Community

Deployment Patterns for Exposing ArcGIS Enterprise Secured Services to External Users

17937
23
05-19-2021 11:29 AM
NoahMayer
by Esri Contributor
Esri Contributor
13 23 17.9K
‎05-19-2021 11:29 AM

Introduction

 

Security plays a big part in the enterprise architecture design process. Security policies vary between organizations, and different deployment patterns are required to meet those requirements and constraints. In this post I will try to address some of the more common security constraints, and suggest deployment patterns to satisfy them.

This is by no means an exhaustive list of all available security requirements and security architecture patterns.

This post will focus on architecture patterns to expose ArcGIS Enterprise secured resources to external clients, i.e. systems with the requirement to be accessed outside of the organization internal network, via a DMZ, e.g. to support field workers access without a VPN.

There are additional considerations that play part in the decision on which pattern to use, which this post is not going to cover, such as how many resources, e.g. hardware, licensing, and staff, will be required for each pattern.

In order to simplify and focus on the security aspect of the architecture pattern, all architectures in this post are not highly available, but each can be adjusted to a highly available architecture without changing the pattern.

 

DMZ Reverse Proxy

 

Let’s begin with the most common external facing ArcGIS Enterprise system deployment pattern, using a reverse proxy in the DMZ.

 

Figure 1 - DMZ Reverse Proxy

 

Figure 1 - DMZ Reverse Proxy.PNG

 

In this pattern, all ArcGIS Enterprise components are hosted in the internal network, behind the firewall, and a reverse proxy (this can be a commercial reverse proxy, such as F5 or NetScaler, open-source reverse proxy such as Nginx or HAProxy, or a second set of ArcGIS Web Adaptors), is deployed in the DMZ, and passes external requests to ArcGIS Enterprise.

ArcGIS Enterprise portal supports only one DNS for public portal URL (the web context URL), and to support external access, an externally resolvable DNS name for the portal’s web context URL, e.g. https://gis.company.com/portal, must be used.

In most cases, the pattern above will include implementation of a Split Domain Name System (Split DNS), i.e. internal requests to ArcGIS Enterprise DNS (e.g. gis.company.com) will be resolved to the internal web adaptors machine IP, so internal users will stay behind the firewall, and external requests to ArcGIS Enterprise DNS will be resolved to the DMZ reverse proxy IP.

Using a Web Application Firewall (WAF) in front of the DMZ reverse proxy is a security best practice, as it adds additional security controls. Esri maintains a document (organizational login is required) in https://trust.arcgis.com with list of endpoints which may be safely filtered from external access to deny external access to potentially sensitive resources in your ArcGIS Enterprise site.

 

Special Security Constraints

 

No Unauthenticated Access to the Internal Network

 

In a federated ArcGIS Enterprise system, portal is responsible for user authentication and authorization. In the pattern above, when user makes a request to ArcGIS Enterprise, ArcGIS Enterprise will first check if the request to the secured resource (e.g. service) contains a valid authentication information, and if not, ArcGIS Enterprise will return a redirect response to the client to authenticate with the configured identity provider, e.g. SAML or OpenID Connect.

In the architecture above, an unauthenticated request from an external client is passed from the DMZ reverse proxy to an internal web adaptor, and from the web adaptor to ArcGIS Enterprise portal or server, before ArcGIS Enterprise returns a redirect response to the client.

Some security policies forbid unauthenticated access to the intranet zone, and so the above architecture does not meet this constraint.

 

No HTTPS Access / Only Database Access is Allowed from the DMZ to the Internal Network

 

Most security policies allow inbound access from the DMZ to the internal network, but may limit the type of allowed access by protocols or ports. Examples would be to not allow HTTPS (Hypertext Transfer Protocol Secure) access from DMZ to the intranet or allowing only database access via custom ports.

In the architecture above the DMZ reverse proxy pass the requests to ArcGIS Enterprise using HTTPS via port 443, which does not meet the constraint.

