Knowledge Base - Technical Articles


Technical Article - HowTo: Configure a reverse proxy system architecture for ArcGIS Server with Microsoft ISA Server

Article ID: 35892
Software: ArcGIS Server 9.3, 9.3.1, 10
Platforms: Windows XP, Server 2003, Vista, Server 2008

Summary

Instructions provided describe the procedure for configuring a reverse proxy for ArcGIS Server using the Microsoft Internet Security and Acceleration (ISA) Server. For a complete description of the reverse proxy architecture and the reasons to use it, see 'How to: Configure a reverse proxy system architecture with ArcGIS Server'.


  The following instructions are specific to the Windows Server 2003 operating system, but most of the configuration steps for the ArcGIS Server Java Edition Web services and ADF applications are similar on Windows Server 2008 and UNIX/Linux systems.


  Differences in configuring the .NET and Java versions of ArcGIS Server are clearly noted.


  For the following instructions, the Web Server host name for the internal ArcGIS Web services and ADF applications is 'myInternalServer', the reverse proxy ISA server host name is 'myExternalServer', and the ArcGIS Server instance name is 'arcgis'. Substitute the server names and instance name as appropriate. Use the fully qualified domain name (FQDN) when entering values for the external server (e.g., myExternalServer.esri.com) so that Internet users are able to contact the server and so that host names match for Secure Sockets Layer (SSL) certificates.


 Reverse proxy deployments represent an enterprise level, third-party (non-Esri) solution. As a premium service, Esri provides reverse proxy implementation and configuration services for use with Esri products through Esri Professional Services.



Before starting

Ensure that the ISA server is properly installed on the external server.

Initial Setup
It is best practice to have a dedicated reverse proxy machine in the DMZ that is not performing other roles. Microsoft (MS) recommends that this machine not even have an installation of Internet Information Services (IIS). This machine only needs a single network interface because it will be acting as an edge firewall. For this reason, these instructions use the Standard edition of MS ISA Server. If using the Enterprise edition of MS ISA Server, some steps may differ from those described below.

1) Pre-requisites.

a) Disable all but one network interface on the machine.
For each network interface (including wireless ones) select Start > Control Panel > Network connections > 'Name of Connection To Disable'. In the Connection Status dialog box that appears, click the 'Disable' button.

 If using Enterprise edition, do not disable additional network interfaces.

b) Disable any IIS Web sites currently running on port 80.
Select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager. In the left pane of the IIS Manager, expand the local computer node and Web Sites, right-click the Web site that is running on port 80 (usually 'Default Web Site'), and select 'Stop'. Close the IIS Manager window.

2) MS ISA Server 2006 Installation wizard instructions.

a) Select 'Typical' install.

b) On the internal network pane click 'Add'. In the 'Addresses' window, click 'Add Adapter'. In the 'Select Network Adapters' window, select the remaining network interface (usually 'Local Area Connection') and click 'OK'. In the 'Addresses' window click 'OK'. In the 'Installation Window' click 'Next'.

 If using Enterprise edition, select the Internet-facing network interface in this step.

c) Click 'Next' without selecting 'Allow non-encrypted Firewall client connections' on the 'Firewall Client Connections page', and click 'Next' on the following page and 'Install' on the final page.


Configuring ISA as a Reverse Proxy
MS ISA uses the term 'Publish an internal web site' to describe creating a reverse proxy for internal Web sites viewed by Internet clients. Before Web sites can be published, a Network Adapter, HTTP Access rules, and HTTP Listeners must be configured. To complete these pre-publishing configuration steps, follow the instructions below in the ISA Server Management console, opened from Start > All Programs > MS ISA Server > ISA Server Management.

1) Set up the 'Single Network Adapter' Network Template.

a) In the left panel of the ISA Server Management console, expand the 'hostName' node, expand the 'Configuration' node, and click on 'Networks'. Click the 'Templates' tab in the right panel and select 'Single Network Adapter' from the list.

b) In the 'Network Template Wizard', click 'Next' three times, and select 'Apply default Web proxying and caching configuration' policy, click 'Next', click 'Finish' and dismiss the warning.

c) In the center 'Networks' panel click 'Apply' to update the configuration.
 This disallows any further communication to/from the computer, so make sure to be present at the computer console and not to use a remote connection.


2) Set up HTTP access rules.

a) In the left panel of the ISA Server Management console, click the 'Firewall Policy' node.

b) In the center panel, click the 'Default rule' (or top-most rule if others exist).

c) In the right panel, click the 'Tasks' tab and select 'Create Access Rule'.

d) In the 'New Access Rule Wizard' name the rule 'Outgoing HTTP' and click 'Next'. In the 'Rule Action' pane, select 'Allow' and click 'Next'. In the 'Protocols' pane, select 'Selected Protocols' for the 'This rule applies to:' drop-down list, and click 'Add'. In the 'Add Protocols' dialog box, select the 'Web' node and select 'HTTP' and click 'Add', select 'HTTPS' and click 'Add', and click 'Close'. Click 'Next'. In the 'Access Rule Sources' pane click 'Add'. In the 'Add Network Entities' dialog box, expand the 'Network Sets' node and select 'All Networks (and Local Host)', and click 'Add' followed by 'Close'. Click 'Next'. In the 'Access Rule Destinations' pane, click 'Add'. In the 'Add Network Entities' dialog box, expand the 'Network Sets' node, select 'All Networks (and Local Host)', and click 'Add' followed by 'Close'. Click 'Next'. Click 'Next' again. Click 'Finish'. In the center pane, click 'Apply'.

3) Set up HTTP Listener(s).

a) In the left panel of the ISA Server Management console, click the 'Firewall Policy' node.

b) In the right panel, click the 'Toolbox' tab and select 'Network Objects'. Right-click on 'Web Listeners' and select 'New Web Listener'.

c) In the 'New Web Listener Definition Wizard' dialog box enter 'External HTTP 80' for the Web listener name and click 'Next'. In the 'Client Connection Security' pane, select 'Do not require SSL secured connections with clients' and click 'Next'. In the 'Web Listener IP Addresses' pane, select 'All Networks (and Local Host)', uncheck 'ISA Server will compress .... support compression' and click 'Next'. In the 'Authentication Settings' pane, select 'No Authentication' from the 'Select how clients will provide credentials to ISA Server' combo box, click 'Next' twice, and click 'Finish'. In the center pane, click 'Apply'.

d) (OPTIONAL) Configure ISA for use with SSL. Select this option if the ArcGIS Server configuration uses Token-based authentication and/or will be encrypting services and/or Web applications with SSL.

i) Obtain and install an SSL certificate from a recognized Certificate Authority (CA) on the external ISA Server. See http://support.microsoft.com/kb/840614 for information on obtaining and installing an SSL certificate from a recognized CA and configuring MS ISA server to use the certificate for SSL connections. Some relevant highlights from the above link include:

aa) If the CA that issues the certificates is not a commercial CA already known by Windows, make sure to import the CA's own certificate into the list of trusted root certification authorities using the 'Certificates' dialog box opened by selecting the 'Certificates' button in the 'Certificates' pane in the 'Content' tab of the 'Internet Options' dialog box opened from the 'Tools > Internet Options' menu item in Internet Explorer.

bb) If IIS is not installed on the ISA Server, use the IIS installation on the internal server to create the certificate request for the ISA server. When the certificate is retrieved from the CA, copy it to the ISA server, right-click the certificate, and select 'install certificate'. In the dialog box that appears, select the defaults and click 'OK'.


ii) Set up HTTPS Listener.

aa) Follow instructions 3a and 3b above.

bb) In the 'New Web Listener Definition Wizard' dialog box, enter 'External HTTPS 443' for the Web listener name and click 'Next'. In the 'Client Connection Security' pane, select 'Require SSL ... with clients' and click 'Next'. In the 'Web Listener IP Addresses' pane, select 'All Networks (and local Host)', uncheck 'ISA Server will .... compression' and click 'Next'. In the 'Listener SSL Certificates' pane, select the 'Use a single certificate for this Web Listener' radio button and click the 'Select Certificate' button. Select the certificate defined in d)i) above, click the 'Select' button, and click 'Next'. In the 'Authentication Settings' pane, select 'No Authentication' from the 'Select how clients will provide credentials to ISA Server' combo box, click 'Next' twice, and click 'Finish'. In the center pane, click 'Apply'.

Procedure

Instructions provided below illustrate the process of configuring ArcGIS Server and Microsoft ISA Server to operate in a reverse proxy configuration for ArcGIS Server Web services and ADF applications.

Steps 1 through 5 below are required for all ArcGIS Server systems using a reverse proxy Web system architecture. These steps need only be performed once per system. Step 6 is only required if using the token service for REST services. Step 7 shows how to access ArcGIS services working with reverse proxy Web servers. Step 8 reveals the requirements for authoring new ArcGIS Server Web ADF applications that can be accessed through the reverse proxy Web server. Step 9 illustrates how to convert pre-existing ArcGIS Server Web ADF applications to work with a newly deployed reverse proxy Web server.

  1. Create and Web share three new directories on the internal server (myInternalServer). Applications using Internet services access these directories for image output, image caching, and geoprocessing output. Any names and locations may be used for these directories, but it is recommended to create the directories in the default ArcGIS Server directories location. In this example, the default ArcGIS Server directory is C:\arcgisserver and the three directories are named:

    C:\arcgisserver\proxyoutput
    C:\arcgisserver\proxycache
    C:\arcgisserver\proxyjobs


    If the directories are created in a location other than the default server directory location (C:\arcgisserver by default), the ArcGIS Server Object Container account must have read/write permissions to the server directories' directory.

    a) Determine the account name used to run the ArcGIS Server Object Container (SOC) process. This account was specified during installation. Typically, this account is named ArcGISSOC. It may be identified by opening Task Manager on the machine running the SOC process and finding an ArcSOC process. If necessary, use View > Select Columns to turn on the User Name column.

    b) Open Windows Explorer and navigate to the folder created.

    c) Right-click on the server directories folder and select Properties. A Properties dialog box opens.

    d) Click the Security tab in the dialog box.

    e) Click the Add... button. A select-users dialog box opens.

    f) In the select-users dialog box, verify that the 'From this location:' box displays the location of the SOC user. Usually this is the local computer, but if a domain account was used during installation, then the location should be the domain name. If the location is not correct, click Locations and select the local machine name or domain. Click OK to return to the select-users dialog box.

    g) Type the user account identified above into the text box in the select-users dialog box. Alternatively, search for the user by clicking Advanced. Click Find Now. Highlight the SOC user and click OK. In the select-user dialog box, click Check Names to verify that the user is valid. Click OK. This returns to the folder Properties dialog box, with the account now added to the list of users.

    h) With the SOC user account highlighted, click the check box for Modify to enable permissions for the user.

    i) Click OK to apply the permissions and close the Properties dialog box.


    After creating the three directories and adjusting their access permissions, they must also be Web shared.

    Instructions for .NET:

    For each folder created:

    a) Open the IIS control panel from Start > Control Panel > Administrative Tools > Internet Information Services.

    b) Expand the 'myInternalServer (local computer)' node. Expand the 'Web Sites' node.

    c) Right-click the 'Default Web Site' node and select 'New > Virtual Directory…' from the context menu to open the 'Virtual Directory Creation' wizard.

    d) Click 'Next' and enter the name of the newly created directory, for example 'proxyoutput', in the 'Alias:' text field and click 'Next'.

    e) In the 'Directory:' text field on the 'Web site content directory' pane, enter or browse to the path of the newly created directory.

    f) Click 'Next' and uncheck the 'Run scripts (such as ASP)' check box. Click 'Next' and 'Finish'.

    (OPTIONAL) For each directory that will also be secured using SSL:

    a) Right-click the newly created virtual directory and select 'Properties'.

    b) In the 'Properties' dialog box, select the 'Directory Security' tab and click the 'Edit' button in the 'Secure Communications' panel.

    c) In the 'Secure Communications' dialog box, click the 'Require Secure Channel (SSL)' check box, and click 'OK' again in the 'Properties' dialog box.


    Instructions for Java:

    If the directories are added in the default server directory location, nothing more is required.

    If the directories are added in a non-default server directory location, verify that they are added as a context path to the Web server being used. For the default Tomcat instance installed with ArcGIS Server, locate the server.xml file (for v9.x, the default directory is C:\Program Files\ArcGIS\java\manager\service\tomcat\managerappserver\conf, for v10, the default directory is C:\Program Files\ArcGIS\Server10.0\java\manager\service\managerappserver\conf) and add an entry for the new server directory location. For example, to add the server directories created above,

    C:\MyServerDirectories\proxyoutput
    C:\MyServerDirectories\proxyjobs
    C:\MyServerDirectories\proxycache
    C:\MyServerDirectories\proxyindex (v10.0 only)

    insert a line into the server.xml file for 'MyServerDirectories' after the other <Context Path> elements of the form:

    <Context path="/server2" docBase="C:/MyServerDirectories"/>


      For the remainder of the instructions, use '/server2' where '/server' is indicated in URLs.




  2. Add the directories created in the previous step to the ArcGIS Server configuration using either ArcCatalog or ArcGIS Manager. These directories are in addition to the existing server directories.

    Create one output directory, one cache directory, and one jobs directory using the physical directories created above.

    The URLs for server virtual directories associated with the physical directories created in step 1 must take this form:

    http://myExternalServer/proxyoutput
    http://myExternalServer/proxycache
    http://myExternalServer/proxyjobs


     The above URLs must refer to the external server, not the internal server.


    (OPTIONAL) Replace HTTP with HTTPS in the above examples if securing the virtual directories with SSL.

    (OPTIONAL) For secure services with cached tiles, the cache directory should be secured to prevent unauthorized access to tiles. A cache directory with no virtual directory can be used to control access. For details, see the ArcGIS Server Help topic Securing the cache directory.

    See the Web page below for instructions on adding server directories:
    Creating a server directory

  3. Re-configure existing services or create new services to be used by external users. Services accessible to external users must use the new server directories created in the previous step.

    For instructions on creating new services, see the following Web page:
    Adding a new service

    When creating a new service select the output, cache, and/or jobs directories created above (see step 5 from the instructions described at the above link).

    If modifying an existing service, set the output, cache, and/or jobs directories in the Parameters panel of the service properties.

      Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two services: one for internal and one for external users.


    (OPTIONAL) Require HTTPS for services. Instructions are available from the following links:
    .NET: Securing Internet Connections or Java: Organizing services in folders


  4. Configure REST services on the internal server.


     After making these changes, some parts of the REST services may not work properly when accessed using the internal server URL.


    Configure REST services for ArcGIS Server .NET Edition:

    a) Use a text or XML editor to open C:\Inetpub\wwwroot\ArcGIS\rest\rest.config (may be different if installed in a non-default location).

    b) Change the following elements to use the name and ports of the external server.


    <SoapUrl>http://myExternalServer/arcgis/services</SoapUrl>
    <SoapSslUrl>https://myExternalServer/arcgis/services</SoapSslUrl>

    <ServicesDirectoryHelpUrl>http://myExternalServer/arcgis/SDK/REST/servicesdirectory.html</ServicesDirectoryHelpUrl>

    <ApiHelp baseUrl="http://myExternalServer/arcgis/SDK/REST/index.html?">

    <Port>80</Port>
    <SslPort>443</SslPort>


     Do not change the <ServerName> value. It must point to the internal server.

    c) For added security, require HTTPS when users log into the Services Directory and Admin utility by changing the value of <UseSslForLoginAndAdmin> to true.

    d) Save and close the rest.config file.


    Configure REST services for ArcGIS Server JAVA Edition:

    a) Use a text editor to open C:\ArcGIS\java\web_output\rest\WEB-INF\classes\server.properties (may be different if installed in a non-default location).

    b) Change the following property to use the name and port, if required, of the external server:


    com.esri.rest.SOAP_URL=http\://myExternalServer/arcgis/services


    c) Save and close the server.properties file.

    d) Use a text editor to open C:\ArcGIS\java\web_output\rest\WEB-INF\classes\resources\rest-config.properties (may be different if installed in a non-default location).

    e) Change the following property to use the name and port, if required, of the external server:


    base.url=http://myExternalServer/arcgis/sdk/rest


    f) If the external server uses non-standard ports for HTTP and HTTPS, update the following properties to reflect the non-standard ports.

    config.reverse-proxy-http-port=80
    config.reverse-proxy-ssl-port=443


    g) Save and close the rest-config.properties file.



  5. Add Web publishing rules on the external server.

    Create Web publishing rules for ArcGIS Server Web services and server directories.
    Create Web publishing rules for ArcGIS Server .NET Edition.

    A) Create Web publishing rules for ArcGIS Server server directories defined in step 1.

    i) In the left panel of the MS ISA Server Management console, click the 'Firewall Policy' node.

    ii) In the center panel, click and highlight the first policy.

    iii) In the right panel, click the 'Tasks' tab and click 'Publish Web Sites'.

    iv) Follow the instructions below for the 'New Web Publishing Rule Wizard' that appears.

    aa) In the first pane, enter 'Server Directories' for the 'Web publishing rule name:' and click 'Next'.

    bb) In the 'Select Rule Action' pane, click the 'Allow' radio button and click 'Next'.

    cc) In the 'Publishing Type' pane, select the 'Publish a single Web site or load balancer' radio button and click 'Next'.

    dd) In the 'Server Connection Security' pane select the 'Use non-secured ... farm' radio button and select 'Next' (OPTIONAL: If the ArcGIS Server is using SSL for encrypted communications - see below - choose the 'Use SSL ... farm' radio button on this pane instead).

    ee) In the 'Internal Publishing Details' pane enter the FQDN for 'myInternalServer' in the 'Internal site name:' text box. If there is no DNS in the DMZ and the 'myInternalServer' host name cannot be resolved on the ISA Server machine, check the 'Use a computer ... server' check box and enter the IP address for 'myInternalServer'. Click 'Next'.

    ff) In the 'Internal Publishing Details' pane, enter 'arcgisserver/proxyOutput/*' in the 'Path (optional):' text box. Also, check the check box for 'Forward the original...previous page.' Click 'Next'.

    gg) In the 'Public Name Details' pane, enter the FQDN for 'myExternalServer' and click 'Next'.

    hh) In the 'Select Web Listener' pane, select 'External HTTP 80' from the 'Web listener:' combo box (OPTIONAL: If the ArcGIS Server is using SSL for encrypted communications - see below - select 'External HTTPS 443' from the 'Web listener:' combo box instead) and click 'Next'.

    ii) In the 'Authentication Delegation' pane, accept the defaults by clicking 'Next'.

    jj) In the 'User Sets' pane, accept the defaults by clicking 'Next'. Click 'Finish' to close the wizard.

    kk) In the center pane, click 'Apply'.


    v) Add additional paths to the Web publishing rule.

    aa) In the center pane, right-click the 'Server Directories' firewall-policy/rule and select 'Properties'.

    bb) In the 'Server Directories Properties' dialog box, select the 'Paths' tab and click the 'Add' button.

    cc) In the 'Path mapping' dialog box, enter 'arcgisserver/proxyJobs' in the 'Specify ... blank.' text field and click 'OK'.

    dd) Click 'OK' and click 'Apply' in the center pane.


    vi) Repeat step iv) above for the 'arcgisserver/proxyCache' path.


    B) Create a Web publishing rule for ArcGIS Server services.

    i) Follow steps A.i-iv above using 'services' for the 'Web Publishing Rule Name:' and '/arcgis/services/*' for the 'Path (Optional)' text field.

    ii) Repeat step A.v above with the 'services' rule using '/aspnet_client/*' in the 'Specify ... blank.' text field.


    C) Create a Web publishing rule for ArcGIS Server REST services.

    i) Follow steps A.i-iv above using 'REST services' for the 'Web Publishing Rule Name:' and '/arcgis/rest/*' for the 'Path (Optional)' text field.

    ii) Repeat step A.v above with the 'REST services' rule using '/arcgis/sdk/rest/*' in the 'Specify ... blank.' text field.


    D) Create a Web publishing rule for the ArcGIS Server KML services.

    i) Follow steps A.i-iv above using 'KML service' for the 'Web Publishing Rule Name:' and '/arcgis/Kml/*' for the 'Path (Optional)' text field.


    E) Create a Web publishing rule for the ArcGIS Server token service.

    i) Follow steps A.i-iv above using 'token service' for the 'Web Publishing Rule Name:' and '/arcgis/tokens/*' for the 'Path (Optional)' text field.


    F) Create a Web publishing rule for ArcGIS Server ADF Web Applications.

    i) Follow steps A.i-iv above using 'ADF Applications' for the 'Web Publishing Rule Name:' and the path to an application for the 'Path (Optional)' text field. For example, if the application was named 'MyADFApplication', enter 'MyADFApplication/*' for the 'Path (Optional)' text field.

    ii) Repeat step A.v above using additional paths to ADF applications in the 'Specify ... blank.' text field.


    Create Web publishing rules for ArcGIS Server Java Edition.

    A) Create Web publishing rules for ArcGIS Server server directories defined in step 1.

    i) In the left panel of the MS ISA Server Management console, click the 'Firewall Policy' node.

    ii) In the center panel, click and highlight the first policy.

    iii) In the right panel, click the 'Tasks' tab and click 'Publish Web Sites'.

    iv) Follow the instructions below for the 'New Web Publishing Rule Wizard' that appears.

    aa) In the first pane, enter 'Server Directories' for the 'Web publishing rule name:' and click 'Next'.

    bb) In the 'Select Rule Action' pane, click the 'Allow' radio button and click 'Next'.

    cc) In the 'Publishing Type' pane, select the 'Publish a single Web site or load balancer' radio button and click 'Next'.

    dd) In the 'Server Connection Security' pane select the 'Use non-secured ... farm' radio button and select 'Next' (OPTIONAL: If the ArcGIS Server is using SSL for encrypted communications - see below - select the 'Use SSL ... farm' radio button on this pane instead).

    ee) In the 'Internal Publishing Details' pane enter the FQDN for 'myInternalServer' in the 'Internal site name:' text box. If there is no DNS in the DMZ and the 'myInternalServer' host name cannot be resolved on the ISA Server machine, check the 'Use a computer ... server' check box and enter the IP address for 'myInternalServer'. Click 'Next'.

    ff) In the 'Internal Publishing Details' pane, enter 'arcgis/server/proxyOutput/*' in the 'Path (optional):' text box. Also, check the check box for 'Forward the original...previous page.' Click 'Next'.

    gg) In the 'Public Name Details' pane, enter the FQDN for 'myExternalServer' and click 'Next'.

    hh) In the 'Select Web Listener' pane, select 'External HTTP 80' from the 'Web listener:' combo box (OPTIONAL: If the ArcGIS Server is using SSL for encrypted communications - see below - select 'External HTTPS 443' from the 'Web listener:' combo box instead) and click 'Next'.

    ii) In the 'Authentication Delegation' pane, accept the defaults by clicking 'Next'.

    jj) In the 'User Sets' pane, accept the defaults by clicking 'Next'. Click 'Finish' to close the wizard.

    kk) In the center pane, click 'Apply'.


    v) Configure bridging (mapping to non-standard HTTP and HTTPS ports on the internal server) for the Web publishing rule.
    aa) In the center pane, right-click the 'Server Directories' firewall-policy/rule and select 'Properties'.

    bb) In the 'Server Directories Properties' dialog box, select the 'Bridging' tab and enter '8399' in the 'Redirect requests to HTTP port:' text box (OPTIONAL: If the ArcGIS Server is using SSL for encrypted communications - see below - enter '8398' in the 'Redirect requests to SSL port:' text box and uncheck 'Redirect requests to HTTP port'.).

    cc) Click 'OK' and click 'Apply' in the center pane.


    vi) Add additional paths to the Web publishing rule.

    aa) In the center pane, right-click the 'Server Directories' firewall-policy/rule and select 'Properties'.

    bb) In the 'Server Directories Properties' dialog box, select the 'Paths' tab and click the 'Add' button.

    cc) In the 'Path mapping' dialog box, enter 'arcgis/server/proxyJobs' in the 'Specify ... blank.' text field and click 'OK'.

    dd) Click 'OK' and click 'Apply' in the center pane.


    vii) Repeat step vi) above for the 'arcgis/server/proxyCache' path.


    B) Create a Web publishing rule for ArcGIS Server services

    i) Follow steps A.i-v above using 'services' for the 'Web Publishing Rule Name:' and '/arcgis/services/*' for the 'Path (Optional)' text field.


    C) Create a Web publishing rule for ArcGIS Server REST services.

    i) Follow steps A.i-v above using 'REST services' for the 'Web Publishing Rule Name:' and '/arcgis/rest/*' for the 'Path (Optional)' text field.

    ii) Repeat step A.vi above with the 'REST services' rule using '/arcgis/sdk/rest/*' in the 'Specify ... blank.' text field.


    D) Create a Web publishing rule for the ArcGIS Server KML services.

    i) Follow steps A.i-v above using 'KML service' for the 'Web Publishing Rule Name:' and '/arcgis/Kml/*' for the 'Path (Optional)' text field.


    E) Create a Web publishing rule for the ArcGIS Server token service.

    i) Follow steps A.i-v above using 'token service' for the 'Web Publishing Rule Name:' and '/arcgis/tokens/*' for the 'Path (Optional)' text field.


    F) Create a Web publishing rule for ArcGIS Server ADF Web Applications.

    i) Follow steps A.i-v above using 'ADF Applications' for the 'Web Publishing Rule Name:' and the path to an application for the 'Path (Optional)' text field. For example, if the application was named 'MyADFApplication', enter 'MyADFApplication/*' for the 'Path (Optional)' text field.

    ii) Repeat step A.vi above using additional paths to ADF applications in the 'Specify ... blank.' text field.

  6. (OPTIONAL) Configure the token service URLs on the internal server. If the server has been configured with token-based security, the token service must be made available through the reverse proxy.

    Configure the reverse proxy for ArcGIS Server .NET Edition:

    a) Use a text or XML editor to open the web.config for the REST application. By default, this file is located at C:\Inetpub\wwwroot\ArcGIS\rest.

    b) In the <appSettings> section, set the <TokenServiceURL> to point to the external server name and HTTPS port. For example, https://myExternalServer/ArcGIS/tokens/.

    c) Repeat the above two steps for the web.config files in both C:\Inetpub\wwwroot\ArcGIS\Services and C:\Inetpub\wwwroot\ArcGIS\tokens.


    Configure the reverse proxy for ArcGIS Server Java Edition:

    a) Edit the arcgis_wshandler.properties file for the services application. By default, this file is located in C:\Program Files\ArcGIS\java\web_output\services\WEB-INF\classes.

    b) Find the arcgis.webservices.security.tokenserviceurl property and change the host name to myExternalServer:

    arcgis.webservices.security.tokenserviceurl=http://myExternalServer/arcgis/tokens


    c) Save and close the file.

    d) Edit the security.xml file for the rest application. By default, this file is located in C:\Program Files\ArcGIS\java\web_output\rest\WEB-INF\classes.

    e) Find the 'TokenServiceURL' key and change the host name to myExternalServer:

    <entry key="TokenServiceURL">http://myExternalServer/arcgis/tokens</entry>


    f) Save and close the file.

    g) Restart the ArcGIS Server Manager Service.



  7. The ArcGIS Server Web services (SOAP and REST) may now be accessed by the following URLs:

    SOAP:

    http://myExternalServer/arcgis/services

    REST:

    http://myExternalServer/arcgis/rest/services


     If the site uses SSL, replace the HTTP with HTTPS in the examples above.


     Service URLs for REST services may be obtained by accessing the Services Directory from the external server.


     Only internet connections to ArcGIS Server Web services are possible with these URLs. To administer the ArcGIS Server, connect to the internal server, either using Manager or ArcCatalog.


     For added security, ask a systems administrator to restrict HTTP traffic through the internal firewall to the IP address of the reverse proxy Web server machine. This prevents Internet clients from directly accessing the open internal HTTP port.


     For added security, ask a systems administrator to apply filters to the HTTP traffic emanating from the reverse proxy Web server to restrict known nefarious packet types.
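
The edits in steps 4 and 6 are easy to get half right: one advertised URL left on the internal host, or <ServerName> moved by mistake. The following Python audit is an added example, not Esri's code; the sample file contents, the <RestConfig> root element and the choice to expect HTTPS for the token URL are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EXTERNAL = "myExternalServer.esri.com"  # the article's placeholder host names
INTERNAL = "myInternalServer"

# Constructed sample. Element names are from step 4; the <RestConfig> root,
# the flat nesting and the two planted mistakes are assumptions of this example.
REST_CONFIG = """<RestConfig>
  <ServerName>myInternalServer</ServerName>
  <SoapUrl>http://myExternalServer.esri.com/arcgis/services</SoapUrl>
  <SoapSslUrl>https://myInternalServer/arcgis/services</SoapSslUrl>
  <ServicesDirectoryHelpUrl>http://myExternalServer.esri.com/arcgis/SDK/REST/servicesdirectory.html</ServicesDirectoryHelpUrl>
  <ApiHelp baseUrl="http://myExternalServer.esri.com/arcgis/SDK/REST/index.html?"/>
  <Port>80</Port>
  <SslPort>443</SslPort>
  <UseSslForLoginAndAdmin>false</UseSslForLoginAndAdmin>
</RestConfig>"""

# Constructed sample merging keys from server.properties, rest-config.properties
# and arcgis_wshandler.properties; the token URL was left on the internal host.
JAVA_PROPS = r"""
com.esri.rest.SOAP_URL=http\://myExternalServer.esri.com/arcgis/services
base.url=http://myExternalServer.esri.com/arcgis/sdk/rest
config.reverse-proxy-http-port=80
config.reverse-proxy-ssl-port=443
arcgis.webservices.security.tokenserviceurl=http://myInternalServer:8399/arcgis/tokens
"""

# Java keys that must name the external host. True means this example also
# expects https, following the .NET token-service instruction in step 6.
JAVA_URL_KEYS = {
    "com.esri.rest.SOAP_URL": False,
    "base.url": False,
    "arcgis.webservices.security.tokenserviceurl": True,
}
JAVA_PORT_KEYS = ("config.reverse-proxy-http-port", "config.reverse-proxy-ssl-port")


def check_url(name, url, external, require_https=False):
    """Return findings for one URL that clients will be told to use."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if host != external.lower():
        findings.append(f"{name}: host '{host}' is not the external FQDN")
    if require_https and parts.scheme.lower() != "https":
        findings.append(f"{name}: uses {parts.scheme}, expected https")
    return findings


def audit_rest_config(xml_text, external, internal, http_port=80, ssl_port=443):
    """Audit the rest.config values edited in step 4 (.NET Edition)."""
    root = ET.fromstring(xml_text)

    def text(tag):
        el = next(root.iter(tag), None)
        return None if el is None else (el.text or "").strip()

    findings = []
    for tag, https in (("SoapUrl", False), ("SoapSslUrl", True),
                       ("ServicesDirectoryHelpUrl", False)):
        value = text(tag)
        findings += [f"{tag}: missing"] if value is None else check_url(tag, value, external, https)
    api = next(root.iter("ApiHelp"), None)
    if api is not None and api.get("baseUrl"):
        findings += check_url("ApiHelp@baseUrl", api.get("baseUrl"), external)
    # ServerName is the one value that must keep pointing at the internal server.
    server = text("ServerName") or ""
    if server.lower().split(".")[0] != internal.lower().split(".")[0]:
        findings.append(f"ServerName: '{server}' is not the internal server")
    for tag, want in (("Port", http_port), ("SslPort", ssl_port)):
        if text(tag) != str(want):
            findings.append(f"{tag}: {text(tag)} does not match listener port {want}")
    if (text("UseSslForLoginAndAdmin") or "").lower() != "true":
        findings.append("UseSslForLoginAndAdmin: not true, HTTPS is not required for login")
    return findings


def parse_properties(text):
    # Minimal .properties reader: skips comments, accepts '=' or ':' separators
    # and removes backslash escapes. Line continuations are not handled.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:\s]\s*(.*)", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            props[key] = value
    return props


def audit_java_properties(text, external, http_port=80, ssl_port=443):
    """Audit the Java Edition properties edited in steps 4 and 6."""
    props = parse_properties(text)
    findings = []
    for key, https in JAVA_URL_KEYS.items():
        if key in props:  # each real file holds only some of these keys
            findings += check_url(key, props[key], external, https)
    for key, want in zip(JAVA_PORT_KEYS, (http_port, ssl_port)):
        if key in props and props[key] != str(want):
            findings.append(f"{key}: {props[key]} does not match listener port {want}")
    return findings


if __name__ == "__main__":
    for finding in (audit_rest_config(REST_CONFIG, EXTERNAL, INTERNAL)
                    + audit_java_properties(JAVA_PROPS, EXTERNAL)):
        print("FINDING", finding)
```

To audit a real installation, read each file into a string and pass it to the matching function; a correctly edited configuration returns an empty list.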

  8. (OPTIONAL) Author and publish new ArcGIS Server Web ADF Applications using Manager or the IDE that works with the reverse proxy server.

    When authoring a new ArcGIS Server Web ADF Application, use the new external service URLs shown in the previous step when specifying Internet services to add to the application.

    After creating a new application, add its path to the Web publishing rules as defined in step 5.


  9. (OPTIONAL) Edit pre-existing ArcGIS Server Web ADF applications initially authored with services using internal URLs.

    Web applications created with services referenced by internal URLs do not work outside an organization’s firewall. To convert the applications to work with the reverse proxy Web server, they must be edited manually.

    a) Configure the ArcGIS Server Web application on the internal Web server.

    For .NET:

    (1) Open the Web application in Visual Studio, Visual Web Developer Express, or other development environment. If such a tool is not available, a text editor may be used to edit pages, but edit the page exactly as directed below.

    (2) Open the Web page that contains Web ADF controls. In ASP.NET applications, the page to edit is named Default.aspx.

    (3) Change the URLs used for each service in each resource manager control to refer to the external URL for the service. For the MapResourceManager control, the ResourceItems contain one or more resources. Open the properties of each resource and find the URL of the service. If it points to an ArcGIS Internet source, change the URL to use the external server; for example:

    http://myExternalServer/arcgis/services

     If the firewall prevents HTTP connections from the internal computer to the external Web server, the browse button (...) in the Resource Definition Editor may not list services. In this case, manually change the URL to reference the external Web server.


    Use the following page as a reference when setting the resource URLs:
    Using the MapResourceManager control

    (4) Save the file.

    (5) If other Web pages in the application contain ESRI Web controls, repeat (2) through (4) for each of these pages.

    (6) Rebuild and, if required, redeploy the application.

    For Java:

    The best approach for applications deployed into the embedded Web server using the Manager Web application is to recreate them following the procedures in step 11.


     This step can only be performed on Web applications that are exported and deployed to a third-party Web application server.

    1) In the directory where the Web application is deployed, navigate to the WEB-INF directory.

    2) Edit the 'faces-config.xml' file. Search for the 'endPointURL' property and change its internal URL value to the new external URLs established in step 3 above. For example, if the original URL is http://myInternalServer:8399/MyServices/MapServer, change the lines to http://myExternalServer/MyServices/MapServer. See example below:

    Before:

    <managed-property>
    
    <property-name>endPointURL</property-name>
    <value>http://myInternalServer:8399/MyServices/MapServer</value>
    </managed-property>


    After:

    <managed-property>
    
    <property-name>endPointURL</property-name>
    <value>http://myExternalServer/MyServices/MapServer</value>
    </managed-property>


    3) If the Web application server is configured to automatically reload applications after changes are made, the Web application works with the reverse proxy server the next time it is accessed. Otherwise, the Web application server should be restarted.


    b) Configure the reverse proxy Web server for the ArcGIS Server Web ADF Application edited in a) by adding its path to the Web publishing rules as defined in step 5.

    c) Test the Web site to ensure it works from the Internet.

    (1) Open a Web browser on a computer, using the Internet outside the organization's network, if possible. Testing it from the perimeter network on a computer different from the external server also works.

    (2) Enter the URL of the external server and the Web site name. For example, if the Web site name configured above is myADFApplication, the URL would be:

    http://myExternalServer/myADFApplication

    (3) If there are any errors, or the site does not load completely, recheck that all settings have been made as instructed.

    Troubleshooting tips:

    • If the site does not load at all (page-not-found, 404 error), check the proxy settings as covered in section (b) of this step.

    • If the basic page outline loads, but no map appears or script errors are displayed, check that the Web page has the settings for ESRI Web controls as instructed in section (a) of this step.

    • If the page outline loads and no script errors occur, but no map loads, the map configuration may be incorrect. Test whether it is possible to preview the map service from the external server using one of the three methods below:

    Use ArcGIS Desktop (ArcCatalog, ArcMap) installed outside the organization's firewall or on the perimeter network.

    Use ArcGIS Desktop from the internal network if internal users can contact the external server (myExternalServer). Use Desktop in either case to connect to the services on myExternalServer: use the Add-data button, expand GIS Servers, double-click Add ArcGIS Server, and add the server as an ArcGIS Internet server using the URL as in the step above, "The ArcGIS Server Web services (SOAP and REST) may now be accessed...".

    Load the following URLs into a browser:

    http://myExternalServer/arcgis/services?wsdl
    http://myExternalServer/arcgis/services/myArcGISservice/MapServer?wsdl

    Change the second URL to match a service on your system. These should load an XML (WSDL) document. If these methods fail to connect to the service, then recheck the proxy settings in step 5 as well as the directory settings in steps 2 and 3.

    • (IIS7/Application Request Routing only) If a list of services can be obtained for a server in ArcCatalog or Manager, but any request to obtain details for a service or display a service fails, check that the URL Rewrite rule created for the services directory has its match type set to Wildcard, not Regular Expressions.


    Repeat (a) through (c) for each Web application on the internal server that needs to be available to external users.

     Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two versions of the Web application: one for internal and one for external users.
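
The host name edits to arcgis_wshandler.properties and security.xml in the Java Edition configuration, and to faces-config.xml in step 9, can be checked with a short script that reports any URL still pointing at a host other than the external server. This is an added example, not Esri code: the function names, the `<properties>` root assumed for security.xml, and the sample file contents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PROP_KEY = "arcgis.webservices.security.tokenserviceurl"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any

def urls_in_properties(text):
    """arcgis_wshandler.properties: yield (key, url) for the token service URL."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP_KEY:
            yield PROP_KEY, value.strip()

def urls_in_xml(text):
    """security.xml TokenServiceURL entries and faces-config.xml endPointURL values."""
    for el in ET.fromstring(text).iter():
        if _local(el.tag) == "entry" and el.get("key") == "TokenServiceURL":
            yield "TokenServiceURL", (el.text or "").strip()
        elif _local(el.tag) == "managed-property":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("property-name") == "endPointURL":
                yield "endPointURL", fields.get("value", "")

def audit(files, external_host):
    """Return (file, key, url) for every URL whose host is not external_host."""
    findings = []
    for name, text in files.items():
        parse = urls_in_properties if name.endswith(".properties") else urls_in_xml
        for key, url in parse(text):
            if (urlsplit(url).hostname or "").lower() != external_host.lower():
                findings.append((name, key, url))
    return findings

# Constructed file contents for illustration, not taken from a real installation.
SAMPLE = {
    "arcgis_wshandler.properties": PROP_KEY + "=http://myExternalServer/arcgis/tokens\n",
    "security.xml": '<properties><entry key="TokenServiceURL">'
                    "http://myInternalServer:8399/arcgis/tokens</entry></properties>",
    "faces-config.xml": "<faces-config><managed-bean><managed-property>"
                        "<property-name>endPointURL</property-name>"
                        "<value>http://myInternalServer:8399/MyServices/MapServer</value>"
                        "</managed-property></managed-bean></faces-config>",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "myExternalServer"):
        print("not behind the proxy:", *finding)
```

To use it on a real deployment, read each file's text into the dictionary under its file name and pass the external host exactly as it appears in the URLs (the FQDN if the URLs use it).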



Created: 12/3/2008
Last Modified: 3/7/2012


Comments

By biswaketan - 06/02/2011 1:54 AM

Great article! It helped a lot!


By Anonymous - 01/28/2011 11:55 AM

The article needs to be updated.

It would be a good idea to mention the "/aspnet_client/*" path under step 5 > .NET > Step F of this great KB.


By Anonymous - 02/26/2010 5:29 PM

The article needs to be updated.

Step 5, .NET Edition, section A, iv, ff ‘arcgisserver/proxyOutput/*’ should be ‘/proxyOutput/*’ based on the virtual directories created in step 1
Step 5, .NET Edition, section A, v, cc ‘arcgisserver/proxyJobs’ should be ‘/proxyJobs/*’
Step 5, .NET Edition, section A, vi ‘arcgisserver/proxyCache’ should be ‘/proxyCache/*’

Similar changes need to be made for the Java edition based on the virtual directories created in step 1:
Step 5, Java Edition, section A, iv, ff ‘arcgis/server/proxyOutput/*’ should be ‘/proxyOutput/*’
Step 5, Java Edition, section A, vi ‘arcgis/server/proxyJobs’ should be ‘/proxyJobs/*’
Step 5, Java Edition, section A, vii ‘arcgis/server/proxyCache’ should be ‘/proxyCache/*’