
Web Adaptor in DMZ for use with ArcGIS Online

04-07-2016 07:10 AM
NickAlexandrou1
Deactivated User

My organization currently has our ArcServer behind our firewall and is implementing a web server with Web Adaptor installed and configured on it for use with our ArcGIS Online Organization account in our DMZ. Without the Web Adaptor in the DMZ, we currently have to VPN into our network to allow the data in our web maps to appear. I understand the Web Adaptor was created to resolve this specific issue. My question comes from the configuring of the Web Adaptor. I understand how to make the Web Adaptor communicate back into our network to interact with our ArcServer; however, I do not understand the communication from the Web Adaptor through our exterior firewall to our ArcGIS Online accounts. When we open an external-facing port for ArcGIS Online requests (REST URLs for the data), what IP address do we make that port accessible to? Do we just open the port to any world wide web authenticated domain through ESRI, or are there specific ESRI cloud-based server IP addresses where the authentication credentials are held when we log into AGOL that the requests for data come from?

I hope this question was posed in a way that makes sense.

0 Kudos
6 Replies
RebeccaStrauch__GISP
MVP Emeritus

Do you have the typical port 80 open for web/IIS traffic? Or 443 if secure services (and using https). If so, in AGOL, for the "My Contents" tab, select "Add Item" and "Item from the web". For the URL, copy the URL from the REST Services directory for the service, as you would see it if viewing thru your web adaptor. For example:

Under the blue is the URL to my web machine and "mapping" is the name of my web adaptor, e.g.

https://<IIS URL>/mapping/rest/services/dfg_public/USAtopoArcOnline/MapServer

We use https, but this could be http if you don't have it set up.

0 Kudos
NickAlexandrou1
Deactivated User

We haven't actually set the web adaptor up yet in the DMZ. They established one a couple of years ago, although it is still behind our firewall completely and defeats the purpose of having one (I could just go to our ArcServer Manager page and grab the REST URLs from there). I've asked them to put a new web adaptor in our DMZ to eliminate VPN needs into our network, since I would be grabbing the URL from the new web machine and web adaptor in the DMZ (like you've noted). Our IT dept. is just skeptical as to whether, when port 80 or 443 is open for web/IIS traffic, anyone is capable of accessing it and entering our network. I don't believe they have either port open currently, and were just looking for specifics of configuration. Their concern is port phishing if the ports are open to web/IIS traffic. Granted, I am not a network/firewall expert, but this is the gist of what I've understood from their concerns. They have ports open for other applications, but those ports have been configured to specific IP addresses of the servers requesting information, so it is a singular end-to-end communication. It seems like the web adaptor is not that way?

0 Kudos
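The layout described in this thread (IIS and Web Adaptor in the DMZ, ArcGIS Server on port 6080 behind the firewall) can be checked against a firewall rule export with a short script. This is an added example, not part of any post and not Esri code; the addresses, rule names and the policy itself (web ports open on the DMZ host, only that host allowed to reach the server) are assumptions.

```python
import ipaddress
from typing import NamedTuple

net = ipaddress.ip_network

# Constructed addressing (assumptions, not values from the thread).
WEB = net("192.0.2.10/32")     # IIS + Web Adaptor host in the DMZ
AGS = net("10.0.5.20/32")      # ArcGIS Server behind the firewall
INTERNAL = net("10.0.5.0/24")  # internal network that holds the server
AGS_PORT = 6080                # port shown in the thread's manager URL
WEB_PORTS = {80, 443}          # ports named in the thread for IIS traffic


class Rule(NamedTuple):
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # destination TCP port


def audit(rules):
    """Return (rule name, finding) pairs for rules that break the assumed policy."""
    findings = []
    for r in rules:
        src, dst = net(r.src), net(r.dst)
        if dst.overlaps(INTERNAL):
            if src != WEB:
                # Anything but the DMZ web host crossing into the LAN.
                findings.append((r.name, "internal network reachable from a source other than the DMZ web host"))
            elif dst != AGS or r.port != AGS_PORT:
                # The DMZ host should only ever talk to the server's one port.
                findings.append((r.name, "DMZ web host allowed beyond ArcGIS Server:6080"))
        elif dst.overlaps(WEB) and r.port not in WEB_PORTS:
            findings.append((r.name, "non-web port exposed on the DMZ web host"))
    return findings


# Constructed sample rule export.
SAMPLE_RULES = [
    Rule("web-in-443", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("web-to-ags", "192.0.2.10/32", "10.0.5.20/32", 6080),
    Rule("legacy-ags-direct", "0.0.0.0/0", "10.0.5.20/32", 6080),
    Rule("web-rdp", "0.0.0.0/0", "192.0.2.10/32", 3389),
    Rule("web-to-lan", "192.0.2.10/32", "10.0.5.0/24", 6080),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES):
        print(f"{name}: {why}")
```
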
RebeccaStrauch__GISP
MVP Emeritus

I just included these links in another thread

Trust | ArcGIS

I would start looking thru this and seeing if you can make your IT folks a little more comfortable. I know I have gone thru many of the same processes, but however they set up all our public IIS pages, works and they seem to be happy with. BTW, our IIS and web adaptors are on a different server than the AGS which is behind our firewall.

I have many of these other links under my "pinned" section, and rather than include them here again...

Web AppBuilder Developer Edition - Customization Resource List

NickAlexandrou1
Deactivated User

Thanks Rebecca, I'll do some more digging in your provided links. Our IIS and Web Adaptor will also be on a different machine than our AGS. Our AGS is housed on a machine behind our firewall and our IIS and Web Adaptor Machine is currently in the process of being built in our DMZ.

0 Kudos
NickAlexandrou1
Deactivated User

Rebecca, this might be a dumb question but would there be an issue if the Web Adaptor is established via https and port 443, our AGOL account only uses https access, but our AGS behind our firewall is not? For instance, our AGS server manager page's url is simply http://<servername>:6080/arcgis/manager/ would there be an issue if that is lacking https? Or does it not have https because that is not required being that it exists on our secured network already behind our firewall? Sorry if there is an obvious answer I should know, this is just not something I am an expert on.

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

I would not think that would be an issue, but cannot answer for sure. When using the <servername>:6080 you are accessing the server direct, and not thru the web adapter, from what I understand of it. When using the 443 and web adapter, you are using something like IIS for web access.

We actually have two web adapters installed, one for public services, the other for secure. Both web adapters will show the public (non-secure) services and will let you login for the secure services. But when it comes into play for me is in my proxy file. The public web adapter does not need a token so just passes the requests thru (and secure services will not pass). For the secure web adapter, the proxy has a token.

At the dev summit this year, there was a really good session on using proxies and getting things to work with AGS and AGOL. Unfortunately, it was not listed as one of the free sessions. I purchased the recordings and this is one of my "must watch again, a couple times" sessions. I probably won't be able to really let my brain soak in the info until June/July time frame myself. If you have access to the recordings, or are going to the UC, look for a session called something like "Use Online Services without End-user Login with Resource-Proxy". Not sure if it will work for us (I'm looking at OpenData access or secured data) but it had real potential. Proxies are nothing new, but this got me thinking of them in a different way.

I hope some of this helps. I find that sometimes you won't really know how things will work until you try them.

0 Kudos