 

No Inbound Access from the DMZ to the Internal Network

 

In some cases, security policies forbid any type of inbound access from the DMZ to the internal network, and only allow non-persistent connections from the intranet to the DMZ.

 

Security Architecture Patterns

 

Let’s consider the below security architecture patterns and review how each pattern addresses some or all of the security constraints which we have reviewed above.  

 

DMZ ArcGIS Enterprise Portal and Registered Services

 

Figure 2 - ArcGIS Enterprise Portal Proxy

 

Figure 2 - ArcGIS Enterprise Portal Proxy.PNG

 

In figure 2 above, there is an ArcGIS Enterprise portal in the DMZ, and an ArcGIS Enterprise server in the internal network. The internal standalone server is not federated with portal – services are published directly to the standalone server, configured as secured in server using an application account (ArcGIS Enterprise server built-in application account or Active Directory / LDAP service account), and then added to portal as items from the web with stored credentials. When ArcGIS Enterprise server secured service is registered in portal with stored credentials, portal creates a proxy URL for that service, and all requests to that service will go through portal before they are forwarded to the internal standalone Server. ArcGIS Enterprise portal also allows you to define rate limit and specific referrers that can access the service.

Using the above pattern meets the constraint of no unauthenticated access to the internal network, as all external requests must pass through the portal in the DMZ, which will first authenticate and authorize the user, and only then make a request to the service in the internal network. Be aware that since all requests from portal to server are done using the stored credentials, you lose the editor tracking capability.

The architecture in this pattern can be elaborated to include an internal-facing federated system of ArcGIS Enterprise with portal, hosting server, and federated server(s), as depicted in figure 3.

 

Figure 3 - ArcGIS Enterprise Portal Proxy Elaborated

 

Figure 3 - ArcGIS Enterprise Portal Proxy Elaborated.png

Internal Replicated Geodatabase

 

Some organizations’ security policies do not allow HTTPS access from the DMZ to the intranet, and only allow database access, usually via non-default ports, and in many cases also do not allow external access to a primary production database, and require the usage of a separate database.

In figure 4 below, ArcGIS Enterprise is deployed to the DMZ, and an internal replicated enterprise geodatabase is used as registered data source for the mapping server. Either Esri geodatabase replication or RDBMS replication can be used.

 

Figure 4 - Database Replication

 

Figure 4 - Database Replication.PNG

 

Figure 5 below presents an elaborated architecture which includes internal-facing ArcGIS Enterprise system in the internal network and an external-facing ArcGIS Enterprise system in the DMZ.

 

Figure 5 - Database Replication Elaborated

 

Figure 5 - Database Replication Elaborated.PNG

 

Service Publication and Collaboration

 

Finally, for those who do not allow any inbound access from the DMZ to the intranet, figure 6 below depicts an external-facing ArcGIS Enterprise in the DMZ, and an internal-facing ArcGIS Enterprise in the intranet, with:

  1. Services published to the DMZ ArcGIS Enterprise system as hosted layers, and automated tasks running on a schedule (e.g. nightly or weekly) to overwrite the hosted data with updated data from the internal ArcGIS Enterprise system
  2. Feature layers are shared by copy from the internal ArcGIS Enterprise system to the DMZ ArcGIS Enterprise system via distributed collaboration with two-way shared editing (introduced at version 10.9)

 

Figure 6 - Service Publication and Collaboration

 

Figure 6 - Service Publication and Collaboration.PNG

 

Restrict External Applications Access to ArcGIS Enterprise

 

In some cases, organizations use ArcGIS Enterprise to support external integrating applications and want to restrict external applications access by filtering external requests, allowing requests only from either specific list or range of IPs, or from specific domains.

