Hello,
Its possible configure a reverse proxy in IIS that works fine having one rule for portal (/portal) and another for ArcGIS GIS Server (/server)?
We need that IIS works as a reverse proxy (URL Rewrite is used), and both Portal and Server use different context (https://domain.com/portal > Portal and https://domain.com/server > ArcGIS GIS Server [with full functionality, just as if you were using Web Adaptor]).
In Azure we have something similar (I include the web.config), the difference is the name used, in this case /arcgis is used for both applications (https://domain.com/arcgis/home > Portal and https://domain.com/arcgis/manager - https://domain.com/arcgis/rest/services - https://domain.com/arcgis/admin etc for ArcGIS GIS Server), that configuration works normally; but it is not the required in this case.
This is the environment:
1x ArcGIS Enterprise 10.8.1 on a Windows Server 2019 Standard  (Portal, ArcGIS GIS Server and ArcGIS Data Store) (on the LAN) and 1x server (DMZ) in Windows Server 2019 Standard with IIS 10.0.18362.1 (ports are open etc.).
I have tried several things, some work partially but I have not yet found a configuration where the whole environment works fine.
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="RP-HTTPS-Server" stopProcessing="true">
<match url="^[^/]+/(manager|admin|rest|services|mobile|tokens|login|help)(/?)(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="on" />
<add input="{SERVER_PORT}" pattern="443" />
</conditions>
<serverVariables>
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
<set name="ORIGINAL_URL" value="{HTTP_HOST}" />
</serverVariables>
<action type="Rewrite" url="https://internalserver.domain:6443/{R:0}" />
</rule>
<rule name="RP-HTTPS-BaseContextPath" stopProcessing="true">
<match url="(arcgis/?)$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="on" />
<add input="{SERVER_PORT}" pattern="443" />
</conditions>
<serverVariables>
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
<set name="ORIGINAL_URL" value="{HTTP_HOST}" />
</serverVariables>
<action type="Redirect" url="https://exteraldomain.com/{R:0}/home/" redirectType="SeeOther" />
</rule>
<rule name="RP-HTTPS-Portal" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="on" />
<add input="{SERVER_PORT}" pattern="443" />
</conditions>
<serverVariables>
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
<set name="ORIGINAL_URL" value="{HTTP_HOST}" />
</serverVariables>
<action type="Rewrite" url="https://internalserver.domain:7443/{R:0}" />
</rule>
</rules>
<outboundRules>
<rule name="Rewrite Location Header HTTPS" preCondition="IsRedirection">
<match serverVariable="RESPONSE_Location" pattern="^https://internalserver.domain:(6|7)443/(.*)" />
<action type="Rewrite" value="https://{ORIGINAL_URL}/{R:2}" />
<conditions>
<add input="{ORIGINAL_URL}" pattern=".+" />
</conditions>
</rule>
<preConditions>
<preCondition name="IsRedirection">
<add input="{RESPONSE_STATUS}" pattern="3\d\d" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2147483647" />
</requestFiltering>
</security>
<directoryBrowse enabled="true" showFlags="Date, Time, Size, Extension" />
<staticContent>
<mimeMap fileExtension=".lyr" mimeType="application/octet-stream" />
</staticContent>
</system.webServer>
</configuration>
Regards.
Hello @CraigRussell
Thanks for your time.
- It might be possible, and it might work, but it doesn't mean that it is documented and/or supported.
There is documentation, for example.
The Web Adaptor is a reverse proxy built to act as such, some time ago support had been consulted about, and the answer was something like "Web Adaptor is not the only way to perform the process, if configured properly the alternative should work normally".
But there is no official step-by-step, so you have to build it manually without a base and this maybe can cause issues, I understand your argument and you are right.
- And CloudBuilder isn't the exact same scenario as a standard reverse proxy setup because its doing all of the config for you.
It is interesting how it is configured in new versions, since it discards IIS; there must be some performance / security reason involved.
- To clarify this option, I mean that you would still use your reverse proxy in the DMZ, and this would point to the internal web adaptors.
Ah ok, yes this can be an option. At the moment I see it as the best alternative in case the environment cannot be configured.
The intention is make it as simple as possible, a reverse proxy to both sites and filter the rest through rules in the antivirus / firewall; the detail with this redirection from the IIS in the DMZ to the internal IIS would be the performance, it could be a temporary alternative while we figure out how to configure the environment.
It has been possible to configure Portal, create hosted services too but I have had problems with the ArcGIS GIS Server. The IIS does not rewrite the rest fine and sometimes place the context /arcgis in the url, I do a manual change to /server and you can access.
Regards.
Yeah, I think that using your DMZ IIS to point to two internal web adaptors is the only way around this without unfederating or introducing an additional component like Azure App Gateway. Have a go at this and let me know if it resolves the issue.
