Deployment Patterns for Exposing ArcGIS Enterprise Secured Services to External Users

23045
34
05-19-2021 11:29 AM
NoahMayer
Esri Contributor
17 34 23K

Introduction

 

Security plays a big part in the enterprise architecture design process. Security policies vary between organizations, and different deployment patterns are required to meet those requirements and constraints. In this post I will try to address some of the more common security constraints, and suggest deployment patterns to satisfy them.

This is by no means an exhaustive list of all available security requirements and security architecture patterns.

This post will focus on architecture patterns to expose ArcGIS Enterprise secured resources to external clients, i.e. systems with the requirement to be accessed outside of the organization internal network, via a DMZ, e.g. to support field workers access without a VPN.

There are additional considerations that play part in the decision on which pattern to use, which this post is not going to cover, such as how many resources, e.g. hardware, licensing, and staff, will be required for each pattern.

In order to simplify and focus on the security aspect of the architecture pattern, all architectures in this post are not highly available, but each can be adjusted to a highly available architecture without changing the pattern.

 

DMZ Reverse Proxy

 

Let’s begin with the most common external facing ArcGIS Enterprise system deployment pattern, using a reverse proxy in the DMZ.

 

Figure 1 - DMZ Reverse Proxy

 

Figure 1 - DMZ Reverse Proxy.PNG

 

In this pattern, all ArcGIS Enterprise components are hosted in the internal network, behind the firewall, and a reverse proxy (this can be a commercial reverse proxy, such as F5 or NetScaler, open-source reverse proxy such as Nginx or HAProxy, or a second set of ArcGIS Web Adaptors), is deployed in the DMZ, and passes external requests to ArcGIS Enterprise.

ArcGIS Enterprise portal supports only one DNS for public portal URL (the web context URL), and to support external access, an externally resolvable DNS name for the portal’s web context URL, e.g. https://gis.company.com/portal, must be used.

In most cases, the pattern above will include implementation of a Split Domain Name System (Split DNS), i.e. internal requests to ArcGIS Enterprise DNS (e.g. gis.company.com) will be resolved to the internal web adaptors machine IP, so internal users will stay behind the firewall, and external requests to ArcGIS Enterprise DNS will be resolved to the DMZ reverse proxy IP.

Using a Web Application Firewall (WAF) in front of the DMZ reverse proxy is a security best practice, as it adds additional security controls. Esri maintains a document (organizational login is required) in https://trust.arcgis.com with list of endpoints which may be safely filtered from external access to deny external access to potentially sensitive resources in your ArcGIS Enterprise site.

 

Special Security Constraints

 

No Unauthenticated Access to the Internal Network

 

In a federated ArcGIS Enterprise system, portal is responsible for user authentication and authorization. In the pattern above, when user makes a request to ArcGIS Enterprise, ArcGIS Enterprise will first check if the request to the secured resource (e.g. service) contains a valid authentication information, and if not, ArcGIS Enterprise will return a redirect response to the client to authenticate with the configured identity provider, e.g. SAML or OpenID Connect.

In the architecture above, an unauthenticated request from an external client is passed from the DMZ reverse proxy to an internal web adaptor, and from the web adaptor to ArcGIS Enterprise portal or server, before ArcGIS Enterprise returns a redirect response to the client.

Some security policies forbid unauthenticated access to the intranet zone, and so the above architecture does not meet this constraint.

 

No HTTPS Access / Only Database Access is Allowed from the DMZ to the Internal Network

 

Most security policies allow inbound access from the DMZ to the internal network, but may limit the type of allowed access by protocols or ports. Examples would be to not allow HTTPS (Hypertext Transfer Protocol Secure) access from DMZ to the intranet or allowing only database access via custom ports.

In the architecture above the DMZ reverse proxy pass the requests to ArcGIS Enterprise using HTTPS via port 443, which does not meet the constraint.

 

No Inbound Access from the DMZ to the Internal Network

 

In some cases, security policies forbid any type of inbound access from the DMZ to the internal network, and only allow non-persistent connections from the intranet to the DMZ.

 

Security Architecture Patterns

 

Let’s consider the below security architecture patterns and review how each pattern addresses some or all of the security constraints which we have reviewed above.  