 

ArcGIS Online Proxy

 

Similar to the DMZ ArcGIS Enterprise Portal and Registered Services pattern (figure 2 above), ArcGIS Online also acts as a proxy when you register secured services from either standalone ArcGIS Enterprise server or from federated ArcGIS Enterprise system. In Figure 7 below, services from an internal ArcGIS Enterprise system are registered in ArcGIS Online with stored credentials, ArcGIS Online can access the services via the DMZ reverse proxy, and the reverse proxy is configured to allow requests only from ArcGIS Online domain, blocking requests from any other sources. The integrating system web or mobile app can be registered with ArcGIS Online using OAuth 2.0 and ArcGIS Identity, so only authenticated and authorized users can access the registered services. Since ArcGIS Online will access the services using the stored credentials, editor tracking will not work. Similar to portal, you can define rate limit and specific referrers that can access the services.

 

Figure 7 - ArcGIS Online and Registered Services

 

Figure 7 - ArcGIS Online and Registered Services.PNG

 

Server Proxy

 

Another approach would be to use a standalone ArcGIS Enterprise server site and a server proxy to access secured services from an integrating web app.

In figure 8 below, integrating system web app clients are configured to send GIS requests to a proxy, hosted on the integrating system application server. The integrating application server is responsible to secure access to the proxy, i.e. allow only app-authenticated users to access the proxy, and to protect (encrypt) the ArcGIS Enterprise server credentials. The proxy handles the ArcGIS Enterprise server token security on behalf of the client, using a server built-in application account or an Active Directory / LDAP service account, and sends the request to the internal standalone ArcGIS Enterprise server site via the DMZ reverse proxy. The reverse proxy is configured to allow requests only from the integrating app server(s) IPs (list or range), blocking requests from any other sources.

 

Figure 8 - Integrating Web App Server Proxy

 

Figure 8 - Integrating Web App Server Proxy.PNG

 

23 Comments
George_Thompson
by Esri Frequent Contributor
Esri Frequent Contributor
‎05-19-2021 11:46 AM

Great resource, thanks!

JoshuaBixby
by MVP Esteemed Contributor
MVP Esteemed Contributor
‎05-19-2021 01:11 PM

Given that Esri's own GitHub repository for Resource Proxy states, "We don't recommend using this resource proxy. It is not being maintained and there's been no active development for many years," I don't think it should be included in this blog post.

NoahMayer
by Esri Contributor
Esri Contributor
‎05-19-2021 02:05 PM

@JoshuaBixby Thanks for the feedback. I have updated the pattern to describe the usage of a server proxy with web clients.

LukeSavage
by
Occasional Contributor II
‎06-04-2021 09:05 AM

Great diagrams and article describing the various deployment patterns within various security network methods.  In addition, there are always holes and without an IT SOP Mitigation plan to combat breaches, architecture is only one facet of the scenario.  Love this article and you have eloquently made it simple to understand.  Thank you 🙂 

GavinCollins1
by Esri Contributor
Esri Contributor
‎06-29-2021 08:21 AM

Thanks @NoahMayer great article 😀

Sizige
by
New Contributor II
‎11-01-2021 08:16 AM

Thank you for this.  I have been trying to advocate for our portal to be open to share resources to the public.  I will provide this to our IT infrastructure folkes.  Great article and diagrams.  

MartinWennerwald1
by
New Contributor
‎03-04-2022 12:02 AM

Hi Noah

Thanks for a great detailed article.

We are currently working on setting up the ArcGIS Online Proxy setup (Fig. 7), but can't seem to find information on which domains to limit access to. In your article you write : "ArcGIS Online can access the services via the DMZ reverse proxy, and the reverse proxy is configured to allow requests only from ArcGIS Online domain, blocking requests from any other sources."

Where do I find the documentation for what the "arcgis online domain" consists of, specifically with regards to registered services?

Thanks in advance.

/Martin

0 Kudos
NoahMayer
by Esri Contributor
Esri Contributor
‎03-04-2022 06:57 AM

Hi @MartinWennerwald1!

Esri is maintaining an ArcGIS Online domain requirements document in ArcGIS Trust Center.  There are tow versions of the document:

Public document (less detailed): https://trust.arcgis.com/en/documents/AGOL_Domain_Requirements.pdf 

Customer Accessible Document (more detailed, requires login): https://trust.arcgis.com/en/customer-documents/ArcGIS%20Online%20FQDN%20Requirements%20V1.8%20June%2... 

