Re: Enterprise deployment with different external/internal domains

06-13-2023 09:47 AM
vijaybadugu
Occasional Contributor II

I have a question regarding configuration of a DMZ with a single-machine deployment; we have been struggling to configure a reverse proxy for ArcGIS Enterprise. We recently upgraded the Enterprise to 11.1. All components are on the same Windows Server (2 WAs, Server, Data Store and Portal), federated with IWA. We have configured the load balancer on the DMZ server and opened 443 to route the traffic from the DMZ. Here is our requirement: suppose a user or member accesses the URL from external, it should route through the DMZ (split DNS). If the user accesses from the internal network, it should hit the server directly (IWA) instead of routing through the DMZ. Is this possible? If yes, how do I need to configure this? Please help us.

0 Kudos
9 Replies
LanceCole
MVP Regular Contributor

@vijaybadugu

I can empathize with your struggles.

You will want to place the IIS server in your DMZ along with both of your web adapters.  The web adapters will serve as a reverse proxy forwarding portal.external.com to portalserver.internal.domain:7443.  This does require the 443 to be open on your external firewall and 7443 to be open on your internal firewall.  

A split DNS is required where your portal.external.com IP is sent to your DMZ IIS IP via a NAT through your external firewall and internal DNS is sent directly to your DMZ IP for portal.external.com.  Please keep in mind all traffic for your portal web adapter can only utilize one URL - portal.external.com for both internal and external usage.

You will also need a public verifiable CA certificate for your external domain that will be used for your portal.  For example - portal.external.com.  If you have an internal CA you will need to add the authentication roots to the ArcGIS portal and server.  Alternatively, you can copy the self-signed certificates to each system.

One configuration change is needed in Portal Administrator Directory.  Navigate to Home > System > Properties and set {"WebContextURL":"https://portal.external.com/portal"}

There is a video on YouTube detailing this process but I cannot find the link at the moment.

I highly recommend reaching out to ESRI Support, they have a great team and are very helpful.

0 Kudos
vijaybadugu
Occasional Contributor II

Thanks for your suggestions on our struggles. I am a developer and not sure about network-side configurations. We configured the load balancer and WebContextURL as you mentioned in your post. Whenever we access the site from the internal network, it routes through the DMZ, and it shouldn't. Split DNS does most of the functionality. The problem here is that we don't have any documentation or video to understand and configure what suits our organization. I have already contacted the ESRI Support team regarding the same, but they were saying it is out of scope for them.

0 Kudos
A_Wyn_Jones
Esri Contributor

Hi Lance,

Not sure if what you typed was a typo, but I thought it worth clarifying your great post.

It's WebContextUrl not "Content"

The documentation for which is here: https://enterprise.arcgis.com/en/portal/latest/administer/windows/using-a-reverse-proxy-server-with-...


"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."
0 Kudos
LanceCole
MVP Regular Contributor

Thanks, Typo on my part.  Corrected.

0 Kudos
vijaybadugu
Occasional Contributor II

I didn't find anything related to DMZ configurations. These videos contain the installation process and configurations.

0 Kudos
MarcGraham2
Occasional Contributor III

Does this diagram help explain? You need internal and external web adaptors.  These all need to be registered with portal and server using their machine names to allow multiple web adaptors.  You then set the webcontexturls in portal and server to the proper url.

https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-multiple-arcgis-web-adapto...

[image: MarcGraham2_0-1686710873087.png]

0 Kudos
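Lance's post above describes the pieces that have to line up for this layout (a split-DNS answer for portal.external.com that differs inside and outside, a public CA certificate on the DMZ IIS, and the WebContextURL property in Portal Administrator Directory), and Marc's post adds that the web adaptors are registered by machine name and the context URLs set afterwards. The following Python script is an added example, not code from this thread or from Esri, that checks each of those pieces against constructed sample values before you touch a live system. The admin-directory path `system/properties/update`, the form-field names `properties`, `token` and `f`, and the RFC 5737 sample addresses are assumptions made for this example; the DNS answers and the certificate dictionary are constructed inline and stand in for real lookups.

```python
"""Added example (not from the thread or from Esri): pre-flight checks for the
reverse-proxy / split-DNS layout discussed above."""
import ipaddress
import json
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample values for the layout in the thread; replace with your own.
EXTERNAL_HOST = "portal.external.com"                   # the single public URL for portal
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")          # DMZ subnet holding IIS + web adaptors (TEST-NET-1)
PUBLIC_NAT_IP = ipaddress.ip_address("203.0.113.10")    # public address NAT'd to the DMZ IIS host (TEST-NET-3)


def check_web_context_url(url, external_host=EXTERNAL_HOST, context="portal"):
    """Return the list of problems with a WebContextURL value (empty list means it looks right)."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append("scheme must be https")
    if (p.hostname or "") != external_host.lower():
        problems.append(f"host must be {external_host}")
    if p.port not in (None, 443):
        problems.append("must use the default HTTPS port (only 443 is opened on the DMZ)")
    if p.path.rstrip("/") != f"/{context}":
        problems.append(f"path must be /{context} (the web adaptor name)")
    if p.query or p.fragment or p.username or p.password:
        problems.append("no query, fragment or credentials allowed")
    return problems


def build_properties_update(portal_admin_base, token, web_context_url):
    """Build the URL and form fields for Portal Administrator Directory's
    System > Properties > Update operation. The path and field names are assumed
    for this example; confirm them against your own Portal's admin directory."""
    props = {"WebContextURL": web_context_url}
    fields = {"properties": json.dumps(props), "token": token, "f": "json"}
    return f"{portal_admin_base.rstrip('/')}/system/properties/update", fields


def check_split_dns(resolutions, dmz_net=DMZ_NET, public_nat_ip=PUBLIC_NAT_IP):
    """resolutions maps a vantage point ("internal"/"external") to the address the
    external host name resolved to from there. Internal clients should land on the
    DMZ IIS address directly; external clients should get the NAT'd public address."""
    problems = []
    internal = ipaddress.ip_address(resolutions["internal"])
    external = ipaddress.ip_address(resolutions["external"])
    if internal not in dmz_net:
        problems.append(f"internal DNS returns {internal}, which is not in the DMZ {dmz_net}")
    if external != public_nat_ip:
        problems.append(f"external DNS returns {external}, expected NAT address {public_nat_ip}")
    if internal == external:
        problems.append("both views return the same address: split DNS is not in effect")
    return problems


def cert_covers_host(peercert, hostname):
    """peercert uses the dict shape returned by ssl.SSLSocket.getpeercert().
    Checks the SAN entries, honouring a single left-most wildcard label."""
    host_labels = hostname.lower().split(".")
    for kind, name in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def is_self_signed(peercert):
    """A self-signed certificate has identical subject and issuer; the DMZ needs a public CA cert."""
    return peercert.get("subject") == peercert.get("issuer")


def fetch_peercert(hostname, port=443, timeout=5):
    """Live variant: fetch the certificate the DMZ presents on 443 (not used by the sample run)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample inputs standing in for real DNS answers and a real certificate.
SAMPLE_RESOLUTIONS = {"internal": "192.0.2.20", "external": "203.0.113.10"}
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.external.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "portal.external.com"), ("DNS", "*.external.com")),
}

if __name__ == "__main__":
    print("WebContextURL:", check_web_context_url("https://portal.external.com/portal") or "ok")
    print("split DNS:", check_split_dns(SAMPLE_RESOLUTIONS) or "ok")
    print("cert covers host:", cert_covers_host(SAMPLE_CERT, EXTERNAL_HOST),
          "self-signed:", is_self_signed(SAMPLE_CERT))
    print(build_properties_update("https://portalserver.internal.domain:7443/arcgis/portaladmin",
                                  "<token>", "https://portal.external.com/portal"))
```

Run `check_split_dns` once with the answer from an internal resolver and once from an external one (for example with `socket.gethostbyname` on each side); if the internal view still returns the public NAT address, internal clients will keep routing through the DMZ, which is the symptom described in the thread.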
vijaybadugu
Occasional Contributor II

We have configured Azure AD to authenticate with SAML for internal and external. Is that best practice going forward?

0 Kudos
MarcGraham2
Occasional Contributor III

Yes that is good practice.

0 Kudos