 

DMZ ArcGIS Enterprise Portal and Registered Services

 

Figure 2 - ArcGIS Enterprise Portal Proxy

 

Figure 2 - ArcGIS Enterprise Portal Proxy.PNG

 

In figure 2 above, there is an ArcGIS Enterprise portal in the DMZ, and an ArcGIS Enterprise server in the internal network. The internal standalone server is not federated with portal – services are published directly to the standalone server, configured as secured in server using an application account (ArcGIS Enterprise server built-in application account or Active Directory / LDAP service account), and then added to portal as items from the web with stored credentials. When ArcGIS Enterprise server secured service is registered in portal with stored credentials, portal creates a proxy URL for that service, and all requests to that service will go through portal before they are forwarded to the internal standalone Server. ArcGIS Enterprise portal also allows you to define rate limit and specific referrers that can access the service.

Using the above pattern meets the constraint of no unauthenticated access to the internal network, as all external requests must pass through the portal in the DMZ, which will first authenticate and authorize the user, and only then make a request to the service in the internal network. Be aware that since all requests from portal to server are done using the stored credentials, you lose the editor tracking capability.

The architecture in this pattern can be elaborated to include an internal-facing federated system of ArcGIS Enterprise with portal, hosting server, and federated server(s), as depicted in figure 3.

 

Figure 3 - ArcGIS Enterprise Portal Proxy Elaborated

 

Figure 3 - ArcGIS Enterprise Portal Proxy Elaborated.png

Internal Replicated Geodatabase

 

Some organizations’ security policies do not allow HTTPS access from the DMZ to the intranet, and only allow database access, usually via non-default ports, and in many cases also do not allow external access to a primary production database, and require the usage of a separate database.

In figure 4 below, ArcGIS Enterprise is deployed to the DMZ, and an internal replicated enterprise geodatabase is used as registered data source for the mapping server. Either Esri geodatabase replication or RDBMS replication can be used.

 

Figure 4 - Database Replication

 

Figure 4 - Database Replication.PNG

 

Figure 5 below presents an elaborated architecture which includes internal-facing ArcGIS Enterprise system in the internal network and an external-facing ArcGIS Enterprise system in the DMZ.

 

Figure 5 - Database Replication Elaborated

 

Figure 5 - Database Replication Elaborated.PNG

 

Service Publication and Collaboration

 

Finally, for those who do not allow any inbound access from the DMZ to the intranet, figure 6 below depicts an external-facing ArcGIS Enterprise in the DMZ, and an internal-facing ArcGIS Enterprise in the intranet, with:

  1. Services published to the DMZ ArcGIS Enterprise system as hosted layers, and automated tasks running on a schedule (e.g. nightly or weekly) to overwrite the hosted data with updated data from the internal ArcGIS Enterprise system
  2. Feature layers are shared by copy from the internal ArcGIS Enterprise system to the DMZ ArcGIS Enterprise system via distributed collaboration with two-way shared editing (introduced at version 10.9)

 

Figure 6 - Service Publication and Collaboration

 

Figure 6 - Service Publication and Collaboration.PNG

 

Restrict External Applications Access to ArcGIS Enterprise

 

In some cases, organizations use ArcGIS Enterprise to support external integrating applications and want to restrict external applications access by filtering external requests, allowing requests only from either specific list or range of IPs, or from specific domains.

 

ArcGIS Online Proxy

 

Similar to the DMZ ArcGIS Enterprise Portal and Registered Services pattern (figure 2 above), ArcGIS Online also acts as a proxy when you register secured services from either standalone ArcGIS Enterprise server or from federated ArcGIS Enterprise system. In Figure 7 below, services from an internal ArcGIS Enterprise system are registered in ArcGIS Online with stored credentials, ArcGIS Online can access the services via the DMZ reverse proxy, and the reverse proxy is configured to allow requests only from ArcGIS Online domain, blocking requests from any other sources. The integrating system web or mobile app can be registered with ArcGIS Online using OAuth 2.0 and ArcGIS Identity, so only authenticated and authorized users can access the registered services. Since ArcGIS Online will access the services using the stored credentials, editor tracking will not work. Similar to portal, you can define rate limit and specific referrers that can access the services.

 

Figure 7 - ArcGIS Online and Registered Services

 

Figure 7 - ArcGIS Online and Registered Services.PNG

 

Server Proxy

 

Another approach would be to use a standalone ArcGIS Enterprise server site and a server proxy to access secured services from an integrating web app.

In figure 8 below, integrating system web app clients are configured to send GIS requests to a proxy, hosted on the integrating system application server. The integrating application server is responsible to secure access to the proxy, i.e. allow only app-authenticated users to access the proxy, and to protect (encrypt) the ArcGIS Enterprise server credentials. The proxy handles the ArcGIS Enterprise server token security on behalf of the client, using a server built-in application account or an Active Directory / LDAP service account, and sends the request to the internal standalone ArcGIS Enterprise server site via the DMZ reverse proxy. The reverse proxy is configured to allow requests only from the integrating app server(s) IPs (list or range), blocking requests from any other sources.

