Using IIS Application Request Routing (ARR) to proxy GeoEvent Stream Services

RJSunderman · ‎02-05-2016

Technical Support is available on this topic. Please contact Esri Technical Support and mention Article ID 000011685 and Article ID 000011689

See also: Geoevent WebSockets in 10.6 with ARR‌ and Windows/IIS Reverse Proxy for GeoEvent WebSocket

I received a second request recently for the information below, provided to me originally by Javier on the GeoEvent Server development team, so I thought I’d post it in case others are looking for the information.

After installing ARR, double-click the URL Rewrite icon and create a similar rule (replacing the hostname of the Rewrite URL to match your environment):

After applying the rule confirm you are able to access GeoEvent Manager through IIS:

Configuring your SSL certificates will be important. You can use IIS to create and export a Domain Certificate with a private key and then configure ArcGIS Server and GeoEvent to use that certificate. An alternative would be to get IIS to trust the certificate that is configured with your ArcGIS Server/GeoEvent installation.

It was discovered that, using the 10.3.1 release of GeoEvent Server and IIS version 8.5 with WebSockets enabled, with ARR configured to create a reverse proxy for GeoEvent that StreamService connections did not work. This issue was addressed in the 10.4 release of GeoEvent Server.

10.3.1 deployments can create a reverse proxy similar to WebAdaptor specifically for WebSockets using NGINX. Steps outlined below provide some detail on installing and configuring NGINX. A sample nginx.conf configuration is attached which you can use as a reference.

Please note: Esri tech support cannot help troubleshoot reverse proxy configurations - whether they be NGINX, IIS, or Apache. If you do plan on deploying a reverse proxy as part of a systems solution, make sure you have someone with appropriate experience available to you for help troubleshooting. Esri tech support has a KB article you can refer to:

http://support.esri.com/cn/knowledgebase/techarticles/detail/40680

Install a WebSocket reverse proxy server Nginx.
Enable HTTPS on the proxy server and configure it to use a certificate issued by a trusted 3rd party CA (Thawte, VeriSign, DigiCert).
Configure the proxy server to forward requests to GeoEvent Services. Attached is an example of an Nginx configuration file. You will need to change the following settings:
- server_name <your Web Socket reverse proxy server name>
- ssl_certificate <your CA-cert certificate file>
- ssl_certificate_key <your CA-cert certificate key file>
- server <list of servers that GeoEvent Extension is running on>. In this example, the server names are dev01014.esri.com, dev01015.esri.com, and dev01018.esri.com

Note: The WebSocket reverse proxy server is set to use HTTPS, but it connects to HTTP on the backend. In the example configuration file, the proxy_pass for port 443 is set to http: //skivmHTTP; not https: //skivmHTTP.

In a web browser, navigate to http: //<ServerName>:6080/arcgis/admin to access the ArcGIS Server Administrator Directory.
Login and click system -> properties-> update.
Enter a property called WebSocketContextURL to point to the Web Socket reverse proxy.

For example:

{"WebSocketContextURL": "wss://skivm.esri.com"}

In a browser, navigate to:

https: //<WAMachineName>/<context>/rest/services/<StreamServiceName>/Streamserver/subscribe

Click Subscribe to verify data is streaming. You can also verify data is streaming by navigating to:

https: //<WAMachineName>/<context>/rest/services/<StreamServicename>/StreamServer?f=jsapi

See Also:

https://nginx.com/resources/wiki

http://nginx.com/resources/admin-guide/reverse-proxy

http://www.iis.net/downloads/microsoft/application-request-routing

http://www.iis.net/learn/extensions/configuring-application-request-routing-(arr)

Hope this information is helpful -

RJ

Anonymous User · ‎02-08-2016

Thanks Javier Delgadillo and RJ Sunderman for the pertinent information. Great way to show the steps "more like a cheat sheet". I'll be sure to pass along any lessons learned.

Note: Please see Using NginX for Stream Service Load Balancer.pdf attached above to thread’s original post.

BruceDodson · ‎06-16-2016

I just stumbled upon this thread while researching an unrelated issue, but thought I would take a moment to supplement the information provided here, as I did get GeoEvent Extension 10.2.2 WebSockets working successfully with an IIS / ARR based reverse proxy solution a few years ago, and extended that to work with 10.3.x WebSockets and Stream Services last year.

In 10.2.2 at least, it required an outbound rule to ensure that the Sec-WebSocket-Protocol header was included in the response if it was specified in the request. However, I disabled that rule in our 10.3.1 environment and it seemed to continue working. (I inferred that the difference may be in the StreamLayer API, which might not include the Sec-WebSocket-Protocol request header anymore. This header is optional in the request, but required in the response if it was included in the request.)

With Stream Services in 10.3.x there were also some restrictions on naming conventions - e.g. services would not respond correctly when clients subscribe if they had an underscore in the name. However, we adjusted our names to work within this limitation, and during the past year we have successfully been using IIS + ARR for our stream services with 10.3.1 in a production setting.

In addition, I changed the Idle time-out for the DefaultAppPool to 0 from the default of 20 minutes, since ARR uses this app pool and we would not want it shutting down when the connection is idle. This is set in the Advanced Properties of the app pool.

I also disabled all caching for that server farm as follows:

Finally, I should mention that all of our testing and production use during the past three years has been with the newer ARR 3.0, available through the Web Platform Installer, not with the older ARR 2.5. In this version I access the URL Rewrite settings via the Routing Rules under the server farm. Although it is also available under the Default Web Site Home as illustrated by Javier's screenshot and shows the same rules.

Also, in ARR 3.0 we can reroute to a server farm by name, rather than rewriting the URL to point to a specific server as was done by Javier. Here is an excerpt from one of our inbound rules to illustrate.

Finally, note that the Windows port of nginx is still beta quality only, according to their website, is not as stable as other platforms, and can only handle a maximum of 1024 concurrent connections. It is better now than it was a few years ago, but that was why I looked at ARR first. If our ARR based solution had not worked, our backup plan was to use a Linux based nginx virtual appliance.

SimonJackson · ‎07-24-2016

RJ Sunderman I have ArcGIS Server, Portal, Data Store & Geoevent all installed on one Azure VM.

I am also using a custom domain name which is registered with IIS where the web adaptor sits.

This allows me to login to ArcGIS Server and Portal via this external domain name, but as GeoEvent does not sit within IIS, I cannot login to GeoEvent via its VM machine name (as Portal does not trust the URL, giving me an invalid redirect URI error)

I am wondering if I can make use of ARR to get around this issue?

BrianLomas · ‎06-05-2017

We are receiving data from an AVL system which uses NMEA messaging. We also have a reverse proxy in the DMZ for security reasons. How do we send NMEA messages through the reverse proxy to Geoevent? We're thinking of adding gpsgate to our reverse proxy to act as a listener to send the information through the firewall to geoevent. Does this sound like a good option or is there a better way of doing this? Thanks.