This document is intended mainly for a forward proxy, to allow users to access ArcGIS Online resources, so you can see the list beyond what's required for setting up the ArcGIS Online Proxy (Fig. 7). 

What I would recommend is to view the service URL in the portal item which is created for the registered services, this URL is the proxy URL, and allow only the FQDNs which are used for the proxy:

NoahMayer_0-1646405799303.png

 

0 Kudos
MehdiPira1
by Esri Contributor
Esri Contributor
‎05-17-2022 06:45 PM

Very helpful, Thanks @NoahMayer .

0 Kudos
BrianVillanueva
by
New Contributor
‎07-19-2022 12:08 PM

Hi @NoahMayer , where can I find the stencils used in the diagrams?

NoahMayer
by Esri Contributor
Esri Contributor
‎07-19-2022 02:43 PM

@JeffDeWeese can you help?

0 Kudos
JeffDeWeese
by Esri Contributor
Esri Contributor
‎07-19-2022 08:25 PM

The only publicly available icons I am aware of are here, but they lack the server type icons, etc.: https://community.esri.com/t5/implementing-arcgis-blog/esri-presentation-icons/ba-p/886935 

0 Kudos
vijaybadugu
by
Occasional Contributor II
‎06-13-2023 09:45 AM

I have Question regarding configuration of DMZ with Single machine Deployment, we have been struggling to configure reverse proxy for ArcGIS Enterprise. We recently Upgraded the Enterprise to 11.1. All components are on Same Windows Server (2 WA's, Server, Data store and Portal) Federated IWA. We have Configured the load balancer on DMZ Server and open the 443 to route the traffic from DMZ Server. Here is the Our Requirement, Suppose User or member accessed the URL from External, It should route from the DMZ (Split DNS). If user Accessed from Internal network, it should hit Direct server instead of Routing From DMZ. Is this Possible ? If yes, How I need to configure those ? Please help us . 

0 Kudos
NoahMayer
by Esri Contributor
Esri Contributor
‎06-13-2023 04:29 PM

Hi @vijaybadugu,

What you are describing is a Split (or Split-Brain) DNS configuration:  in this configuration, as you described, internal users are directed to the internal server IP (which is a private IP) and external users are directed to the DMZ reverse proxy IP (which is a public IP). The actual configuration depends on how your organization configures DNS.
In many cases, organizations will have:
1. Internal DNS servers, where they would configure A-Records and CNAME records for their internal domain, for example:
A Record: machine1.company.int --> <Machine Internal IP>
CNAME Record: maps.company.com -->  machine1.company.int
2. Public DNS service, such as Google or Cloudflare, where they would configure an A Record for the external users, for example:
A Record: maps.company.com --> <DMZ Reverse Proxy Public IP>

In this configuration, all internal users, since they are on the internal network, which is configured to use the internal DNS servers for name resolution, will be directed to the internal server, and all the external users, since they are coming from the Internet, will be directed to the DMZ reverse proxy.  

DavidHoy
by Esri Contributor
Esri Contributor
‎06-13-2023 04:32 PM

hi Vijay,

your plan is sound - a split-zone dns arrangement would certainly allow the ArcGIS Enterprise to work for external and internal users.

There are many forms of DNS, so, it is difficult to provide instructions here unless you can be more specific. A bit of web searching for the doc for your particular DNS provider should get you there.

If you cant work it out - it is not a critically bad thing to allow your internal users to have everyone have the FQDN resolve to the Reverse Proxy.

0 Kudos
vijaybadugu
by
Occasional Contributor II
‎06-14-2023 06:23 AM

We have configured AZURE AD for  authenticate SAML for internal and external. is that best practice to go farward

0 Kudos
NoahMayer
by Esri Contributor
Esri Contributor
‎06-14-2023 11:49 AM

@vijaybadugu Yes definitely. SAML and OpenID Connect logins are recommended. 