 

Figure 8 - Integrating Web App Server Proxy

 

Figure 8 - Integrating Web App Server Proxy.PNG

 

34 Comments
George_Thompson
Esri Notable Contributor

Great resource, thanks!

JoshuaBixby
MVP Esteemed Contributor

Given that Esri's own GitHub repository for Resource Proxy states, "We don't recommend using this resource proxy. It is not being maintained and there's been no active development for many years," I don't think it should be included in this blog post.

NoahMayer
Esri Contributor

@JoshuaBixby Thanks for the feedback. I have updated the pattern to describe the usage of a server proxy with web clients.

LukeSavage
Frequent Contributor

Great diagrams and article describing the various deployment patterns within various security network methods.  In addition, there are always holes and without an IT SOP Mitigation plan to combat breaches, architecture is only one facet of the scenario.  Love this article and you have eloquently made it simple to understand.  Thank you 🙂 

GavinCollins1
Esri Contributor

Thanks @NoahMayer great article 😀

Sizige
by
Emerging Contributor

Thank you for this.  I have been trying to advocate for our portal to be open to share resources to the public.  I will provide this to our IT infrastructure folkes.  Great article and diagrams.  

MartinWennerwald1
Occasional Explorer

Hi Noah

Thanks for a great detailed article.

We are currently working on setting up the ArcGIS Online Proxy setup (Fig. 7), but can't seem to find information on which domains to limit access to. In your article you write : "ArcGIS Online can access the services via the DMZ reverse proxy, and the reverse proxy is configured to allow requests only from ArcGIS Online domain, blocking requests from any other sources."

Where do I find the documentation for what the "arcgis online domain" consists of, specifically with regards to registered services?

Thanks in advance.

/Martin

NoahMayer
Esri Contributor

Hi @MartinWennerwald1!

Esri is maintaining an ArcGIS Online domain requirements document in ArcGIS Trust Center.  There are tow versions of the document:

Public document (less detailed): https://trust.arcgis.com/en/documents/AGOL_Domain_Requirements.pdf 

Customer Accessible Document (more detailed, requires login): https://trust.arcgis.com/en/customer-documents/ArcGIS%20Online%20FQDN%20Requirements%20V1.8%20June%2... 

This document is intended mainly for a forward proxy, to allow users to access ArcGIS Online resources, so you can see the list beyond what's required for setting up the ArcGIS Online Proxy (Fig. 7). 

What I would recommend is to view the service URL in the portal item which is created for the registered services, this URL is the proxy URL, and allow only the FQDNs which are used for the proxy:

NoahMayer_0-1646405799303.png

 

MehdiPira1
Esri Contributor

Very helpful, Thanks @NoahMayer .

BrianVillanueva
New Explorer

Hi @NoahMayer , where can I find the stencils used in the diagrams?

NoahMayer
Esri Contributor

@JeffDeWeese can you help?

JeffDeWeese
Esri Contributor

The only publicly available icons I am aware of are here, but they lack the server type icons, etc.: https://community.esri.com/t5/implementing-arcgis-blog/esri-presentation-icons/ba-p/886935 

vijaybadugu
Frequent Contributor

I have Question regarding configuration of DMZ with Single machine Deployment, we have been struggling to configure reverse proxy for ArcGIS Enterprise. We recently Upgraded the Enterprise to 11.1. All components are on Same Windows Server (2 WA's, Server, Data store and Portal) Federated IWA. We have Configured the load balancer on DMZ Server and open the 443 to route the traffic from DMZ Server. Here is the Our Requirement, Suppose User or member accessed the URL from External, It should route from the DMZ (Split DNS). If user Accessed from Internal network, it should hit Direct server instead of Routing From DMZ. Is this Possible ? If yes, How I need to configure those ? Please help us . 

NoahMayer
Esri Contributor

Hi @vijaybadugu,

What you are describing is a Split (or Split-Brain) DNS configuration:  in this configuration, as you described, internal users are directed to the internal server IP (which is a private IP) and external users are directed to the DMZ reverse proxy IP (which is a public IP). The actual configuration depends on how your organization configures DNS.
In many cases, organizations will have:
1. Internal DNS servers, where they would configure A-Records and CNAME records for their internal domain, for example:
A Record: machine1.company.int --> <Machine Internal IP>
CNAME Record: maps.company.com -->  machine1.company.int
2. Public DNS service, such as Google or Cloudflare, where they would configure an A Record for the external users, for example:
A Record: maps.company.com --> <DMZ Reverse Proxy Public IP>

In this configuration, all internal users, since they are on the internal network, which is configured to use the internal DNS servers for name resolution, will be directed to the internal server, and all the external users, since they are coming from the Internet, will be directed to the DMZ reverse proxy.  

