Technical Article - HowTo: Configure a reverse proxy system architecture for ArcGIS Server with an Apache Web Server

Article ID: 35948
Software:  ArcGIS Server 9.2, 9.3, 9.3.1
Platforms:  Windows XP, 2003Server, Vista, 2008Server

Summary

Instructions provided describe the procedure for configuring a reverse proxy for ArcGIS Server using an Apache Web Server. For a complete description of and reasons to use the reverse proxy architecture, see How to: Configure a reverse proxy system architecture with ArcGIS Server.

  The following instructions are specific to Windows operating systems, but most of the configuration steps for the Apache Web Server and the ArcGIS Server Java Edition Web services and ADF applications are similar on UNIX/Linux systems.


 Differences in configuring the .NET and Java versions of ArcGIS Server are clearly noted.


 For the following instructions, the Web Server host name for the internal ArcGIS Web services and ADF applications is 'myInternalServer', the reverse proxy Web server host name is 'myExternalServer', and the ArcGIS Server instance name is 'arcgis'. Substitute the server names and instance name as appropriate. Use the fully qualified domain name (FQDN) when entering values for the external server (e.g., myExternalServer.esri.com) so that Internet users are able to contact the server and so that host names match for SSL certificates.


Before starting

A) Verify that the external server can connect to the internal server.

The firewall between myExternalServer and myInternalServer must allow HTTP requests on a port for myInternalServer's Web server. By default, this is port 80.

To test the connection, open a Web browser on myExternalServer and enter the URL for myInternalServer. Typically, myInternalServer uses a private IP address, for example, 10.1.2.22. For the above example, entering the URL http://10.1.2.22:80 in a Web browser on myExternalServer should render the default Web page for myInternalServer.

If Web pages from myInternalServer are not available from a browser running on myExternalServer, ask the firewall administrator to open the appropriate HTTP port through the firewall to myInternalServer.

Optionally, to enable or increase the speed of communication between external and internal servers, the hosts file on the machine 'myExternalServer' may need to be updated with the IP address and host name of the machine 'myInternalServer'. This may reduce the time to resolve the internal server host name.

a) On the reverse proxy server machine, open the hosts file in Notepad or another text editor. On a Windows server, this file is located at <Windows Directory>\System32\drivers\etc\Hosts.

b) At the bottom of the hosts file, add the entry below. This assumes the IP address of the internal server is 10.1.2.22. Change the IP address and machine name as appropriate.

10.1.2.22 myInternalServer

c) Save the hosts file. The changes take effect immediately with no restart needed.


B) Make sure that the ArcGIS Server for either the Microsoft .NET Framework or the Java Framework is installed on the internal server (myInternalServer). These instructions assume that the ArcGIS ADF Web applications and Web services are on myInternalServer. No ESRI components are required on the external server (myExternalServer).

C) Ensure that the Apache Web Server is installed on the external server. To download and find documentation on the Apache Web Server, see http://httpd.apache.org/.

D) (OPTIONAL) On the internal server, install the ArcGIS Web instance with a non-default name (e.g., GISServices instead of ArcGIS).
 The same name for the ArcGIS directory must be used on both the internal and external Web servers.



E) (OPTIONAL) For added security, on the internal server, install the ArcGIS instance on a non-default Web site and/or non-default port.

 If this is done in .NET on IIS, ensure that ASP.NET support is added to the non-default Web site before installing the ArcGIS instance (use the aspnet_regiis tool).


F) (OPTIONAL) Configure security for services and applications on the internal GIS server. This restricts access to services or applications exposed to the Internet. See the ArcGIS Server Help for .NET or for Java for information on configuring users, roles, and permissions.

G) (OPTIONAL) Configure support for SSL (HTTPS):
(i) Install SSL support on the external Web server, for example, OpenSSL for Apache. On Windows, it is possible to install Apache with SSL by using the package labeled 'Win32 Binary including OpenSSL', available from the Apache HTTP Server download page.

To enable SSL with the OpenSSL package installed, use a text editor to open the httpd.conf file in the Apache conf directory, and uncomment these two lines (that is, remove the # from the start of each line):

LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf


(ii) Obtain and install an SSL certificate from a recognized Certificate Authority (CA) on the external Apache Web Server. See http://www.apache-ssl.org/ for information on obtaining an SSL certificate from a recognized CA.

In the httpd-ssl.conf file in Apache's conf/extra folder, check that the paths in SSLCertificateFile and SSLCertificateKeyFile point to the installed certificate and its key. If the SSL port was changed from the default 443, update the ports in the file as well. Save the file and restart the Apache service.

(iii) Obtain and install an SSL certificate from a CA on the internal Web server.

 It is possible to use HTTPS only for client requests to the external server, and use plain HTTP for requests between the external and internal servers. However, this leaves all communication (e.g., usernames and passwords) between the two servers vulnerable to capture by someone with access to the DMZ or internal network.


(iv) Require SSL (HTTPS) for some or all ArcGIS Server services and Web applications. For services, use the folder properties in ArcCatalog or Manager (check the 'Require Encrypted Web Access' option). For Web applications, use the Applications tab in Manager to edit the properties of the application. In the Applications tab, use the Advanced Options to set the URL to use HTTPS.

Procedure

Instructions provided below illustrate the process of configuring ArcGIS Server and an Apache Web Server to operate in a reverse proxy configuration for ArcGIS Server Web services and ADF applications.

Steps 1 through 5 below are required for all ArcGIS Server systems using a reverse proxy Web system architecture. These steps need only be performed once per system. Step 6 is only required if SSL (HTTPS) is used to secure services. Step 7 is only required if using the token service for REST services. Step 8 shows how to access ArcGIS services working with reverse proxy Web servers. Step 9 must be performed for each ArcGIS Server ADF application that works with the reverse proxy Web server. Step 10 reveals the requirements for authoring new ArcGIS Server Web ADF applications that can be accessed through the reverse proxy Web server. Step 11 illustrates how to convert pre-existing ArcGIS Server Web ADF applications to work with a newly deployed reverse proxy Web server.

  1. Create and Web share three new directories on the internal server (myInternalServer). Applications using Internet services access these directories for image output, image caching, and geoprocessing output. Any names and locations may be used for these directories, but it is recommended to create the directories within the default ArcGIS Server directories location. In this example, the default ArcGIS Server directory is C:\arcgisserver and the three directories are named:

    C:\arcgisserver\proxyoutput
    C:\arcgisserver\proxycache
    C:\arcgisserver\proxyjobs


    If the directories are created in a location other than the default server directory location (C:\arcgisserver by default), the ArcGIS Server Object Container account must have read/write permissions to the directory that contains them.

    a) Determine the account name used to run the ArcGIS Server Object Container (SOC) process. This account was specified during installation. Typically, this account is named ArcGISSOC. It may be identified by opening Task Manager on the machine running the SOC process and finding an ArcSOC process. Use View > Select Columns to turn on the User Name column, if necessary.

    b) Open Windows Explorer and navigate to the folder created.

    c) Right-click on the server directories folder and select Properties. A Properties dialog box opens.

    d) Click the Security tab in the dialog box.

    e) Click the Add... button. A select-users dialog box opens.

    f) In the select-users dialog box, verify that the 'From this location:' box displays the location of the SOC user. Usually this is the local computer, but if a domain account was used during installation, then the location should be the domain name. If the location is not correct, click Locations and select the local machine name or domain. Click OK to return to the select-users dialog box.

    g) Type the user account identified above into the text box in the select-users dialog box. Alternatively, search for the user by clicking Advanced. Click Find Now. Highlight the SOC user and click OK. In the select-users dialog box, click Check Names to verify that the user is valid. Click OK. This returns to the folder Properties dialog box, with the account now added to the list of users.

    h) With the SOC user account highlighted, click the check box for Modify to enable permissions for the user.

    i) Click OK to apply the permissions and close the Properties dialog box.


    After creating the three directories and adjusting their access permissions, they must also be Web shared.

    Instructions for .NET:

    For each folder created:

    a) Open the IIS control panel from Start > Control Panel > Administrative Tools > Internet Information Services.

    b) Expand the 'myInternalServer (local computer)' node. Expand the 'Web Sites' node.

    c) Right-click the 'Default Web Site' node and select 'New > Virtual Directory…' from the context menu to open the 'Virtual Directory Creation' wizard.

    d) Click 'Next' and enter the name of the newly created directory, for example 'proxyoutput', in the 'Alias:' text field and click 'Next'.

    e) In the 'Directory:' text field on the 'Web site content directory' pane, enter or browse to the path of the newly created directory.

    f) Click 'Next' and uncheck the 'Run scripts (such as ASP)' check box. Click 'Next' and 'Finish'.

    (OPTIONAL) For each directory that will also be secured using SSL:

    a) Right-click the newly created virtual directory and select 'Properties'.

    b) In the 'Properties' dialog box, select the 'Directory Security' tab and click the 'Edit' button in the 'Secure Communications' panel.

    c) In the 'Secure Communications' dialog box, select the 'Require Secure Channel (SSL)' check box and click 'OK'. Click 'OK' again in the 'Properties' dialog box.


    Instructions for Java:

    If the directories are added in the default server directory location, nothing more is required.

    If the directories are added in a non-default server directory location, verify that they are added as a context path to the Web server being used. For the default Tomcat instance installed with ArcGIS Server, locate the server.xml file (in the directory C:\Program Files\ArcGIS\java\manager\service\tomcat\managerappserver\conf by default) and add an entry for the new server directory location. For example, to add the three directories created above,

    C:\MyServerDirectories\proxyoutput
    C:\MyServerDirectories\proxyjobs
    C:\MyServerDirectories\proxycache

    insert a line of the following form for 'MyServerDirectories' into the server.xml file, after the other <Context> elements:

    <Context path="/server2" docBase="C:/MyServerDirectories"/>


      For the remainder of the instructions, use '/server2' where '/server' is indicated in URLs.




  2. Add the directories created in the previous step to the ArcGIS Server configuration using either ArcCatalog or ArcGIS Manager. These directories are in addition to the existing server directories.

    Create one output directory, one cache directory, and one jobs directory, using the physical directories created above.

    The URLs for server virtual directories associated with the physical directories created in step 1 must take this form:

    http://myExternalServer/proxyoutput
    http://myExternalServer/proxycache
    http://myExternalServer/proxyjobs


     The above URLs must refer to the external server, not the internal server.


    (OPTIONAL) Replace HTTP with HTTPS in the above examples if securing the virtual directories with SSL.

    (OPTIONAL) For secure services with cached tiles, the cache directory should be secured to prevent unauthorized access to tiles. A cache directory with no virtual directory can be used to control access. For details, see the ArcGIS Server Help topic Securing the cache directory.

    See the Web page below for instructions on adding server directories:
    Creating a server directory

  3. Re-configure existing services or create new services to be used by external users. Services accessible to external users must use the new server directories created in the previous step.

    For instructions on creating new services, see the following Web page:
    Adding a new service

    When creating a new service select the output, cache, and/or jobs directories created above (see step 5 from the instructions described at the above link).

    If modifying an existing service, set the output, cache, and/or jobs directories in the Parameters panel of the service properties.

      Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two services: one for internal and one for external users.


    (OPTIONAL) Require HTTPS for services. Instructions are available from the following links:
    .NET: Securing Internet Connections or Java: Organizing services in folders


  4. Configure REST services on the internal server.


     After making these changes, some parts of the REST services may not work properly when accessed using the internal server URL.


    Configure REST services for ArcGIS Server .NET Edition:

    a) Use a text or XML editor to open C:\Inetpub\wwwroot\ArcGIS\rest\rest.config (may be different if installed in a non-default location).

    b) Change the following elements to use the name and ports of the external server.


    <SoapUrl>http://myExternalServer/arcgis/services</SoapUrl>
    <SoapSslUrl>https://myExternalServer/arcgis/services</SoapSslUrl>

    <ServicesDirectoryHelpUrl>http://myExternalServer/arcgis/SDK/REST/servicesdirectory.html</ServicesDirectoryHelpUrl>

    <ApiHelp baseUrl="http://myExternalServer/arcgis/SDK/REST/index.html?">

    <Port>80</Port>
    <SslPort>443</SslPort>


     Do not change the <ServerName> value. It must point to the internal server.

    c) For added security, require HTTPS when users log into the Services Directory and Admin utility by changing the value of <UseSslForLoginAndAdmin> to true.

    d) Save and close the rest.config file.


    Configure REST services for ArcGIS Server Java Edition:

    a) Use a text editor to open C:\ArcGIS\java\web_output\rest\WEB-INF\classes\server.properties (may be different if installed in a non-default location).

    b) Change the following property to use the name and port, if required, of the external server:


    com.esri.rest.SOAP_URL=http\://myExternalServer/arcgis/services


    c) Save and close the server.properties file.

    d) Use a text editor to open C:\ArcGIS\java\web_output\rest\WEB-INF\classes\resources\rest-config.properties (may be different if installed in a non-default location).

    e) Change the following property to use the name and port, if required, of the external server:


    base.url=http://myExternalServer/arcgis/sdk/rest


    f) If the external server uses non-standard ports for HTTP and HTTPS, update the following properties to reflect the non-standard ports.

    config.reverse-proxy-http-port=80
    config.reverse-proxy-ssl-port=443


    g) Save and close the rest-config.properties file.



  5. Enable the reverse proxy server on the external server.

    a) Open the httpd.conf file in a text editor. By default, this file is located on Windows in C:\Program Files\Apache Group\Apache2\conf.

    Enable the reverse proxy:

    Search for and uncomment the following lines by removing the # signs at the start of each line:

    #LoadModule proxy_module modules/mod_proxy.so
    
    #LoadModule proxy_http_module modules/mod_proxy_http.so


    The lines should now read:

    LoadModule proxy_module modules/mod_proxy.so
    
    LoadModule proxy_http_module modules/mod_proxy_http.so



    Configure the reverse proxy by adding required directives to the httpd.conf file.
     The same name for the ArcGIS directory must be used on both the internal and external Web servers.


    Configuration for ArcGIS Server .NET Edition:


    ProxyRequests Off
    

    ProxyPass /arcgis/services http://myInternalServer/arcgis/services
    ProxyPassReverse /arcgis/services http://myInternalServer/arcgis/services

    ProxyPass /arcgis/rest http://myInternalServer/arcgis/rest
    ProxyPassReverse /arcgis/rest http://myInternalServer/arcgis/rest

    ProxyPass /arcgis/sdk/rest http://myInternalServer/arcgis/sdk/rest
    ProxyPassReverse /arcgis/sdk/rest http://myInternalServer/arcgis/sdk/rest

    ProxyPass /aspnet_client/ http://myInternalServer/aspnet_client/
    ProxyPassReverse /aspnet_client/ http://myInternalServer/aspnet_client/

    ProxyPass /arcgis/tokens http://myInternalServer/arcgis/tokens
    ProxyPassReverse /arcgis/tokens http://myInternalServer/arcgis/tokens

    ProxyPass /proxyoutput/ http://myInternalServer/proxyoutput/
    ProxyPassReverse /proxyoutput/ http://myInternalServer/proxyoutput/

    ProxyPass /proxyjobs/ http://myInternalServer/proxyjobs/
    ProxyPassReverse /proxyjobs/ http://myInternalServer/proxyjobs/

    ProxyPass /proxycache/ http://myInternalServer/proxycache/
    ProxyPassReverse /proxycache/ http://myInternalServer/proxycache/



     These directives are all case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, all of the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyRequests Off
    

    ProxyPassMatch (?i)^/ArcGIS/services(.*)$ http://myInternalServer/arcgis/services$1
    ProxyPassReverse /arcgis/services http://myInternalServer/arcgis/services

    ProxyPassMatch (?i)^/ArcGIS/rest(.*)$ http://myInternalServer/arcgis/rest$1
    ProxyPassReverse /arcgis/rest http://myInternalServer/arcgis/rest

    ProxyPassMatch (?i)^/ArcGIS/SDK/REST(.*)$ http://myInternalServer/arcgis/sdk/rest$1
    ProxyPassReverse /arcgis/sdk/rest http://myInternalServer/arcgis/sdk/rest

    ProxyPassMatch (?i)^/aspnet_client/(.*)$ http://myInternalServer/aspnet_client/$1
    ProxyPassReverse /aspnet_client/ http://myInternalServer/aspnet_client/

    ProxyPassMatch (?i)^/ArcGIS/tokens(.*)$ http://myInternalServer/arcgis/tokens$1
    ProxyPassReverse /arcgis/tokens http://myInternalServer/arcgis/tokens

    ProxyPassMatch (?i)^/proxyoutput/(.*)$ http://myInternalServer/proxyoutput/$1
    ProxyPassReverse /proxyoutput/ http://myInternalServer/proxyoutput/

    ProxyPassMatch (?i)^/proxycache/(.*)$ http://myInternalServer/proxycache/$1
    ProxyPassReverse /proxycache/ http://myInternalServer/proxycache/

    ProxyPassMatch (?i)^/proxyjobs/(.*)$ http://myInternalServer/proxyjobs/$1
    ProxyPassReverse /proxyjobs/ http://myInternalServer/proxyjobs/



      ArcGIS Server should not be administered from outside the organizational firewall. If manager must be accessed from outside the firewall, add the following additional ProxyPass/Reverse directives, realizing that the manager password will be exposed to possible interception and decryption:



    ProxyPassMatch (?i)^/ArcGIS/Manager(.*)$ http://myInternalServer/arcgis/manager$1
    
    ProxyPassReverse /arcgis/manager http://myInternalServer/arcgis/manager


    (OPTIONAL) Make some service folders accessible only to internal users by adding "!" to the end of a ProxyPassMatch directive. For example, if services in a folder named 'internalOnly' should be seen only by internal users, add the following entries:

    ProxyPassMatch (?i)^/ArcGIS/services/InternalOnly(.*)$  !



    Configuration for ArcGIS Server Java Edition:


    ProxyRequests Off
    

    ProxyPass /arcgis/services http://myInternalServer:8399/arcgis/services
    ProxyPassReverse /arcgis/services http://myInternalServer:8399/arcgis/services

    ProxyPass /arcgis/rest http://myInternalServer:8399/arcgis/rest
    ProxyPassReverse /arcgis/rest http://myInternalServer:8399/arcgis/rest

    ProxyPass /arcgis/sdk/rest http://myInternalServer:8399/arcgis/sdk/rest
    ProxyPassReverse /arcgis/sdk/rest http://myInternalServer:8399/arcgis/sdk/rest

    ProxyPass /arcgis/tokens http://myInternalServer:8399/arcgis/tokens
    ProxyPassReverse /arcgis/tokens http://myInternalServer:8399/arcgis/tokens

    ProxyPass /proxyoutput/ http://myInternalServer:8399/proxyoutput/
    ProxyPassReverse /proxyoutput/ http://myInternalServer:8399/proxyoutput/

    ProxyPass /proxyjobs/ http://myInternalServer:8399/proxyjobs/
    ProxyPassReverse /proxyjobs/ http://myInternalServer:8399/proxyjobs/

    ProxyPass /proxycache/ http://myInternalServer:8399/proxycache/
    ProxyPassReverse /proxycache/ http://myInternalServer:8399/proxycache/




     These directives are all case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, all of the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyPassMatch (?i)^/ArcGIS/services(.*)$ http://myInternalServer:8399/arcgis/services$1
    
    ProxyPassReverse /arcgis/services http://myInternalServer:8399/arcgis/services

    ProxyPassMatch (?i)^/ArcGIS/rest(.*)$ http://myInternalServer:8399/arcgis/rest$1
    ProxyPassReverse /arcgis/rest http://myInternalServer:8399/arcgis/rest

    ProxyPassMatch (?i)^/ArcGIS/SDK/REST(.*)$ http://myInternalServer:8399/arcgis/sdk/rest$1
    ProxyPassReverse /arcgis/sdk/rest http://myInternalServer:8399/arcgis/sdk/rest

    ProxyPassMatch (?i)^/ArcGIS/tokens(.*)$ http://myInternalServer:8399/arcgis/tokens$1
    ProxyPassReverse /arcgis/tokens http://myInternalServer:8399/arcgis/tokens

    ProxyPassMatch (?i)^/proxyoutput/(.*)$ http://myInternalServer:8399/proxyoutput/$1
    ProxyPassReverse /proxyoutput/ http://myInternalServer:8399/proxyoutput/

    ProxyPassMatch (?i)^/proxycache/(.*)$ http://myInternalServer:8399/proxycache/$1
    ProxyPassReverse /proxycache/ http://myInternalServer:8399/proxycache/

    ProxyPassMatch (?i)^/proxyjobs/(.*)$ http://myInternalServer:8399/proxyjobs/$1
    ProxyPassReverse /proxyjobs/ http://myInternalServer:8399/proxyjobs/




     ArcGIS Server should not be administered from outside the organizational firewall. If manager must be accessed from outside the firewall, add the following additional ProxyPass/Reverse directives, realizing that the manager password will be exposed to possible interception and decryption:



    ProxyPassMatch (?i)^/ArcGISManager(.*)$ http://myInternalServer:8099/arcgismanager$1
    
    ProxyPassReverse /arcgismanager http://myInternalServer:8099/arcgismanager



    (OPTIONAL) Make some service folders accessible only to internal users by adding "!" to the end of a ProxyPassMatch directive. For example, if services in a folder named 'internalOnly' should be seen only by internal users, add the following entries:

    ProxyPassMatch (?i)^/ArcGIS/services/InternalOnly(.*)$ !



    b) Save the file and restart the Apache service from the Start > Control Panel > Administrative Tools > Services control panel.


  6. (OPTIONAL) Configure the external Apache Server to reverse proxy requests that use SSL (HTTPS).
    a) Edit the httpd-ssl.conf file in a text editor. By default, this file is located on Windows in C:\Program Files\Apache Group\Apache2\conf\extra\.

    Configure the reverse proxy for ArcGIS Server .NET Edition:


    ProxyRequests Off
    
    ProxyPreserveHost On

    ProxyPass /arcgis/services https://myInternalServer/arcgis/services
    ProxyPassReverse /arcgis/services https://myInternalServer/arcgis/services

    ProxyPass /arcgis/rest https://myInternalServer/arcgis/rest
    ProxyPassReverse /arcgis/rest https://myInternalServer/arcgis/rest

    ProxyPass /arcgis/sdk/rest https://myInternalServer/arcgis/sdk/rest
    ProxyPassReverse /arcgis/sdk/rest https://myInternalServer/arcgis/sdk/rest

    ProxyPass /aspnet_client/ https://myInternalServer/aspnet_client/
    ProxyPassReverse /aspnet_client/ https://myInternalServer/aspnet_client/

    ProxyPass /arcgis/tokens https://myInternalServer/arcgis/tokens
    ProxyPassReverse /arcgis/tokens https://myInternalServer/arcgis/tokens

    ProxyPass /proxyoutput/ https://myInternalServer/proxyoutput/
    ProxyPassReverse /proxyoutput/ https://myInternalServer/proxyoutput/

    ProxyPass /proxyjobs/ https://myInternalServer/proxyjobs/
    ProxyPassReverse /proxyjobs/ https://myInternalServer/proxyjobs/

    ProxyPass /proxycache/ https://myInternalServer/proxycache/
    ProxyPassReverse /proxycache/ https://myInternalServer/proxycache/


    The ProxyPreserveHost setting is needed when Web ADF applications use services with token-based security.

     These directives are all case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, all of the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyRequests Off
    
    ProxyPreserveHost On

    ProxyPassMatch (?i)^/ArcGIS/services(.*)$ https://myInternalServer/arcgis/services$1
    ProxyPassReverse /arcgis/services https://myInternalServer/arcgis/services

    ProxyPassMatch (?i)^/ArcGIS/rest(.*)$ https://myInternalServer/arcgis/rest$1
    ProxyPassReverse /arcgis/rest https://myInternalServer/arcgis/rest

    ProxyPassMatch (?i)^/ArcGIS/SDK/REST(.*)$ https://myInternalServer/arcgis/sdk/rest$1
    ProxyPassReverse /arcgis/sdk/rest https://myInternalServer/arcgis/sdk/rest

    ProxyPassMatch (?i)^/aspnet_client/(.*)$ https://myInternalServer/aspnet_client/$1
    ProxyPassReverse /aspnet_client/ https://myInternalServer/aspnet_client/

    ProxyPassMatch (?i)^/ArcGIS/tokens(.*)$ https://myInternalServer/arcgis/tokens$1
    ProxyPassReverse /arcgis/tokens https://myInternalServer/arcgis/tokens

    ProxyPassMatch (?i)^/proxyoutput/(.*)$ https://myInternalServer/proxyoutput/$1
    ProxyPassReverse /proxyoutput/ https://myInternalServer/proxyoutput/

    ProxyPassMatch (?i)^/proxycache/(.*)$ https://myInternalServer/proxycache/$1
    ProxyPassReverse /proxycache/ https://myInternalServer/proxycache/

    ProxyPassMatch (?i)^/proxyjobs/(.*)$ https://myInternalServer/proxyjobs/$1
    ProxyPassReverse /proxyjobs/ https://myInternalServer/proxyjobs/



      ArcGIS Server should not be administered from outside the organizational firewall. If manager must be accessed from outside the firewall, add the following additional ProxyPass/Reverse directives, realizing that the manager password will be exposed to possible interception and decryption:



    ProxyPassMatch  (?i)^/ArcGIS/Manager(.*)$ https://myInternalServer/arcgis/manager$1
    
    ProxyPassReverse /arcgis/manager https://myInternalServer/arcgis/manager


    (OPTIONAL) Make some service folders accessible only to internal users by adding "!" to the end of a ProxyPassMatch directive. For example, if services in a folder named 'internalOnly' should be seen only by internal users, add the following entries:

    ProxyPassMatch (?i)^/ArcGIS/services/InternalOnly(.*)$ !



    Configure the reverse proxy for ArcGIS Server Java Edition:


    ProxyRequests Off
    

    ProxyPass /arcgis/services https://myInternalServer:8399/arcgis/services
    ProxyPassReverse /arcgis/services https://myInternalServer:8399/arcgis/services

    ProxyPass /arcgis/rest https://myInternalServer:8399/arcgis/rest
    ProxyPassReverse /arcgis/rest https://myInternalServer:8399/arcgis/rest

    ProxyPass /arcgis/sdk/rest https://myInternalServer:8399/arcgis/sdk/rest
    ProxyPassReverse /arcgis/sdk/rest https://myInternalServer:8399/arcgis/sdk/rest

    ProxyPass /arcgis/tokens https://myInternalServer:8399/arcgis/tokens
    ProxyPassReverse /arcgis/tokens https://myInternalServer:8399/arcgis/tokens

    ProxyPass /proxyoutput/ https://myInternalServer:8399/proxyoutput/
    ProxyPassReverse /proxyoutput/ https://myInternalServer:8399/proxyoutput/

    ProxyPass /proxyjobs/ https://myInternalServer:8399/proxyjobs/
    ProxyPassReverse /proxyjobs/ https://myInternalServer:8399/proxyjobs/

    ProxyPass /proxycache/ https://myInternalServer:8399/proxycache/
    ProxyPassReverse /proxycache/ https://myInternalServer:8399/proxycache/




     These directives are all case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, all of the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyPassMatch (?i)^/ArcGIS/services(.*)$ https://myInternalServer:8399/arcgis/services$1
    
    ProxyPassReverse /arcgis/services https://myInternalServer:8399/arcgis/services

    ProxyPassMatch (?i)^/ArcGIS/rest(.*)$ https://myInternalServer:8399/arcgis/rest$1
    ProxyPassReverse /arcgis/rest https://myInternalServer:8399/arcgis/rest

    ProxyPassMatch (?i)^/ArcGIS/SDK/REST(.*)$ https://myInternalServer:8399/arcgis/sdk/rest$1
    ProxyPassReverse /arcgis/sdk/rest https://myInternalServer:8399/arcgis/sdk/rest

    ProxyPassMatch (?i)^/ArcGIS/tokens(.*)$ https://myInternalServer:8399/arcgis/tokens$1
    ProxyPassReverse /arcgis/tokens https://myInternalServer:8399/arcgis/tokens

    ProxyPassMatch (?i)^/proxyoutput/(.*)$ https://myInternalServer:8399/proxyoutput/$1
    ProxyPassReverse /proxyoutput/ https://myInternalServer:8399/proxyoutput/

    ProxyPassMatch (?i)^/proxycache/(.*)$ https://myInternalServer:8399/proxycache/$1
    ProxyPassReverse /proxycache/ https://myInternalServer:8399/proxycache/

    ProxyPassMatch (?i)^/proxyjobs/(.*)$ https://myInternalServer:8399/proxyjobs/$1
    ProxyPassReverse /proxyjobs/ https://myInternalServer:8399/proxyjobs/




     ArcGIS Server should not be administered from outside the organizational firewall. If manager must be accessed from outside the firewall, add the following additional ProxyPass/Reverse directives, realizing that the manager password will be exposed to possible interception and decryption:



    ProxyPassMatch  (?i)^/ArcGISManager(.*)$ https://myInternalServer:8099/arcgismanager$1
    
    ProxyPassReverse /arcgismanager https://myInternalServer:8099/arcgismanager



    (OPTIONAL) Make some service folders accessible only to internal users by adding "!" to the end of a ProxyPassMatch directive. For example, if services in a folder named 'internalOnly' should be seen only by internal users, add the following entries:

    ProxyPassMatch (?i)^/ArcGIS/services/InternalOnly(.*)$ !



    b) Save the file and restart the Apache service from the Start > Control Panel > Administrative Tools > Services control panel.
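The following Python sketch, an added example rather than part of the original article or of ESRI's tooling, replays Apache's first-match-wins evaluation over the ProxyPassMatch directives from step 6 to show which request paths reach myInternalServer. The probe paths and the REST exclusion line are assumptions made for the illustration; the other directives are copied from the article.

```python
import re

# Copied from step 6 of the article (a subset of the Java Edition directives).
GENERAL = """\
ProxyPassMatch (?i)^/ArcGIS/services(.*)$ https://myInternalServer:8399/arcgis/services$1
ProxyPassMatch (?i)^/ArcGIS/rest(.*)$ https://myInternalServer:8399/arcgis/rest$1
ProxyPassMatch (?i)^/ArcGIS/tokens(.*)$ https://myInternalServer:8399/arcgis/tokens$1
"""
SOAP_EXCLUDE = "ProxyPassMatch (?i)^/ArcGIS/services/InternalOnly(.*)$ !\n"
# Assumption, not in the article: the same exclusion for the folder's REST path.
REST_EXCLUDE = "ProxyPassMatch (?i)^/ArcGIS/rest/services/InternalOnly(.*)$ !\n"

# Constructed probe paths (the service name "Parcels" is made up).
SOAP = "/arcgis/services/internalonly/Parcels/MapServer"
REST = "/ArcGIS/rest/services/InternalOnly/Parcels/MapServer"
MANAGER = "/arcgismanager"


def parse_rules(conf_text):
    """Return [(compiled_regex, target)] for each ProxyPassMatch line, in file order."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ProxyPassMatch":
            rules.append((re.compile(parts[1]), parts[2]))
    return rules


def route(rules, path):
    """Apply the first matching rule; None means excluded ('!') or not proxied at all."""
    for regex, target in rules:
        m = regex.search(path)
        if m is None:
            continue
        if target == "!":
            return None
        # Expand $1..$9 backreferences in the backend URL.
        return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", target)
    return None


def shadowed_exclusions(rules, path):
    """Patterns of '!' rules that match path but lose to an earlier proxying rule."""
    hits = [i for i, (regex, _) in enumerate(rules) if regex.search(path)]
    if not hits or rules[hits[0]][1] == "!":
        return []
    return [rules[i][0].pattern for i in hits[1:] if rules[i][1] == "!"]


if __name__ == "__main__":
    layouts = {
        "exclusion appended last": GENERAL + SOAP_EXCLUDE,
        "exclusion first": SOAP_EXCLUDE + GENERAL,
        "SOAP and REST exclusions first": SOAP_EXCLUDE + REST_EXCLUDE + GENERAL,
    }
    for name, conf in layouts.items():
        rules = parse_rules(conf)
        print(name)
        for path in (SOAP, REST, MANAGER):
            print("  %-55s -> %s" % (path, route(rules, path) or "not proxied"))
        for pattern in shadowed_exclusions(rules, SOAP):
            print("  WARNING: exclusion never applies:", pattern)
```

The run shows two things to check in a real httpd-ssl.conf: an exclusion placed after the general /ArcGIS/services rule never takes effect, and an exclusion written only for the SOAP path leaves the same folder reachable through /ArcGIS/rest.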


  7. (OPTIONAL) Configure the token service URLs. If the server has been configured with token-based security, the token service must be made available through the reverse proxy.

    Configure the reverse proxy for ArcGIS Server .NET Edition:

    a) Use a text or XML editor to open the web.config for the REST application. By default, this file is located at C:\Inetpub\wwwroot\ArcGIS\rest.

    b) In the <appSettings> section, set the <TokenServiceURL> to point to the external server name and HTTPS port. For example, https://myExternalServer/ArcGIS/tokens/.

    c) Repeat the above two steps for the web.config files in both C:\Inetpub\wwwroot\ArcGIS\rest\Services and C:\Inetpub\wwwroot\ArcGIS\rest\tokens.


    Configure the reverse proxy for ArcGIS Server Java Edition:

    a) Edit the arcgis_wshandler.properties file for the services application. By default, this file is located in C:\Program Files\ArcGIS\java\web_output\services\WEB-INF\classes.

    b) Find the arcgis.webservices.security.tokenserviceurl property and change the host name to myExternalServer:

    arcgis.webservices.security.tokenserviceurl=http://myExternalServer/arcgis/tokens


    c) Save and close the file.

    d) Edit the security.xml file for the rest application. By default, this file is located in C:\Program Files\ArcGIS\java\web_output\rest\WEB-INF\classes.

    e) Find the 'TokenServiceURL' key and change the host name to myExternalServer:

    <entry key="TokenServiceURL">http://myExternalServer/arcgis/tokens</entry>


    f) Save and close the file.

    g) Restart the ArcGIS Server Manager Service.



  8. The ArcGIS Server Web services (SOAP and REST) may now be accessed by the following URLs:

    SOAP:

    http://myExternalServer/arcgis/services

    REST:

    http://myExternalServer/arcgis/rest/services


     If the site uses SSL, replace the HTTP with HTTPS in the examples above.


     Service URLs for REST services may be obtained by accessing the Services Directory from the external server.


     Only internet connections to ArcGIS Server Web services are possible with these URLs. To administer the ArcGIS Server, connect to the internal server, either using Manager or ArcCatalog.


     For added security, ask a systems administrator to restrict HTTP traffic through the internal firewall to the IP address of the reverse proxy Web server machine. This prevents Internet clients from directly accessing the open internal HTTP port.


     For added security, ask a systems administrator to apply filters to the HTTP traffic emanating from the reverse proxy Web server to restrict known nefarious packet types.

  9. Configure the reverse proxy Web server for each ArcGIS Server Web ADF Application.

    Add an entry in the Apache httpd.conf file (usually located in C:\Program Files\Apache Group\Apache2\conf) for each ArcGIS Server Web ADF application created.

    For .NET:

    For an application named 'myADFApplication' deployed on the ArcGIS Server Web ADF server, add the following two lines to the end of the httpd.conf file:


    ProxyPass /myADFApplication http://myInternalServer/myADFApplication
    
    ProxyPassReverse /myADFApplication http://myInternalServer/myADFApplication



     These directives are case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyPassMatch (?i)^/myADFApplication(.*)$ http://myInternalServer/myADFApplication$1
    
    ProxyPassReverse /myADFApplication http://myInternalServer/myADFApplication



    Save the file and restart the Apache service from the Start > Control Panel > Administrative Tools > Services control panel.

    For Java:

    For an application named 'myADFApplication' deployed on the ArcGIS Server Web ADF server, add the following two lines to the end of the httpd.conf file:


    ProxyPass /myADFApplication http://myInternalServer:8399/myADFApplication
    
    ProxyPassReverse /myADFApplication http://myInternalServer:8399/myADFApplication



     These directives are case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyPassMatch (?i)^/myADFApplication(.*)$ http://myInternalServer:8399/myADFApplication$1
    
    ProxyPassReverse /myADFApplication http://myInternalServer:8399/myADFApplication



    Save the file and restart the Apache service from the Start > Control Panel > Administrative Tools > Services control panel.


    (OPTIONAL) For SSL enabled applications:
    Add an entry in the Apache httpd-ssl.conf file (usually located in C:\Program Files\Apache Group\Apache2\conf\extra) for each ArcGIS Server Web ADF application created that will use HTTPS.

    For .NET:

    For an application named 'myADFApplication' deployed on the ArcGIS Server Web ADF server, add the following two lines to the end of the httpd-ssl.conf file:


    ProxyPass /myADFApplication https://myInternalServer/myADFApplication
    
    ProxyPassReverse /myADFApplication https://myInternalServer/myADFApplication



     These directives are case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyPassMatch (?i)^/myADFApplication(.*)$ https://myInternalServer/myADFApplication$1
    
    ProxyPassReverse /myADFApplication https://myInternalServer/myADFApplication



    Save the file and restart the Apache service from the Start > Control Panel > Administrative Tools > Services control panel.

    For Java:

    For an application named 'myADFApplication' deployed on the ArcGIS Server Web ADF server, add the following two lines to the end of the httpd-ssl.conf file:


    ProxyPass /myADFApplication https://myInternalServer:8399/myADFApplication
    
    ProxyPassReverse /myADFApplication https://myInternalServer:8399/myADFApplication



     These directives are case-sensitive. To cover all cases, consider adding more directives to handle other case combinations. If using Apache 2.2.5 or later, the above case-sensitive ProxyPass/ProxyPassReverse directives can be replaced with the new case-insensitive ProxyPassMatch directives shown below.



    ProxyPassMatch (?i)^/myADFApplication(.*)$ https://myInternalServer:8399/myADFApplication$1
    
    ProxyPassReverse /myADFApplication https://myInternalServer:8399/myADFApplication



    Save the file and restart the Apache service from the Start > Control Panel > Administrative Tools > Services control panel.
  10. (OPTIONAL) Author and publish new ArcGIS Server Web ADF Applications using Manager or the IDE that works with the reverse proxy server.

    When authoring a new ArcGIS Server Web ADF Application, use the new external service URLs shown in step 8 when specifying Internet services to add to the application.

    After creating a new application, add its URL to the Apache httpd.conf file as shown in step 9.


  11. (OPTIONAL) Edit pre-existing ArcGIS Server Web ADF applications initially authored with services using internal URLs.

    Web applications created with services referenced by internal URLs do not work outside an organization’s firewall. To convert the applications to work with the reverse proxy Web server, they must be edited manually.

    a) Configure the ArcGIS Server Web application on the internal Web server.

    For .NET:

    (1) Open the Web application in Visual Studio, Visual Web Developer Express, or other development environment. If such a tool is not available, a text editor may be used to edit pages, but edit the page exactly as directed below.

    (2) Open the Web page that contains Web ADF controls. In ASP.NET applications, the page to edit is named Default.aspx.

    (3) Change the URLs used for each service in each resource manager control to refer to the external URL for the service. For the MapResourceManager control, the ResourceItems contain one or more resources. Open the properties of each resource and find the URL of the service. If it points to an ArcGIS Internet source, change the URL to use the external server; for example:

    http://myExternalServer/arcgis/services

     If the firewall prevents HTTP connections from the internal computer to the external Web server, the browse button (...) in the Resource Definition Editor may not list services. In this case, manually change the URL to reference the external Web server.


    Use the following page as a reference when setting the resource URLs:
    Using the MapResourceManager control

    (4) Save the file.

    (5) If other Web pages in the application contain ESRI Web controls, repeat (2) through (4) for each of these pages.

    (6) Rebuild and, if required, redeploy the application.

    For Java:

    The best approach for applications deployed into the embedded Web server using the Manager Web application is to recreate them following the procedures in step 11.


     This step can only be performed on Web applications that are exported and deployed to a third-party Web application server.

    1) In the directory where the Web application is deployed, navigate to the WEB-INF directory.

    2) Edit the 'faces-config.xml' file. Search for the 'endPointURL' property and change its internal URL value to the new external URLs established in step 3 above. For example, if the original URL is http://myInternalServer:8399/MyServices/MapServer, change the lines to http://myExternalServer/MyServices/MapServer. See example below:

    Before:

    <managed-property>
    
    <property-name>endPointURL</property-name>
    <value>http://myInternalServer:8399/MyServices/MapServer</value>
    </managed-property>


    After:

    <managed-property>
    
    <property-name>endPointURL</property-name>
    <value>http://myExternalServer/MyServices/MapServer</value>
    </managed-property>


    3) If the Web application server is configured to automatically reload applications after changes are made, the Web application works with the reverse proxy server the next time it is accessed. Otherwise, the Web application server should be restarted.
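The faces-config.xml edit above is easy to leave half done when an application has several resources. The Python sketch below, an added example that is not part of the article or of ArcGIS Server, lists every endPointURL that still names an internal host or a private address and proposes the external form; the sample XML, the bean names and the audit_endpoints helper are constructed for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed faces-config.xml fragment modelled on the "Before" snippet above.
# Bean names, the 10.1.2.22 entry and the already-converted entry are made up.
FACES_CONFIG = """\
<faces-config>
  <managed-bean>
    <managed-bean-name>mapResource</managed-bean-name>
    <managed-property>
      <property-name>endPointURL</property-name>
      <value>http://myInternalServer:8399/MyServices/MapServer</value>
    </managed-property>
  </managed-bean>
  <managed-bean>
    <managed-bean-name>geocodeResource</managed-bean-name>
    <managed-property>
      <property-name>endPointURL</property-name>
      <value>http://10.1.2.22:8399/MyServices/GeocodeServer</value>
    </managed-property>
  </managed-bean>
  <managed-bean>
    <managed-bean-name>convertedResource</managed-bean-name>
    <managed-property>
      <property-name>endPointURL</property-name>
      <value>http://myExternalServer/MyServices/OtherMapServer</value>
    </managed-property>
  </managed-bean>
</faces-config>
"""


def local(tag):
    """Strip an XML namespace prefix such as {http://...}managed-property."""
    return tag.rsplit("}", 1)[-1]


def is_internal(host, internal_hosts):
    """True for a listed internal host name or any private/loopback IP literal."""
    if host in {h.lower() for h in internal_hosts}:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # an ordinary host name that is not on the internal list


def audit_endpoints(xml_text, internal_hosts, external_host):
    """Return [(current_url, suggested_url)] for endPointURL values that point inside."""
    findings = []
    for prop in ET.fromstring(xml_text).iter():
        if local(prop.tag) != "managed-property":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in prop}
        if fields.get("property-name") != "endPointURL":
            continue
        url = urlsplit(fields.get("value", ""))
        if url.hostname and is_internal(url.hostname, internal_hosts):
            # Keep scheme, path and query; drop the internal host and its port.
            fixed = urlunsplit((url.scheme, external_host, url.path, url.query, ""))
            findings.append((fields["value"], fixed))
    return findings


if __name__ == "__main__":
    for old, new in audit_endpoints(FACES_CONFIG, {"myInternalServer"}, "myExternalServer"):
        print("internal endpoint:", old, "->", new)
```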


    b) Configure the reverse proxy Web server for the ArcGIS Server Web ADF Application edited in a) following the instructions in step 9.

    c) Test the Web site to ensure it works from the Internet.

    (1) Open a Web browser on a computer, using the Internet outside the organization's network, if possible. Testing it from the perimeter network on a computer different from the external server also works.

    (2) Enter the URL of the external server and the Web site name. For example, if the Web site name configured above is myADFApplication, the URL would be:

    http://myExternalServer/myADFApplication

    (3) If there are any errors, or the site does not load completely, recheck that all settings have been made as instructed.

    Troubleshooting tips:

    • If the site does not load at all (page-not-found, 404 error), check the proxy settings as covered in section (b) of this step.

    • If the basic page outline loads, but no map appears or script errors are displayed, check that the Web page has the settings for ESRI Web controls as instructed in section (a) of this step.

    • If the page outline loads and no script errors occur, but no map loads, the map configuration may be incorrect. Test whether it is possible to preview the map service from the external server using one of the three methods below:

    Use ArcGIS Desktop (ArcCatalog, ArcMap) installed outside the organization's firewall or on the perimeter network.

    Use ArcGIS Desktop from the internal network if internal users can contact the external server (myExternalServer). Use Desktop in either case to connect to the services on myExternalServer: use the Add-data button, expand GIS Servers, double-click Add ArcGIS Server, and add the server as an ArcGIS Internet server using the URL as in the step above, "The ArcGIS Server Web services (SOAP and REST) may now be accessed...".

    Load the following URLs into a browser:

    http://myExternalServer/arcgis/services?wsdl
    http://myExternalServer/arcgis/services/myArcGISservice/MapServer?wsdl

    Change the second URL to match a service on your system. These should load an XML (WSDL) document. If these methods fail to connect to the service, then recheck the proxy settings in step 5 as well as the directory settings in steps 2 and 3.

    • (IIS7/Application Request Routing only) If a list of services can be obtained for a server in ArcCatalog or Manager, but any request to obtain details for a service or display a service fails, check that the URL Rewrite rule created for the services directory has its match type set to Wildcard, not Regular Expressions.


    Repeat (a) through (c) for each Web application on the internal server that needs to be available to external users.

     Some organizations do not allow internal users to connect to the organization's external servers. In this case, it may be necessary to create two versions of the Web application: one for internal and one for external users.




Created: 12/8/2008
Last Modified: 12/8/2010


Comments

By patrickdeelman - 07/22/2011 6:18 AM

I followed the article’s instructions, but experienced another problem. I’ve provided details below.

When trying to figure out some reverse proxy rules of my own, I started using the RewriteRule statements. Using RewriteRules I can take advantage of the RewriteLog (so I can debug and log the rewrites if needed). These are my collected rules over the past time.

First, I only include one ProxyPassReverse at the end as:

ProxyPassReverse / http://SRV_X

This way I assume that everything coming back from the server should be rewritten as is, which is usually fine. Also note that I skipped the trailing /; in some lines this is included and adds an additional / to the returning URL and sometimes (really rare actually) introduces some additional issues with web viewers.

I definitely want some security so as not to allow external users on the manager page, and warn them while at it.

RewriteRule ^/arcgis/manager(|/.*) /noaccess.html [nocase,last]

I rewrote the (.*) as (|/.*) so as to match the following: nothing, or a / followed by 0 or more characters. This way I can 404 any string that follows manager without the /.

Next, the arcgisoutput/jobs/cache directories. I leave them intact as the services will all be available, just being lazy here. Replace where needed with the proxy equivalents.

RewriteRule ^/((arcgiscache|arcgisoutput|arcgisjobs)(|/.*))$ http://1.2.3.4/$1 [nocase,proxy,last]

Next, I only want to allow /arcgis/rest and /arcgis/services to pass as I don't necessarily need the other virtual directories.

RewriteRule ^/(arcgis/rest(|/.*))$ http://1.2.3.4/$1 [nocase,proxy,last]
RewriteRule ^/(arcgis/services(|/.*))$ http://1.2.3.4/$1 [nocase,proxy,last]

Let's say I want to secure specific services but allow both the rest and the service itself. I leave you to figure out the inner workings ;-)

RewriteRule ^/((ArcGIS/(|rest/)services/SERVICENAME)(|/.*))$ http://128.2.1.127/$1 [nocase,proxy,last]

Or secure a service with an Apache authentication; you will need a LocationMatch first. In this case use:


By Anonymous - 03/15/2011 8:23 AM

I have suggested related resources/links that can enhance this article. See below.

We (SysAdmin) maintain a few Apache-based reverse proxies for ArcGIS. We found we were encountering 502 errors from time to time. This stemmed from the Checkpoint firewalls having a 3600 second session timeout, whereas Apache leaves backend connections open "indefinitely". The solution was to configure the ProxyPass directives with the keepalive=On directive, and then to configure the underlying Linux OS with net.ipv4.tcp_keepalive_time set to 60 (via sysctl). -rvandolson@esri.com


By Anonymous - 02/11/2010 10:29 AM

The article needs to be updated.

In step 8 the SOAP URL should read http://myexternalserver/arcgis/services?wsdl


By Anonymous - 01/05/2010 1:05 PM

The article needs to be updated.

The article can be more useful if the information regarding Step G) Configure support for SSL (https) is complete.

1) For Apache running in a Windows environment, the path to the certificate in the httpd-ssl.conf file should be double-quoted.
2) The value for the SSLSessionCache directive should also be double-quoted.
3) Provide the path to the SSLCertificateChainFile as well if it is provided from the CA.
4) Remove the passphrase from the key because Apache on Windows does not support encrypted keys.
5) If the communication between the external server and internal server supports SSL, then the SSLProxyEngine should be turned on by inserting the following directive into the httpd-ssl.conf file within the directive:

# SSL Proxy Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLProxyEngine on
......


By Anonymous - 04/02/2009 11:49 AM

I followed the article’s instructions, but experienced another problem. I’ve provided details below.

We have followed the instructions provided in this article to create a proxy (in Apache) with our ArcGIS Server 9.3 install. The instructions worked great for our map services with one exception. When we query the map using the javascript 1.2 or 1.3 API no results are returned. We have not yet figured out the resolution to this problem. When we kick off a query we simply get back: dojo.io.script error Error: timeout exceeded dojoType=timeout message=timeout exceeded


By Anonymous - 03/13/2009 10:18 AM

I followed the article’s instructions, but experienced another problem. I’ve provided details below.

When reverse proxying SSL services in Apache, it is important to make the link between Apache and ArcGIS Server also secure, firstly because the traffic may traverse the network unencrypted. Secondly, because J2EE app servers like Tomcat and WebLogic will not write out SOAP documents in a sensible way. For example, if your Apache HTTPS server proxies to http://localhost:8399/arcgis, the client makes a request to https://server/arcgis, but the WSDL response will contain a URL like https://server:8399/arcgis, which is not only the wrong port, but the wrong protocol for that port anyway. Clients using this application-level redirection will break. In order to correctly proxy the secured URL, Apache must act as an SSL client. This requires several things:

1) SSLProxyEngine on
This will enable the SSL Proxy Engine. Add other optional security directives such as the following (which was specified by our security auditor):
SSLProxyProtocol all -SSLv2
SSLProxyCipherSuite HIGH:MEDIUM

2) SSLProxyMachineCertificateFile /path/to/machineCert.pem
This is the keypair Apache will use as a client. To create it, you can simply cat the private key and the public certificate together into a single file. Be sure this file is not world-readable, same as the Apache private key file.

3) ProxyPass /arcgis https://127.0.0.1:8343/arcgis
ProxyPassReverse /arcgis https://127.0.0.1:8343/arcgis
This of course is the reverse proxy.

4) To specify one's own keypair for Tomcat's SSL port 8343, the only luck I had was in creating a new Java keystore, with a password of "tomcat", with a single key whose alias is "tomcat", with a key password of "tomcat". I was able to use the same keypair that Apache uses by using a Java GUI tool called Portecle (on SourceForge) to import the machineCert from step 2. Just make sure that server.xml and the tomcat.keystore file are both non-world-readable.
