Web Adaptor with Admin rights

6738
7
04-15-2014 07:16 AM
Highlighted
Occasional Contributor

We use ArcGIS for Server 10.2 with Web Adaptor (with Admin rights), so we use port 80 for administrating tasks. Does it make any security hole for us? In all ESRI ArcGIS architecture diagrams, Admin uses 6080.

Tags (2)
7 Replies
Highlighted
Esri Regular Contributor
You can administer ArcGIS Server through the web adaptor, or you can check the box to disallow administration through the web adaptor and allow users inside your network to admin the server on port 6080. In any case, I'd personally not expose port 6080 to the outside world - connections to 6080 should be created by users on your internal network. What specific security holes are of concern? I'll tailor my response to your needs.
Highlighted
Occasional Contributor
You can administer ArcGIS Server through the web adaptor, or you can check the box to disallow administration through the web adaptor and allow users inside your network to admin the server on port 6080. In any case, I'd personally not expose port 6080 to the outside world - connections to 6080 should be created by users on your internal network. What specific security holes are of concern? I'll tailor my response to your needs.


We just use map services for internal network. We are using Web Adaptor(80) to administer and just wanted to be sure that enabling admin rights in Web Adaptor is safe.
Reply
0 Kudos
Highlighted
Esri Regular Contributor
We just use map services for internal network. We are using Web Adaptor(80) to administer and just wanted to be sure that enabling admin rights in Web Adaptor is safe.


It is, especially for internal users. Enabling admin access means that users can access server manager and the admin API via the web adaptor instead of going to the default application server port of 6080 to do so. Just limit the users that are members of the admin role to prevent users from performing unauthorized access to your site.
Highlighted
MVP Regular Contributor
To take this a step further, the Allowed Admin Access IPs section of the AGS Administrator API (found under Security > Config) allows you to control which IP addresses for client machines have access to the Administrative API.  This can be used as an additional security measure to prevent any un-authorized access to the server.  Just input a comma-separated list of IP addresses for client machines of known users who you wish to grant access (assuming your network assigned static IPs).
Highlighted
New Contributor III
Whether I check the "Enable administrative access to your site through the Web Adaptor" or not I am forced to administer ArcGIS server
through :6080. Reading this post it sounds like the most secure thing to do.

Our network is tightly secured, so I am wondering if that's why it will not work for me and if others are able to get this to work and access ArcGIS Server Manager using the web adaptor.  When I try to log on through the web adaptor it just hangs.
Reply
0 Kudos
Highlighted
New Contributor III
To answer my own question, it was a corrupt web adapter installation.  I am now able to administer ArcGIS Server through the web adaptor url using windows domain authentication.  Or I should say that I was last week, came in on Monday and now we are not able to.  Server Manager throws the error "Unauthorized Access:You are not authorized to access this application. Please contact your administrator."

In Catalog, trying to access ArcGIS server throws: "Token-based authentication failure." or "The server response took too long"
We are not using tokens and when you hit http://<servername>/arcgis/rest/services it shows that I am logged in as a local windows domain user?

We have an environment with the following configuration:
- Web Server with IIS / Web Adaptor 10.2.2
- GIS Server - ArcGIS Server 10.2.2
- Web Adaptor 10.2.2
- Integrated Windows Authentication
- Roles are managed by ArcGIS Server. Role type: Administrators
- Web Tier Authentication - IIS enabled Windows Auth.
Highlighted
New Contributor III
One more time....

Somehow we were removed as Role members of the Admin group. Problem solved!