DavidHoy
Esri Contributor

hi Vijay,

your plan is sound - a split-zone dns arrangement would certainly allow the ArcGIS Enterprise to work for external and internal users.

There are many forms of DNS, so, it is difficult to provide instructions here unless you can be more specific. A bit of web searching for the doc for your particular DNS provider should get you there.

If you cant work it out - it is not a critically bad thing to allow your internal users to have everyone have the FQDN resolve to the Reverse Proxy.

vijaybadugu
Frequent Contributor

We have configured AZURE AD for  authenticate SAML for internal and external. is that best practice to go farward

NoahMayer
Esri Contributor

@vijaybadugu Yes definitely. SAML and OpenID Connect logins are recommended. 

vijaybadugu
Frequent Contributor

Have a another question regarding content transfer, The current user format with IWA is <usrname>@domain. when I moved from the AD to Azure AD, The format of username would be changed to <usrname>@domain.net (email format). How do I transfer the content to new user ? is there a way to update enterprise user without transferring the content ? and we have a bunch of users. when comes to the identity store, can I keep same what it is now  "windows" in portal admin

User store configuration:{ "type": "WINDOWS"

 

Group store configuration:{ "type": "WINDOWS", 

 

? do i need to change anything? Actually I disabled the windows authentication and enabled Anonymous enabled.

DavidHoy
Esri Contributor

If you just switch to using SAML login, you are correct that new users may appear in your Portal for the <usrname>@domain.net username provided by Azure AD as they start to login (if you have automatic user creation enabled)

There is no back-door way to update existing users to have a new username.

You will need to transfer any content owned by the existing usernames <usrname>@domain to be owned by the new names.

We have handled this by scripting
- create the new users and assign the new users the appropriate type and role
- assign the new usernames to the Groups to match the old username
- transfer ownership of any Portal items to the new user
- disable the existing Username (remove in future)

Once this is complete, the first time a user logs in via SAML, they will find their new username is in place

You cannot have IWA and SAML working at the same time, so User Store Configuration and Group Store configuration cannot be "WINDOWS"

vijaybadugu
Frequent Contributor

Can I make both as empty (user store and group store ) ? 

DeanMoiler
Frequent Contributor

Hi @vijaybadugu,

You can apply your SAML username to existing users to allow SAML login if you don't want to migrate content / create / delete users. More info here:

Solved: Re: Change Authentication from IWA to other method... - Esri Community

As @DavidHoy  says, this won't change the user's username, but it will allow existing users to log in with SAML.

We investigated creating a new domain attribute to hold username@domain to keep this naming format, as we had thousands of users, and have new users created in this format, but the overhead for this attribute was passed over in favour of creating new users with new username format and migrating content and users by script.

vijaybadugu
Frequent Contributor

I removed user and group store configurations as I'm using SAML authentication. as I mentioned earlier, It is federated with server, 

Service URL

Administration URL
as per old configurations, I did not change anything and anywhere except WebContextURL in arcgis portal admin.all are pointing to internal domain reference.
 
For above Server Configurations Do I need provide DNS  alias or internal domain ? 
 
 
vijaybadugu_1-1686835810041.png

 

Every time, I click on Organization tab in ArcGIS Portal, it displays a dialog to sign in. can we bypass this ?  after clicking ok, it automatically signed in.

We have a Web application and in that, all map services are pointing to <internal domain>/rest/services/<Service Name>/MapServer. Do I need to change all map services URLs to DNS alias  instead of internal domain that we were using till now?
 
Thanks 

 

 
 

 

NoahMayer
Esri Contributor

@vijaybadugu,

Portal for ArcGIS does not support changing/setting the WebContextURL for an existing ArcGIS Enterprise system that has content, because all the original items have the old, internal domain URLs, and all those will have to be updated to the new DNS alias.

The Services URL in the federation will have to be updated with the new DNS alias because this is how all users will access the services. External users will not be able to resolve your internal domain URLs. 

I recommend you collaborate with Esri professional services to assist you with this process.  

GeoExplorer
Occasional Explorer

Hello Noah,

Thank you for providing the various deployment patterns that suit our organization's needs.

We are working on a design to facilitate an external-facing ArcGIS Enterprise to enable field crews to connect and share data via collaboration with external government agencies.