0 Kudos
vijaybadugu
by
Occasional Contributor II
‎06-14-2023 03:00 PM

Have a another question regarding content transfer, The current user format with IWA is <usrname>@domain. when I moved from the AD to Azure AD, The format of username would be changed to <usrname>@domain.net (email format). How do I transfer the content to new user ? is there a way to update enterprise user without transferring the content ? and we have a bunch of users. when comes to the identity store, can I keep same what it is now  "windows" in portal admin

User store configuration:{ "type": "WINDOWS"

 

Group store configuration:{ "type": "WINDOWS", 

 

? do i need to change anything? Actually I disabled the windows authentication and enabled Anonymous enabled.

0 Kudos
DavidHoy
by Esri Contributor
Esri Contributor
‎06-14-2023 07:12 PM

If you just switch to using SAML login, you are correct that new users may appear in your Portal for the <usrname>@domain.net username provided by Azure AD as they start to login (if you have automatic user creation enabled)

There is no back-door way to update existing users to have a new username.

You will need to transfer any content owned by the existing usernames <usrname>@domain to be owned by the new names.

We have handled this by scripting
- create the new users and assign the new users the appropriate type and role
- assign the new usernames to the Groups to match the old username
- transfer ownership of any Portal items to the new user
- disable the existing Username (remove in future)

Once this is complete, the first time a user logs in via SAML, they will find their new username is in place

You cannot have IWA and SAML working at the same time, so User Store Configuration and Group Store configuration cannot be "WINDOWS"

0 Kudos
vijaybadugu
by
Occasional Contributor II
‎06-14-2023 07:31 PM

Can I make both as empty (user store and group store ) ? 

0 Kudos
DeanMoiler
by
Occasional Contributor
‎06-15-2023 03:24 AM

Hi @vijaybadugu,

You can apply your SAML username to existing users to allow SAML login if you don't want to migrate content / create / delete users. More info here:

Solved: Re: Change Authentication from IWA to other method... - Esri Community

As @DavidHoy  says, this won't change the user's username, but it will allow existing users to log in with SAML.

We investigated creating a new domain attribute to hold username@domain to keep this naming format, as we had thousands of users, and have new users created in this format, but the overhead for this attribute was passed over in favour of creating new users with new username format and migrating content and users by script.

0 Kudos
vijaybadugu
by
Occasional Contributor II
‎06-15-2023 06:38 AM

I removed user and group store configurations as I'm using SAML authentication. as I mentioned earlier, It is federated with server, 

Service URL

Administration URL
as per old configurations, I did not change anything and anywhere except WebContextURL in arcgis portal admin.all are pointing to internal domain reference.
 
For above Server Configurations Do I need provide DNS  alias or internal domain ? 
 
 
vijaybadugu_1-1686835810041.png

 

Every time, I click on Organization tab in ArcGIS Portal, it displays a dialog to sign in. can we bypass this ?  after clicking ok, it automatically signed in.

We have a Web application and in that, all map services are pointing to <internal domain>/rest/services/<Service Name>/MapServer. Do I need to change all map services URLs to DNS alias  instead of internal domain that we were using till now?
 
Thanks 

 

 
 

 

0 Kudos
NoahMayer
by Esri Contributor
Esri Contributor
‎06-15-2023 02:24 PM

@vijaybadugu,

Portal for ArcGIS does not support changing/setting the WebContextURL for an existing ArcGIS Enterprise system that has content, because all the original items have the old, internal domain URLs, and all those will have to be updated to the new DNS alias.

The Services URL in the federation will have to be updated with the new DNS alias because this is how all users will access the services. External users will not be able to resolve your internal domain URLs. 

I recommend you collaborate with Esri professional services to assist you with this process.  

0 Kudos
About the Author
I am a senior Enterprise Solutions Architect within Esri's Implementation Services Department. I have over 15 years of experience in technical consulting, solution design and system architecture.