10.1 Server with ISA / TMG

10-21-2012 04:46 PM
MeleKoneya
Occasional Contributor III
I am not an IT security staff member but rather a GIS Analyst and I am trying to understand how to tell our IT Security team what is needed to make the ArcGIS 10.1 Server installation that will be housed on our internal network accessible to our DMZ and the Internet.

We have an existing reverse proxy that is using Microsoft Forefront Threat Management gateway. We have successfully configured ArcGIS Server 10 to use our reverse proxy following the instructions provided in this document for a Microsoft ISA Server.

http://support.esri.com/en/knowledgebase/techarticles/detail/32634

However, as the architecture has changed in ArcGIS Server, the instructions do not apply to 10.1.

As I understand it, we are trying to "integrate with an existing reverse proxy" as shown below, but the instructions are only for Apache.

http://resources.arcgis.com/en/help/main/10.1/index.html#//01550000042s000000

Do I simply need to provide the internal machine's name and port number to our Security Team?

Is there any reason to use the Web Adaptor in this scenario?

Thanks for any assistance,

Mele
5 Replies
nicogis
MVP Frequent Contributor
If you want the port between the reverse proxy and your secure internal network to remain unknown, you can install the Web Adaptor on another web server within your secure internal network. This Web Adaptor can be configured to accept traffic through a port of your choice.
This configuration is suitable for your existing reverse proxy:


The port used from ags server:
http://resources.arcgis.com/en/help/main/10.1/0154/015400000537000000.htm
MeleKoneya
Occasional Contributor III
Thanks for your response. I am considering using the web adaptor as you suggested.

Do I simply need to provide the internal machine name as Server.Domain:Port to our ISA Server Administrator using the port number used by the web adaptor?

Mele
MarvinTerry
New Contributor
The instructions are not sufficient to configure the web adapter for use with an ISA or TMG box. In the prior version (10.0), Flexviewer could be loaded on the arcgis server and TMG/ISA needed a publishing rule for the URL of the arcgis site. Subdirectories for other arcgis services were also required.
With 10.1, if you install the web connector and create the same type of publishing rule in TMG/ISA pointing to the web adapter site, you get nothing but errors. If from inside you point to the same URL, the flexviewer works fine. It appears that there are additional rules that need to be added to TMG\ISA for the external user to reach services on the arcgis server 10.1 box. We have found no documentation and support does not seem to understand the issue.
MeleKoneya
Occasional Contributor III
I contacted ESRI Support since posting this to the forum. They did not provide assistance for ISA/TMG configuration for ArcGIS Server 10.1 as they said it was out of scope for Support Services as it deals with non-ESRI products. They suggested I contact Microsoft or ESRI Professional services for help. I don't know that Microsoft will know how to configure ArcGIS Server, and I would like to avoid paying Technical Services for information ESRI provided for ArcGIS 10.

I am not in the position to experiment with TMG settings as it is out of my department's control, so I hope to get some more detailed instructions to give to our IT security team.

Mele
JoeTosoni
New Contributor
Hello,

I am just curious if anyone has any helpful developments or progress to pass along in relation to installing the ArcGIS Web Adaptor for either ArcGIS 10.1 or 10.2 with an existing reverse proxy that uses Microsoft ForeFront TMG? Our ArcGIS enterprise server environment is currently on version 10.0 and leverages a reverse proxy server within the DMZ. We are planning to upgrade to 10.2 within the next few months; however, I am unsure if it would be advantageous to install the Web Adaptor on either a separate server behind the firewall or on the same server within our DMZ? Or, maybe it is not really needed given that our reverse proxy software achieves the same goal. One benefit may be that the web adaptor would allow us to control and secure our internal URL composition, which we will consider. It seems there are many other benefits as well but I still need to do more research on the TMG reverse proxy to determine if it suffices and performs in a similar manner. This is all relatively new to me given that I was a GIS Analyst for many years and have recently been getting acquainted with ArcGIS for Server administrative aspects and tasks.

I have also read in a few posts that folks have had some trouble in the past with installing the 10.1 adaptor with a reverse proxy but things may have gotten better. Either way, any helpful information, tips, or articles would be much appreciated on this topic. Thanks! Joe