We were considering the architecture provided in Figure 5 of the document you mentioned. Our architecture team suggested placing the replicated geodatabase in the DMZ via port 1521 and running nightly replication instead of hosting it in the corporate network. We are using Oracle database, so allowing port 1521 or any other custom port to let replication work. Noting data is 24 hour delay to external ArcGIS instance.

Could you please advise on the issues associated with having a replicated Oracle database in the DMZ and enabling ArcGIS replication? Is allowing two-way replication a threat? One suggestion is to enable only one-way replication from the internal geodatabase to the external database in the DMZ and to write ETL scripts (FME) to fetch the data from the external database.

ArcGIS Enterprise 10.9.1

Oracle DB - 19c

 

NoahMayer
Esri Contributor

Dear @GeoExplorer ,

What are the concerns you have regarding using a two-way replication? In general I would prefer to use geodatabase replication over ETL where available, since geodatabase replication has a robust set of capabilities, such as viewing and resolving conflicts, which might be very challenging with ETL. Depending on the concerns you have, you might opt-in to use disconnected replication instead of connected replication. 

GeoExplorer
Occasional Explorer

Dear @NoahMayer,

Thank you for your response.

Cyber Security team in our Organisation has put two-way replication on hold, mentioning no communication from database in DMZ to corporate database network. But approved using one-way replication from corporate database to database in DMZ, which is disconnected replication that is batched to sync overnight.

Do you reckon it is really a problem/threat in enabling two-way replication as compared to One-way replication via custom port (1521)? Suggestion from the cyber security team is to write ETL scripts to bring down the necessary data collected by field users from the DMZ database to the corporate database.

DavidHoy
Esri Contributor

Hi @GeoExplorer 
it would be possible to have 2-way geodatabase replication using a geodata service running on the internal ArcGIS Server. This would only require 443 access through the internal firewall. The synchronisation would be triggered by a python script running on the Server in the DMZ. The python script would require a geodatabase connection (via Oracle client) to the DMZ Geodatabase but a geodata service connection to the "master"geodatabase within the secure network.

NoahMayer
Esri Contributor

@GeoExplorer 
I'm not in a position to say if a two-way replication is more of a problem/threat compared to a one-way replication from corporate database to the database in DMZ and ETL from the database in the DMZ to the corporate database. This is up to your security team to decide. If they have specific questions regarding how the Esri software works, or if they are willing to share their concerns, Esri PS can try to answer their questions and help them with their decisions. 

SimonSchütte_ct
Frequent Contributor

ArcGIS Online as Proxy: How to allow access only to requests from ArcGIS Online domain?

@NoahMayer Is there a list of the specific domains that need to be configured? In ArcGIS Trust, there is a document for the WAF and allowed ArcGIS Online domains, but there is nothing mentioned regarding which domains are relevant for this use case.

Some more details on the actual setup and configuration would be appreciated.

NoahMayer
Esri Contributor

@SimonSchütte_ct It definitely makes sense that in this use case only a subset of ArcGIS Online domains will be used. If you want to narrow down the list of allowed domains, it will require some testing to find out which domains are used in this use case. 

SimonSchütte_ct
Frequent Contributor

@NoahMayer These are my findings on ArcGIS Online <-> ArcGIS Enterprise Communication:

ArcGIS Online {subscription}.maps.arcgis.com will try to access
machinename.example.com/server/...
and
machinename.example.com/portal/...

Communication is initiated by {subscription}.maps.arcgis.com 
and another remoteaddress {someipaddress}:443 (is it a fixed or dynamic IP? generic for ArcGIS Online or specific to subscription?)
requesting access to the internal machinename.example.com server/portal endpoints.

Communication is done using HTTPS: GET, HEAD, POST, OPTIONS

NoahMayer
Esri Contributor

Related to the remote address {someipaddress}:443 requesting access to the internal endpoints: ArcGIS Online uses dynamic IPs, but you should not see requests coming from ArcGIS Online using IP address. Can you test allowing access only from {subscription}.maps.arcgis.com and see if it allows access via the ArcGIS Online proxy?

DavidHoy
Esri Contributor

If you were allowing CORS requests to your Portal from AGOL,
you would add the following to your AllowedOrigins

  1. https://www.arcgis.com
  2. https://<your-organization>.maps.arcgis.com

perhaps both these should be allowed and included in the list of URLs allowed to access your proxied service?

SimonSchütte_ct
Frequent Contributor

Thank you, I´ll have to give it a try.

About the Author
I am a senior Enterprise Solutions Architect within Esri's Implementation Services Department. I have over 15 years of experience in technical consulting, solution design and system architecture.