Knowledge Base - Technical Articles


Technical Article: HowTo: Configure a reverse proxy system architecture with ArcGIS Server

Article ID: 32634
Software:  ArcGIS Server 9.2, 9.3, 9.3.1, 10
Platforms:  Windows XP, Server 2003, Vista, Server 2008, Windows 7; AIX 5.1, 5.2; Solaris 8, 9, 10; Linux-SUSE Server 9; RHEL 4

Summary

Esri recommends using a reverse proxy Web server configuration to isolate ArcGIS Server behind an organization's firewall and make the server's applications and services available to the Internet.

Two Web servers are used in this system architecture: a reverse proxy Web server and the ArcGIS Server Web server. The reverse proxy Web server hides information about the ArcGIS Server Web server running on the internal LAN, such as its real virtual directory names, host name, and IP address, from external Internet clients such as Web browsers, Web services clients, and ArcGIS Desktop or custom ArcEngine applications using Internet connections. The reverse proxy Web server is typically located in a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). Inside the DMZ, the reverse proxy Web server receives incoming HTTP requests from the Internet, usually through an external firewall that restricts traffic to a known port, typically port 80, and redirects them to the ArcGIS Server Web server in the internal LAN through a port in the internal firewall that is unknown to the outside world.

A primary advantage of this architecture is that external clients are not aware that their requests are actually handled by an internal server. In this way, the entire ArcGIS Server system operates within a secure internal network. For more information and an illustration of this architecture, see the following topic in the ArcGIS Server help system:

Firewalls and ArcGIS Server

Procedure

The information below describes the details of configuring ArcGIS Server and various security and Web servers to work together in a reverse proxy configuration. Follow the section corresponding to the reverse proxy server of choice.


 Reverse proxy deployments represent an enterprise level, third-party solution. As a premium service, Esri provides reverse proxy deployment services through Esri Professional Services.



  • Apache Web Server
    Summary
    Instructions provided describe the procedure for configuring a reverse proxy for ArcGIS Server using an Apache Web Server. For a complete description of and reasons to use the reverse proxy architecture, see How to: Configure a reverse proxy system architecture with ArcGIS Server.
    Procedure
    Reverse proxies and load balancers are servers that act as 'front-end' web servers through which all clients connect to 'back-end' servers. A reverse proxy system refers to a single back-end server, unlike a load balancing system which refers to many back-end servers.



    [O-Image] Reverse Proxy Implementation

    1. Download and Install Apache HTTP Server
      A. Navigate to the Apache HTTP Server Project Download page.
      B. Select the appropriate link based on platform and version (32-bit or 64-bit) and save the file.
      C. Run the installation process.
    2. Edit httpd.conf
      On the Apache Server installation, replace the highlighted values in the file below with the ArcGIS Server machine name.



      [O-Image] Edit httpd.conf for RP
    3. Restart Apache
      For Windows: Start > Run > Services.msc > Apache Server > Restart

      For Linux: Run the following command

      apache@reverseproxy$ /apache/bin/httpd -k restart

    4. Test the connection to ArcServer(s)
      Test the following connections to ensure the endpoints respond accordingly:
      • http://reverseproxy/arcgis/services?wsdl
      • http://reverseproxy/arcgis/rest/services
      • http://reverseproxy/arcgis/tokens
      • http://reverseproxy/arcgis/manager
      • http://reverseproxy/arcgisoutput
      • http://reverseproxy/arcgisjobs
      • http://reverseproxy/arcgiscache
      • http://reverseproxy/arcgisinput
    5. Stop ArcGIS Server
      For Windows: Start > Run > services.msc > ArcGIS Server Object Manager > Stop

      For Linux: Run the following command

      arcgis@som1$ /arcgis/server10.0/scripts/stopserver

    6. Edit Server.dat file
      On all ArcGIS Servers in the system, replace the highlighted fields in the code below with the hostname of the reverse proxy.



      [O-Image] Edit Server.dat file
    7. Edit Service.cfg files
      Replace all the URLs within all *.cfg files found under '\ArcGIS\Server10.0\server\user\cfg\*.cfg'.

      See the screenshot below for an example.



      [O-Image] Edit Service.cfg files example
    8. Edit rest.config
      On all ArcGIS Servers in the system, edit all the URLs within the following file by replacing the local SOM with the reverse proxy's hostname.

      See the screenshot below for an example.


      [O-Image] Edit rest.config file example
    9. Start ArcGIS Server
      For Windows: Start > Run > services.msc > ArcGIS Server Object Manager > Start

      For Linux: Run the following command

      arcgis@som1$ /arcgis/server10.0/scripts/startserver
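
A check to run after step 9, added here as an example (not Esri's code): it scans responses obtained through the reverse proxy for the internal server's host name or a private IP address, which is how a URL missed in Server.dat, a *.cfg file or rest.config shows up from outside. The host names `som1` and `reverseproxy` come from the prompts and URLs above; the sample responses and the address 10.1.2.22 are constructed.

```python
"""Scan responses fetched through the reverse proxy for internal references."""
import ipaddress
import re

# Dotted-quad candidates; range validation is done by ipaddress below.
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def is_private_ip(text):
    """True for addresses in a private or otherwise non-public range."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def find_internal_references(headers, body, internal_hosts):
    """Return sorted (where, value) pairs naming an internal host or private IP."""
    # Whole-label match: finds som1 in URLs, UNC paths and FQDNs such as
    # som1.example.com, but not inside a longer label such as som10.
    names = [
        (h.lower(),
         re.compile(r"(?<![A-Za-z0-9-])" + re.escape(h) + r"(?![A-Za-z0-9-])",
                    re.IGNORECASE))
        for h in internal_hosts
    ]
    findings = set()

    def scan(where, text):
        for name, pattern in names:
            if pattern.search(text):
                findings.add((where, name))
        for ip in IPV4.findall(text):
            if is_private_ip(ip):
                findings.add((where, ip))

    for header, value in headers.items():
        scan("header:" + header.lower(), value)
    scan("body", body)
    return sorted(findings)


# Constructed responses, keyed by the path requested on http://reverseproxy.
SAMPLES = {
    # Services Directory page rendered with the proxy's host name: clean.
    "/arcgis/rest/services": (
        {"Content-Type": "text/html"},
        '<a href="http://reverseproxy/arcgis/rest/services/Parcels/MapServer">Parcels</a>',
    ),
    # Map export whose output URL still uses the internal virtual directory.
    "/arcgis/rest/services/Parcels/MapServer/export": (
        {"Content-Type": "application/json"},
        '{"href": "http://som1/arcgisoutput/_ags_map42.png", "width": 400}',
    ),
    # Redirect that exposes the internal server's address.
    "/arcgis/manager": (
        {"Location": "http://10.1.2.22/arcgis/manager/"},
        "",
    ),
}


def audit(samples, internal_hosts):
    """Map each request path to its findings, omitting clean responses."""
    report = {}
    for path, (headers, body) in samples.items():
        found = find_internal_references(headers, body, internal_hosts)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for path, found in audit(SAMPLES, ["som1"]).items():
        print(path, found)
```

When feeding it live responses, capture redirects without following them; otherwise the Location header is never seen.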
      





  • Microsoft ISA Server
    Summary
    Instructions provided describe the procedure for configuring a reverse proxy for ArcGIS Server using the Microsoft Internet Security and Acceleration (ISA) Server. For a complete description of and reasons to use the reverse proxy architecture, see How to: Configure a reverse proxy system architecture with ArcGIS Server.


      The following instructions are specific to the Windows Server 2003 operating system, but most of the configuration steps for the ArcGIS Server Java Edition Web services and ADF applications are similar on Windows Server 2008 and UNIX/Linux systems.


      Differences in configuring the .NET and Java versions of ArcGIS Server are clearly noted.


      For the following instructions, the Web Server host name for the internal ArcGIS Web services and ADF applications is 'myInternalServer', the reverse proxy ISA server host name is 'myExternalServer', and the ArcGIS Server instance name is 'arcgis'. Substitute the server names and instance name as appropriate. Use the fully qualified domain name (FQDN) when entering values for the external server (e.g., myExternalServer.esri.com) so that Internet users are able to contact the server and so that host names match for Secure Sockets Layer (SSL) certificates.


     Reverse proxy deployments represent an enterprise level, third-party (non-Esri) solution. As a premium service, Esri provides reverse proxy implementation and configuration services for use with Esri products through Esri Professional Services.



    Before starting

    Ensure that the ISA server is properly installed on the external server.
    Procedure
    Instructions provided below illustrate the process of configuring ArcGIS Server and Microsoft ISA Server to operate in a reverse proxy configuration for ArcGIS Server Web services and ADF applications.

    Steps 1 through 5 below are required for all ArcGIS Server systems using a reverse proxy Web system architecture. These steps need only be performed once per system. Step 6 is only required if using the token service for REST services. Step 7 shows how to access ArcGIS services working with reverse proxy Web servers. Step 8 reveals the requirements for authoring new ArcGIS Server Web ADF applications that can be accessed through the reverse proxy Web server. Step 9 illustrates how to convert pre-existing ArcGIS Server Web ADF applications to work with a newly deployed reverse proxy Web server.

    1. Create and Web share three new directories on the internal server (myInternalServer). Applications using Internet services access these directories for image output, image caching, and geoprocessing output. Any names and locations may be used for these directories, but it is recommended to create the directories in the default ArcGIS Server directories location. In this example, the default ArcGIS Server directory is C:\arcgisserver and the three directories are named:

      C:\arcgisserver\proxyoutput
      C:\arcgisserver\proxycache
      C:\arcgisserver\proxyjobs


      If the directories are created in a location other than the default server directory location (C:\arcgisserver by default), the ArcGIS Server Object Container account must have read/write permissions to the server directories' directory.

      After creating the three directories and adjusting their access permissions, they must also be Web shared.

      Instructions for .NET:

      Instructions for Java:


    2. Add the directories created in the previous step to the ArcGIS Server configuration using either ArcCatalog or ArcGIS Manager. These directories are in addition to the existing server directories.

      Create one output directory, one cache directory, and one jobs directory using the physical directories created above.

      The URLs for server virtual directories associated with the physical directories created in step 1 must take this form:

      http://myExternalServer/proxyoutput
      http://myExternalServer/proxycache
      http://myExternalServer/proxyjobs


       The above URLs must refer to the external server, not the internal server.


      (OPTIONAL) Replace HTTP with HTTPS in the above examples if securing the virtual directories with SSL.

      (OPTIONAL) For secure services with cached tiles, the cache directory should be secured to prevent unauthorized access to tiles. A cache directory with no virtual directory can be used to control access. For details, see the ArcGIS Server Help topic Securing the cache directory.

      See the Web page below for instructions on adding server directories:
      Creating a server directory
    3. Re-configure existing services or create new services to be used by external users. Services accessible to external users must use the new server directories created in the previous step.

      For instructions on creating new services, see the following Web page:
      Adding a new service

      When creating a new service select the output, cache, and/or jobs directories created above (see step 5 from the instructions described at the above link).

      If modifying an existing service, set the output, cache, and/or jobs directories in the Parameters panel of the service properties.

        Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two services: one for internal and one for external users.


      (OPTIONAL) Require HTTPS for services. Instructions are available from the following links:
      .NET: Securing Internet Connections or Java: Organizing services in folders


    4. Configure REST services on the internal server.


       After making these changes, some parts of the REST services may not work properly when accessed using the internal server URL.


      Configure REST services for ArcGIS Server .NET Edition:

      Configure REST services for ArcGIS Server Java Edition:


    5. Add Web publishing rules on the external server.

      Create Web publishing rules for ArcGIS Server Web services and server directories.
      Create Web publishing rules for ArcGIS Server .NET Edition.

      Create web publishing rules for ArcGIS Server Java Edition.

    6. (OPTIONAL) Configure the token service URLs on the internal server. If the server has been configured with token-based security, the token service must be made available through the reverse proxy.

      Configure the reverse proxy for ArcGIS Server .NET Edition:

      Configure the reverse proxy for ArcGIS Server Java Edition:


    7. The ArcGIS Server Web services (SOAP and REST) may now be accessed by the following URLs:

      SOAP:

      http://myExternalServer/arcgis/services

      REST:

      http://myExternalServer/arcgis/rest/services


       If the site uses SSL, replace the HTTP with HTTPS in the examples above.


       Service URLs for REST services may be obtained by accessing the Services Directory from the external server.


       Only Internet connections to ArcGIS Server Web services are possible with these URLs. To administer the ArcGIS Server, connect to the internal server, either using Manager or ArcCatalog.


       For added security, ask a systems administrator to restrict HTTP traffic through the internal firewall to the IP address of the reverse proxy Web server machine. This prevents Internet clients from directly accessing the open internal HTTP port.


       For added security, ask a systems administrator to apply filters to the HTTP traffic emanating from the reverse proxy Web server to restrict known nefarious packet types.

    8. (OPTIONAL) Author and publish new ArcGIS Server Web ADF Applications using Manager or the IDE that works with the reverse proxy server.

      When authoring a new ArcGIS Server Web ADF Application, use the new external service URLs shown in the previous step when specifying Internet services to add to the application.

      After creating a new application, add its path to the Web publishing rules as defined in step 5.


    9. (OPTIONAL) Edit pre-existing ArcGIS Server Web ADF applications initially authored with services using internal URLs.

      Web applications created with services referenced by internal URLs do not work outside an organization’s firewall. To convert the applications to work with the reverse proxy Web server, they must be edited manually.

      a) Configure the ArcGIS Server Web application on the internal Web server.

      For .NET:

      For Java:


      b) Configure the reverse proxy Web server for the ArcGIS Server Web ADF Application edited in a) by adding its path to the Web publishing rules as defined in step 5.

      c) Test the Web site to ensure it works from the Internet.

      Repeat (a) through (c) for each Web application on the internal server that needs to be available to external users.

       Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two versions of the Web application: one for internal and one for external users.

  • IIS 7 Web Server
    Summary
    Instructions provided describe how to configure a reverse proxy for ArcGIS Server using Internet Information Services (IIS) 7 with two extensions: Application Request Routing (ARR) and URL Rewrite. ARR and URL Rewrite are supported on IIS 7 on Windows Server 2008. The extensions are not available for earlier versions of IIS or Windows. While the external reverse proxy server must be Windows Server 2008, the internal server may be any operating system supported for ArcGIS Server 9.3.

    For a complete description of and reasons to use the reverse proxy architecture, see How to: Configure a reverse proxy system architecture with ArcGIS Server.

     • The instructions for the internal ArcGIS Server are specific to Windows operating systems, but most of the principles also apply on UNIX/Linux systems.

    • Differences exist in configuring the .NET and Java versions of ArcGIS Server and are clearly noted.



     The Application Request Routing extension is currently (as of January 2009) in Release Candidate status. Organizations may wish to delay deployment until final release of the extension.


     Reverse proxy deployments represent an enterprise level, third-party (non-Esri) solution. As a premium service, Esri provides reverse proxy implementation and configuration services for use with Esri products through Esri Professional Services.

    Procedure
    Instructions provided below illustrate the process of configuring ArcGIS Server and IIS 7 to operate in a reverse proxy configuration for ArcGIS Server Web services and ADF applications.

    For these instructions, the Web Server host name for the internal ArcGIS Web services and ADF applications is called 'myInternalServer', the reverse proxy Web server host name is called 'myExternalServer', and the ArcGIS Server instance name is 'arcgis'. Substitute server names and the instance name as appropriate. Use the fully qualified domain name (FQDN) when entering values for the external server, for example, myExternalServer.esri.com, so that Internet users are able to contact the server and so that any SSL certificates resolve properly.

    Before starting, ensure that:

    A) The external server can connect to the internal server.

    The firewall between myExternalServer and myInternalServer must allow HTTP requests on a port for myInternalServer's Web server. By default, this is port 80.

    To test the connection, open a Web browser on myExternalServer and enter the URL for myInternalServer. Typically, myInternalServer uses a private IP address, for example, 10.1.2.22. For the above example, entering the URL http://10.1.2.22:80 in a Web browser on myExternalServer should render the default Web page for myInternalServer.

    If Web pages from myInternalServer are not available from a browser running on myExternalServer, ask the firewall administrator to open the appropriate HTTP port through the firewall to myInternalServer.

    Optionally, to enable or increase the speed of communication between external and internal servers, the hosts file on the machine 'myExternalServer' may need to be updated with the IP address and host name of the machine 'myInternalServer'. This may reduce the time to resolve the internal server host name.

    a) On the reverse proxy server machine, open the hosts file in Notepad or another text editor. On a Windows server, this file is located at <Windows Directory>\System32\drivers\etc\Hosts.

    b) At the bottom of the hosts file, add the entry below. This assumes the IP address of the internal server is 10.1.2.22. Change the IP address and machine name as appropriate.

    10.1.2.22 myInternalServer

    c) Save the hosts file. The changes take effect immediately with no restart needed.


    B) ArcGIS Server for either the Microsoft .NET or Java Framework is installed on the internal server (myInternalServer). These instructions assume that the ArcGIS ADF Web applications and Web services are on myInternalServer. The internal Web server can be any Web server supported for ArcGIS Server. No ESRI components are required on the external server (myExternalServer).

    C) Microsoft IIS 7 is installed on the external server. If necessary, install IIS on Windows Server 2008.

    D) The Application Request Routing (ARR) extension for IIS 7 is installed, including the required prerequisite extension URL Rewrite Module for IIS 7. The download links under Related Information at the bottom of this article provide an install package that includes both ARR and URL Rewrite. Select the x86 (32-bit) or x64 (64-bit) package as appropriate for your operating system. Alternatively, it is possible to install the ARR and URL Rewrite extensions separately (see the Using the Application Request Routing page for installation links).

    E) (OPTIONAL) On the internal server, install the ArcGIS Web instance with a non-default name (e.g., GISServices instead of ArcGIS).
     The same name for the ArcGIS directory must be used on both the internal and external Web servers.


    F) (OPTIONAL) For added security, on the internal server, install the ArcGIS instance on a non-default Web site and/or non-default port.
     Non-default ports for HTTP or HTTPS will require additional configuration for ARR. Instructions are included under step 5 below.



     If this is done in .NET on IIS, ensure that ASP.NET support is added to the non-default Web site before installing the ArcGIS instance (use the aspnet_regiis tool).


    G) (OPTIONAL) Configure security for services and applications on the internal GIS server. This restricts access to services or applications exposed to the Internet. See the ArcGIS Server Help for .NET or for Java for information on configuring users, roles, and permissions.

    H) (OPTIONAL) Configure support for SSL (HTTPS):
    (i) Obtain and install an SSL certificate from a recognized Certificate Authority (CA) on the external IIS 7 Web server. See the ArcGIS Server Help topic, Setting up SSL, for details on setting up SSL on IIS.

    (ii) Obtain and install an SSL certificate from a CA on the internal Web server. See documentation for your Web server for details.

     It is possible to use HTTPS only for client requests to the external server, and use plain HTTP for requests between the external and internal servers. However, this leaves all communication (e.g., usernames and passwords) between the two servers vulnerable to capture by someone with access to the DMZ or internal network.


    (iii) Require SSL (HTTPS) for some or all ArcGIS Server services and Web applications. For services, use the folder properties in ArcCatalog or Manager (check the 'Require Encrypted Web Access' option). For Web applications, use the Applications tab in Manager to edit the properties of the application. In the Applications tab, use the Advanced Options to set the URL to use HTTPS. Alternatively, if the application is not listed in Manager, the IIS Manager console can be used to require SSL for the application. To do this, start IIS Manager, navigate to and click the application to select it, double-click the SSL Settings icon, check the box to Require SSL, and click Apply.


    Steps 1 through 4 below are required for all ArcGIS Server systems using a reverse proxy Web system architecture. These steps only need to be performed once per system. Step 5 may be required to enable the reverse proxy Web server to communicate across the internal firewall. Step 6 is only required when using non-Apache reverse proxy Web servers with ArcGIS Server. Step 7 shows how to access ArcGIS services working with reverse proxy Web servers. Step 8 must be performed for each ArcGIS Server ADF application that works with the reverse proxy Web server. Step 9 reveals the requirements for authoring new ArcGIS Server Web ADF applications that can be accessed through the reverse proxy Web server. Step 10 illustrates how to convert pre-existing ArcGIS Server Web ADF applications to work with a newly deployed reverse proxy Web server.

    1. Create and Web share three new directories on the internal server (myInternalServer). Applications using Internet services access these directories for image output, image caching, and geoprocessing output. Any names and locations may be used for these directories, but it is recommended to create the directories within the default ArcGIS Server directories location. In this example, the default ArcGIS Server directory is C:\arcgisserver and the three directories are named:

      C:\arcgisserver\proxyoutput
      C:\arcgisserver\proxycache
      C:\arcgisserver\proxyjobs


      If the directories are created in a location other than the default server directory location (C:\arcgisserver by default), the ArcGIS Server Object Container account must have read/write permissions to the server directories' directory.

      After creating the three directories and adjusting their access permissions, they must also be Web shared.

      Instructions for .NET:

      Instructions for Java:


    2. Add the directories created in the previous step to the ArcGIS Server configuration using either ArcCatalog or ArcGIS Manager. These directories are in addition to the existing server directories.

      Create one output directory, one cache directory, and one jobs directory using the physical directories created above.

      The URLs for server virtual directories associated with the physical directories created in step 1 must take this form:

      http://myExternalServer/proxyoutput
      http://myExternalServer/proxycache
      http://myExternalServer/proxyjobs


       The above URLs must refer to the external server, not the internal server.


      (OPTIONAL) Replace HTTP with HTTPS in the above examples if securing the virtual directories with SSL.

      (OPTIONAL) For secure services with cached tiles, the cache directory should be secured to prevent unauthorized access to tiles. A cache directory with no virtual directory can be used to control access. For details, see the following ArcGIS Server Help topic: Securing the cache directory.

      See the Web page below for instructions on adding server directories:
      Creating a server directory
    3. Re-configure existing services or create new services to be used by external users. Services accessible to external users must use the new server directories created in the previous step.

      For instructions on creating new services, see the following Web page:
      Adding a new service

      When creating a new service, select the output, cache, and/or jobs directories created above (see step 5 from the instructions described at the above link).

      If modifying an existing service, set the output, cache, and/or jobs directories in the Parameters panel of the service properties.

        Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two services: one for internal and one for external users.

      (OPTIONAL) Require HTTPS for services. Instructions are available from the following links:
      .NET: Securing Internet Connections or Java: Organizing services in folders

    4. Configure REST services on the internal server.

       After making these changes, some parts of the REST services may not work properly when accessed using the internal server URL.

      Configure REST services for ArcGIS Server .NET Edition:

      Configure REST services for ArcGIS Server Java Edition:


    5. Configure the reverse proxy server on the external server. For reference, see the page "Define and Configure an Application Request Routing Server Group", available at Using the Application Request Routing Module.

      (i) Launch IIS Manager from Start > (All) Programs > Administrative Tools > Internet Information Services (IIS) Manager.

      (ii) Expand the root of the server (e.g., myExternalServer). The Server Farms feature item should be listed under the server root.
       ARR can also be used to create Web farms to load balance requests to multiple servers. This article only describes using ARR to forward requests to a single, internal server.


      (iii) Right-click on Server Farms and click Add Server Farm...

      (iv) In the Create Server Farm wizard, enter a name for the reverse proxy, e.g., AGSReverseProxy. This name is used in a pseudo URL for the forwarded site later on. Click Next.

      (v) In the Add Server panel, enter the name (or IP address) of the internal ArcGIS Server machine, e.g., myInternalServer. Click Finish. If prompted to create automatic URL rewrite rules, click No.

      (vi) In IIS Manager, expand the server and its Server Farms node if necessary, and click the server farm (reverse proxy) just created. Several icons should display (Health Test, Load Balance, etc.). Double-click the Routing Rules icon.

      (vii) In the Routing Rules panel that displays, check the box for Use URL Rewrite to inspect incoming requests. In the Actions panel on the right side of IIS Manager, click Apply.

      If the internal Web server uses a port for HTTP other than 80 (or HTTPS other than 443), configure the Web farm server ports:
    6. Add rules for the reverse proxy on the external server. These rules determine what URLs will be forwarded to the internal server.

      Rules are added in the URL Rewrite extension, which works with the ARR extension for the reverse proxy. Open the URL Rewrite panel by one of these methods: (a) in the Routing Rules panel viewed in part vii of the previous step, in the Actions panel, click the URL Rewrite link; or (b) in IIS Manager, click in the left side on the server name, and double-click on the URL Rewrite icon in the main panel, in the IIS category.

      For EACH directory to be forwarded by the reverse proxy, perform steps (i) to (vi) below. Click the link below to display the list for .NET or Java as appropriate for your installation. Enter the directory as described at step (iv). Adjust the names as appropriate for your installation. The first three are server directories as set in step 2 above. The ArcGIS directories for KML and WMS may be omitted if support is not needed externally for these service types. The tokens directory is needed only if ArcGIS services are secured with token-based authentication (see ArcGIS Server Help for information on secure services). For each Web application to be made available through the external server, add a URL Rewrite rule, using the application's path on the internal server. See steps 9 and 10 for more on Web application configuration.

      Directories to add rules for .NET:
      Directories to add rules for Java:

      (i) In the Actions pane of the URL Rewrite panel, click Add Rules...

      (ii) In the Add Rule dialog box, select Blank Rule, and click OK.

      (iii) In the Edit Rule panel that displays, enter a name for the rule. The name is not used publicly but should be named to make it easy to identify, for example, ReverseProxyOutput. Set Requested URL to Matches the pattern, and Using to Wildcards (regular expressions can also be used to match directories, but directions are not given here).

      (iv) Enter the Pattern, which should be the directory path with a wildcard character. For example, for the directory proxyoutput, enter proxyoutput*. Do not start the path with a slash character. See the links above for the list of directories for .NET or Java. Check the option to Ignore Case unless the requests should be case-sensitive.

      (v) Set the Action to Route to Server Farm. Confirm that the Action Properties displays the server farm name created for the reverse proxy (e.g., AGSReverseProxy). The server farm is used as a pseudo-URL here, and the actual location is the computer added earlier to the server farm. Leave the Path as "/{R:0}", which means that the URL path will be passed to the reverse proxy. Check the option to Stop processing of subsequent rules.

      If HTTPS should be used or required for the directory, modify the properties of the rule before saving it:

      (vi) To save the rule, click Apply in the Actions pane on the right side of IIS Manager.

      Repeat steps (i) to (vi) above for each directory that should be proxied, as listed for .NET or Java above.

      Before leaving the list of URL Rewrite rules, check whether a rule with a name ending in _loadbalance has been added (the ARR extension may add it when use of URL Rewrite is enabled). If so, click to select it, and click Disable Rule in the Actions pane. This rule, if left in effect, would forward all traffic to the back-end server, not just the requests defined with the rules created above.
    7. (OPTIONAL) Configure the token service URLs on the internal server. If the server has been configured with token-based security, the token service must be made available through the reverse proxy.

      Configure the reverse proxy for ArcGIS Server .NET Edition:

      Configure the reverse proxy for ArcGIS Server Java Edition:



       If Web ADF applications running on the internal server use services with token-based security, then those Web ADF applications must be able to communicate with the token service by way of the external URL configured in the services web.config. Some organizations may not allow access by default from the internal server to servers in the DMZ perimeter network. If necessary, modify the firewall/router rules so that the internal server can make the request to the token service on the external server.

    8. The ArcGIS Server Web services (SOAP and REST) may now be accessed by the following URLs:

      SOAP:

      http://myExternalServer/arcgis/services

      REST:

      http://myExternalServer/arcgis/rest/services


       If the site uses SSL, replace the HTTP with HTTPS in the examples above.


       Service URLs for REST services may be obtained by accessing the Services Directory from the external server.


       Only internet connections to ArcGIS Server Web services are possible with these URLs. To administer the ArcGIS Server, connect to the internal server, either using Manager or ArcCatalog.


       For added security, ask a systems administrator to restrict HTTP traffic through the internal firewall to the IP address of the reverse proxy Web server machine. This prevents Internet clients from directly accessing the open internal HTTP port.


       For added security, ask a systems administrator to apply filters to the HTTP traffic emanating from the reverse proxy Web server to restrict known nefarious packet types.

    9. (OPTIONAL) Author and publish new ArcGIS Server Web ADF Applications using Manager or the IDE that works with the reverse proxy server.

      When authoring a new ArcGIS Server Web ADF Application, use the new external service URLs shown in the previous step when specifying Internet services to add to the application.

      After creating a new application, add its path to the Web publishing rules as defined in step 6.


    10. (OPTIONAL) Edit pre-existing ArcGIS Server Web ADF applications initially authored with services using internal URLs.

      Web applications created with services referenced by internal URLs do not work outside an organization’s firewall. To convert the applications to work with the reverse proxy Web server, they must be edited manually.

      a) Configure the ArcGIS Server Web application on the internal Web server.

      For .NET:
      -show me-

      For Java:
      -show me-


      b) Configure the reverse proxy Web server for the ArcGIS Server Web ADF Application edited in 'a)' by adding its path to the Web publishing rules as defined in step 6.

      c) Test the Web site to ensure it works from the Internet.
      -show me-

      Repeat (a) through (c) for each Web application on the internal server that needs to be available to external users.

       Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two versions of the Web application: one for internal and one for external users.
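
The check described at the end of step 6 (confirm that the ARR-generated _loadbalance rule is disabled and that each per-directory rule stops processing) can be automated. The following is an added example, not part of the original article or Esri's tooling; it assumes the rules are stored as server-level URL Rewrite rules under <globalRules> in applicationHost.config, and the rule names and paths in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a <globalRules> section; rule names and proxied
# paths are illustrative, the farm name is the article's AGSReverseProxy.
SAMPLE = """
<rewrite>
  <globalRules>
    <rule name="ARR_AGSReverseProxy_loadbalance" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <action type="Rewrite" url="http://AGSReverseProxy/{R:0}" />
    </rule>
    <rule name="ags_services" patternSyntax="Wildcard" stopProcessing="true">
      <match url="arcgis/services*" />
      <action type="Rewrite" url="http://AGSReverseProxy/{R:0}" />
    </rule>
    <rule name="ags_rest" patternSyntax="Wildcard">
      <match url="arcgis/rest*" />
      <action type="Rewrite" url="http://AGSReverseProxy/{R:0}" />
    </rule>
  </globalRules>
</rewrite>
"""

CATCH_ALL = {"*", ".*", "(.*)", "^(.*)$", "^.*$"}  # patterns that match any path

def audit_rules(xml_text, farm="AGSReverseProxy"):
    """Return (rule name, finding) pairs for enabled rules that route to the farm."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        action, match = rule.find("action"), rule.find("match")
        if action is None or match is None:
            continue
        # "Route to Server Farm" is stored as a Rewrite to scheme://<farm>/{R:0}
        target = action.get("url", "").lower().split("://", 1)[-1]
        enabled = rule.get("enabled", "true").lower() != "false"
        if not enabled or not target.startswith(farm.lower() + "/"):
            continue
        name = rule.get("name", "")
        if match.get("url", "") in CATCH_ALL:
            findings.append((name, "catch-all pattern forwards every request"))
        if rule.get("stopProcessing", "false").lower() != "true":
            findings.append((name, "stopProcessing is not set"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE):
        print(f"{name}: {finding}")
```

To audit a real server, pass the text of the <rewrite> section exported from its configuration instead of SAMPLE.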


Created: 2/7/2007
Last Modified: 3/7/2012


Comments

By jmward - 01/24/2013 2:56 PM

The article needs to be updated.

I would like to see the same article for the new 10.1 structure. I was able to follow the instructions of this article to get our reverse proxy server set up. But I am struggling to get the same set up to work with 10.1.


By mkoneya - 11/09/2012 2:14 PM

I would like to see a new article that discusses the topic outlined below.

Found this very useful for configuring ArcGIS Server 10 with ISA. We were successful in doing so thanks to this article. Now we are upgrading our server to ArcGIS 10.1 and would like to see the same information for configuring ArcGIS Server 10.1 with ISA/TMG both with the web adapter and without. Have not found any documentation that addresses this issue in 10.1.


By mkschmidtjr - 03/29/2012 5:50 AM

Other - See details below.

Hello ESRI Team,

Please note this article gets us started on the ARR product, but for an environment that I encountered recently we had to change the following items to get reverse proxying to work:

Application Pools | DefaultAppPool | “Managed Pipeline Mode”: we switched it from “Integrated” to “Classic”.

Also we had to add an * in front of our url rewrite condition. So our ReverseProxyOutput pattern looked like this: *proxyoutput*. Otherwise we did not see any hits in the monitoring and management of AGSReverseProxy Server Farm.

Best wishes to all.


By Anonymous - 03/22/2010 1:41 PM

The article needs to be updated.

This solved my problem in IE6.


By Anonymous - 10/23/2009 8:19 AM

The article needs to be updated.

How do you know if your arcgis server is the java or .net version?

By Anonymous - 09/29/2008 11:03 AM

The article needs to be updated.

This article does not discuss reverse proxy for REST services or secure services with the Tokens service. This could also discuss approaches for working with multiple instances within a large organization. How do you handle reverse proxy of services without name conflicts: 1. unique instance names 2. virtual hosts

By Anonymous - 08/14/2008 6:27 AM

The article needs to be updated.

This needs to be updated for 9.3. It also needs to be clear about what needs to be reverse proxied for each type of application: server based (.net java), browser based (JavaScript, flex). It also should not be reverse proxying manager. Manager is not meant to be accessed via the internet, especially without ssl. The above instructions create an unsecure system because logging into manager would expose the web server's admin password to the internet.


By Anonymous - 08/12/2008 7:37 PM

I would like to see a new article that discusses the topic outlined below.

Please create step by step instructions for Microsoft ISA! If you reference ISA, you should support an ISA implementation. This topic is severely under documented.


By Anonymous - 02/28/2008 10:13 AM

Other - See details below.

In the article you show an example of reverse proxy for the manager application through the reverse proxy using HTTP.

    ProxyPass /arcgis/manager http://myInternalServer/arcgis/manager
    ProxyPassReverse /arcgis/manager http://myInternalServer/arcgis/manager

Because the manager application requires a password you will be sending that password over the internet in clear text. This is very bad. I think the example should either remove the manager reverse proxy settings or show how to set things up using SSL with Apache.

By Anonymous - 02/28/2008 10:09 AM

Other - See details below.

This article states:

"Though not discussed here, any Web server, including Microsoft Internet Information Server (IIS) can be configured as a reverse proxy. The configuration principles are very similar. For an IIS Web server to operate as a reverse proxy server, third party software is required, for example, Microsoft's ISA Server."

This is not true. In this case IIS is not acting as a reverse proxy. ISA is acting as a reverse proxy. ISA is a completely different server, not a part of IIS.

By Anonymous - 11/26/2007 10:29 AM

The article needs to be updated.

On the ProxyPass statements, you might be missing a trailing slash on the joboutput. Is the omission intentional? The use of trailing slashes on ProxyPass statements is quite important in certain places. There's nothing in the article to describe the logic and/or the importance of getting it right... i.e. adding a trailing slash to /arcgis/services would break things.

I think Step 6, the 'relativeURLS' option, was added with a service pack (I spent many days with support diagnosing this problem back in 9.2 release so I'm pretty sure it's an SP2 addition). If so, please note which SP.

Step 1 and Step 2 don't really make sense. Step 1 has you create a "server2" directory for java and instructs you to replace "server" with "server2" elsewhere in the doc. "server" only appears in Step 2. Why not just put "server2" in step 2?

I believe the Java instructions should be separate and should use the AJP connector instead of reverse proxy. AJP connector provides better performance and helps to solve various problems with dynamically retrieving URLs from without Tomcat (i.e. for custom web apps).


By Anonymous - 09/28/2007 12:18 PM

The article contains a typographical or grammatical error.

Article ID: 32634

My question is regarding "Step 1: Create and Web share three new directories..... "

> Instructions for .NET:
> For each folder created:
> a) Open IIS Start>Control>IIS, etc.
> b) Expand the 'myExternalServer (local computer)' node. Expand the 'Web Sites' node.
> c) Right-click the 'Default Web Site' node and select 'New > Virtual Directory…' from the context menu to open the 'Virtual Directory Creation' wizard.
> d) Click 'Next' and enter the name of the newly created directory, for example 'proxyoutput', in the 'Alias:' text file and click 'Next'.
> e) In the 'Directory:' text field on the 'Web site content directory' pane, enter or browse to the path of the newly created directory.
> f) Click 'Next' and uncheck the 'Run scripts (such as ASP)' check box. Click 'Next' and 'Finish'.

My question: Step b) Shouldn't 'myExternalServer' be 'myInternalServer'......is this a typo, or am I wrong?

Thanks!
-Mark
