the portal.external.com IP is sent to your DMZ IIS IP via a NAT through your external firewall, and internally DNS sends portal.external.com directly to your DMZ IP. Please keep in mind that all traffic for your portal web adapter can only utilize one URL, portal.external.com, for both internal and external usage.
You will also need a publicly verifiable CA certificate for your external domain that will be used for your portal, for example portal.external.com. If you have an internal CA, you will need to add the authentication roots to the ArcGIS portal and server. Alternatively, you can copy the self-signed certificates to each system.
One configuration change is needed in the Portal Administrator Directory. Navigate to Home > System > Properties and set {"WebContextURL":"https://portal.external.com/portal"}
There is a video on YouTube detailing this process but I cannot find the link at the moment.
I highly recommend reaching out to ESRI Support, they have a great team and are very helpful.
Thanks for your suggestions on our struggles. I am a developer and not sure about network-side configurations. We configured the load balancer and WebContextURL as you mentioned in your post. Whenever we access the site from the internal network, it routes through the DMZ, and it shouldn't. Split DNS does most of the functionality. The problem here is that we don't have any documentation or video to understand and configure what suits our organization. I have already contacted Esri Support regarding the same, but they were saying it is out of scope for them.
Take a look at these videos:
Hi Lance,
Not sure if what you typed was a typo, but I thought it's worth clarifying your great post.
It's WebContextURL, not "Content".
The documentation for which is here: https://enterprise.arcgis.com/en/portal/latest/administer/windows/using-a-reverse-proxy-server-with-...
Thanks, Typo on my part. Corrected.
I didn't find anything related to DMZ configuration. These videos contain the installation process and configurations.
Does this diagram help explain? You need internal and external web adaptors. These all need to be registered with Portal and Server using their machine names to allow multiple web adaptors. You then set the WebContextURL in Portal and Server to the proper URL.
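Both the earlier post (WebContextURL set under Home > System > Properties in the Portal Administrator Directory) and the diagram post above (the same property set on Server as well as Portal) come down to one admin REST call per component. The script below is an added example, not code from the thread or from Esri; it uses only the Python standard library against the standard admin endpoints (Portal: /arcgis/sharing/rest/generateToken and /arcgis/portaladmin/system/properties, Server: /arcgis/admin/generateToken and /arcgis/admin/system/properties). The hostnames (portal.external.com, portalserver.internal.domain), ports 7443/6443, the web adapter names portal and server, and the admin account are assumptions taken from the thread's naming. It refuses a WebContextURL that still carries an internal port or the wrong path (the usual cause of URLs that bounce back to the internal name), and it reads the existing property set before writing so nothing already configured is dropped. TLS verification stays on; pass your internal CA bundle instead of disabling it.

```python
"""Set WebContextURL on ArcGIS Enterprise Portal and ArcGIS Server via
their admin REST APIs (standard library only).

Hypothetical names used below, following the thread:
  public name       : https://portal.external.com
  portal admin base : https://portalserver.internal.domain:7443/arcgis
  server admin base : https://portalserver.internal.domain:6443/arcgis
  web adapter names : portal -> https://portal.external.com/portal
                      server -> https://portal.external.com/server
"""
import json
import ssl
import sys
import urllib.parse
import urllib.request


def validate_web_context_url(url, web_adapter_name):
    """Return a normalised WebContextURL or raise ValueError.

    The value must be exactly what clients will use: https, the public
    DNS name, no explicit port (443 is implied) and the web adapter name
    as the only path segment. An internal host:7443 URL is rejected.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("WebContextURL must use https: %r" % url)
    if not parts.hostname:
        raise ValueError("WebContextURL has no host: %r" % url)
    if parts.port not in (None, 443):
        raise ValueError("WebContextURL must not carry an internal port: %r" % url)
    path = parts.path.rstrip("/")
    if path != "/" + web_adapter_name:
        raise ValueError("path must be /%s, got %r" % (web_adapter_name, parts.path))
    if parts.query or parts.fragment:
        raise ValueError("WebContextURL must not contain a query or fragment")
    return "https://%s%s" % (parts.hostname, path)


def build_properties(url, web_adapter_name):
    """The property we want to write, keyed as the admin API expects."""
    return {"WebContextURL": validate_web_context_url(url, web_adapter_name)}


def merge_properties(current, new_props):
    """Overlay new values on the existing property set so no key is lost.
    Accepts either a flat JSON object or one wrapped in a 'properties' key."""
    base = current.get("properties")
    if not isinstance(base, dict):
        base = current
    merged = dict(base)
    merged.update(new_props)
    return merged


def tls_context(ca_bundle=None):
    """Verifying TLS context; add the internal CA instead of disabling checks."""
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def _post(url, params, ctx, referer):
    """POST form parameters and parse the JSON reply; both admin APIs report
    failures inside a 200 response, so inspect the body, not the status."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=data, headers={"Referer": referer})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        result = json.loads(resp.read().decode("utf-8"))
    if "error" in result or result.get("status") == "error":
        raise RuntimeError("%s failed: %s" % (url, json.dumps(result)))
    return result


def _set_web_context_url(admin_base, token_path, props_path, username, password,
                         public_url, wa_name, ctx):
    # Token bound to the Referer we send on every later request.
    token = _post(admin_base + token_path,
                  {"username": username, "password": password,
                   "client": "referer", "referer": admin_base,
                   "expiration": 15, "f": "json"}, ctx, admin_base)["token"]
    current = _post(admin_base + props_path, {"token": token, "f": "json"}, ctx, admin_base)
    merged = merge_properties(current, build_properties(public_url, wa_name))
    return _post(admin_base + props_path + "/update",
                 {"properties": json.dumps(merged), "token": token, "f": "json"},
                 ctx, admin_base)


def update_portal(admin_base, username, password, public_url, ctx, wa_name="portal"):
    """Portal Administrator Directory > System > Properties > Update."""
    return _set_web_context_url(admin_base, "/sharing/rest/generateToken",
                                "/portaladmin/system/properties",
                                username, password, public_url, wa_name, ctx)


def update_server(admin_base, username, password, public_url, ctx, wa_name="server"):
    """ArcGIS Server Administrator Directory > system > properties > update."""
    return _set_web_context_url(admin_base, "/admin/generateToken",
                                "/admin/system/properties",
                                username, password, public_url, wa_name, ctx)


if __name__ == "__main__":
    # usage: python set_webcontexturl.py <admin user> <password> [internal-ca.pem]
    user, pw = sys.argv[1], sys.argv[2]
    ctx = tls_context(sys.argv[3] if len(sys.argv) > 3 else None)
    print(update_portal("https://portalserver.internal.domain:7443/arcgis", user, pw,
                        "https://portal.external.com/portal", ctx))
    print(update_server("https://portalserver.internal.domain:6443/arcgis", user, pw,
                        "https://portal.external.com/server", ctx))
```

Run it from a machine that can reach 7443 and 6443 directly, not through the DMZ, and restart nothing: the property takes effect on the next request. After it runs, https://portal.external.com/portal/sharing/rest/info?f=json should report the public name in every URL it returns, from inside and outside alike.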
We have configured Azure AD to authenticate via SAML for internal and external users. Is that best practice going forward?
Yes that is good practice.