Azure application gateway and TLS termination

192
2
02-02-2023 03:23 PM
danbecker
Regular Contributor

On-prem deployment has https://gis.domain.com being passed through our firewall to our webadaptor vm, port 443 only. *.domain.com CA signed cert is installed on webadaptor VM, IIS. 2 webadaptors are installed on this same machine, /portal(443) and /server(443)

We just finished a base configuration deployment in Azure: portal, server, datastore and webadaptor VMs. We deployed Azure application gateway in front of the webadaptor VM. Our *.domain.com cert has to be installed on both the azure app. gateway and the backend webadaptor VM.

The application gateway supports TLS termination, which offloads it from the webadaptor VM. This got me thinking, is it beneficial, (CPU wise) to configure ArcGIS Enterprise communication solely over :80 ?

 

Is this possible?

Azure application gateway terminates *.domain.com TLS session, then passes requests:

:443/portal --> http://webadaptorvm.internal.com/portal

:443/server -->http://webadaptorvm.internal.com/portal

I would install new webadaptors with the same names, listening on port80. Would this also require me to configure the portal and server VMs to listen on http also?

Portal doc: https://enterprise.arcgis.com/en/portal/latest/administer/windows/configure-https.htm

Server doc: https://enterprise.arcgis.com/en/server/latest/administer/windows/secure-arcgis-server-communication...

 

Tags (2)
0 Kudos
2 Replies
Scott_Tansley
Regular Contributor

I wouldn't.  If you choose to remove the AAG in the future or use a different product, then all your content will be HTTP. 

Effecitvely, the internal configurations of each item will be HTTP.  When the client receives the webmap, the links to services etc will state HTTP, and that could cause a clash.  Also given that nearly online content is HTTPS the Portal will not be happy mixing protocols.

The other thing is that internal users could be routed to the IIS/Web Adaptor without going to the AAG.  If that's the case, then they still need to be HTTPS for everything to work.

In this day and age, I'd stick with the default flag of HTTPS Only in the Portal Security settings, and everything will work just nicely.

 

Scott Tansley
Consulting Architect (ArcGIS Enterprise)
https://www.linkedin.com/in/scotttansley/
GJHollard
Esri Contributor

Is this possible?

Nope, don't cross the schemes.  Stay HTTPS the whole way through.  If you want to save on the Web Adaptor CPU load, consider configuring the AAG to talk directly to the 7443 and 6443 ports (still HTTPS).  You'll have to configure a few more rules in the AAG, but you can remove the WA component completely.