make only secure services available

10-10-2013 07:37 AM
AllenJones
New Contributor III
I need to serve unsecured services inside my firewall and secure services ONLY outside my firewall from the same ArcGIS Server install. I have installed 2 web adaptors, one in a DMZ (outside the firewall) and one inside the firewall. This exposes both secured and unsecured services for inside users as expected if they have valid credentials; if not valid, they only see unsecured. This is as expected and acceptable for inside-firewall users. But on the outside-firewall Web Adaptor (forward-facing proxy), users have to log in to see secure services as expected, but the unsecured services are exposed outside as well without logging in. This is a problem. We have applications running inside my organization that consume ArcGIS services and do not employ security, and don't need to because it's inside my firewall. I have spoken to support and they tell me I have to run parallel ArcGIS Servers, one hosting secured and one hosting unsecured services, which will require another license.

The problem revolves around the unsecured services being accessed using anonymous access on the unsecured services folder. If I disable anonymous access on that folder it is no longer unsecured.

The bottom line is some things need to be unsecured inside my firewall but cannot be unsecured outside, and I do not want to purchase another ArcGIS Server just to isolate these services. Any suggestions?
0 Kudos
3 Replies
LeoDonahue
Occasional Contributor III

But on the outside firewall Web Adapter (forward facing proxy), users have to log in to see secure as expected but the unsecured services are exposed outside as well without logging in. This is a problem

The bottom line is some things need to be unsecured inside my firewall but cannot be unsecured outside and i do not want to purchase another ArcGIS server just to isolate these services.  Any suggestions?


I admit that I somewhat don't follow you. Why are unsecured services exposed outside your firewall to users without logging in a problem? Isn't that the intent?

If your web adaptor is deployed to a Tomcat web server, you could place a security constraint on the URL patterns to your secured services.  That would force users to log in before Tomcat would service the request to those URL patterns, while the other unsecured services would be accessible by everyone.  I'm sure IIS has the same concept, I just don't know where to steer you.
0 Kudos
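As an added illustration of the Tomcat approach mentioned in the reply above (this is not configuration from the thread or from Esri), here is a WEB-INF/web.xml fragment for the Web Adaptor deployed on the DMZ-facing Tomcat only. It goes one step further than the reply and applies a constraint to the anonymous folder as well: an empty auth-constraint makes Tomcat reject every request to those URL patterns, so the internal-only services are unreachable from outside while the same services stay anonymous through the inside web adaptor, which is left untouched. The folder names /Internal and /Secure, the role name gis-users and the realm name are assumptions; replace them with your own.

```xml
<!-- Added example, not from the original post. Fragment of WEB-INF/web.xml for the
     Web Adaptor webapp on the DMZ Tomcat instance (context path assumed to be /arcgis).
     Assumed folder names: /Internal (anonymous, inside only) and /Secure (login required). -->

<!-- 1. Internal-only folder: deny all requests from the DMZ adaptor.
        An empty <auth-constraint/> means "no role is permitted", so Tomcat answers 403
        for every caller, whether or not they hold valid credentials. Both the REST and
        SOAP URL patterns are listed so neither path leaks the services. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Internal-only services</web-resource-name>
    <url-pattern>/rest/services/Internal/*</url-pattern>
    <url-pattern>/services/Internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- 2. Secured folder: reachable from outside, but only by authenticated users in the
        assumed gis-users role, and only over HTTPS (CONFIDENTIAL redirects plain HTTP). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured services</web-resource-name>
    <url-pattern>/rest/services/Secure/*</url-pattern>
    <url-pattern>/services/Secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>gis-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 3. How Tomcat challenges for credentials. The realm that backs this (tomcat-users.xml
        for a test box, LDAP or JDBC in production) is configured in server.xml, not here. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ArcGIS DMZ (assumed realm name)</realm-name>
</login-config>

<security-role>
  <role-name>gis-users</role-name>
</security-role>
```

Two things to check before relying on this. First, the constraint is enforced by Tomcat in front of the web adaptor, so it only helps if ArcGIS Server's own ports (6080 and 6443 by default) are blocked at the firewall for everything except the web adaptor hosts; otherwise the internal folder is still reachable by going around the adaptor. Second, the users and roles here live in Tomcat's realm, which is separate from the users and roles ArcGIS Server Manager knows about, so a deployment using GIS-tier authentication ends up with two credential stores to keep in sync.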
StephanieSnider
Occasional Contributor III
Your plan is to secure services outside your organization and unsecure services inside your org.  But what if you did it the opposite way.  Securing services internally so that the public could not access them and unsecuring services externally.

I have a similar situation. As directed by our IT dept, we went the route of purchasing two ArcGIS Server licenses - one for internal services (unsecure) and one for external services (secure). However, if I was restricted to only one license of ArcGIS Server, this is how I would set it up:

You could set up ArcGIS Server to use secure services (https) with SSL encryption (trusted certificate). Use the GIS Tier authentication on the GIS Server and set the Web Adaptor to use anonymous authentication in IIS. Then put all your unsecure services (the ones you want the public to see without logging in) in the root directory and set permissions to Public. Then create a folder for your secure services (the ones you want only your internal users to see) and set permissions on that folder to a role which contains the users who should be able to access those services. If you have web maps that need to use secure map services, you can put those in a folder that also has the permissions set to a role, then create tokens for the web maps to use those secure services.

The public would not be able to see the folders that have permissions set but would be able to see all map services in the root directory.  The internal users could see all the public services (in the root directory) plus whatever folders they have been given access to use.
0 Kudos