English

How To: Configure ArcGIS Server for firewalls and NAT devices

Summary

Most secure networks are behind firewalls that block as many inbound ports as possible. To allow ArcGIS Server to communicate through a firewall, it is necessary to open a range of inbound ports for DCOM communication. Instructions provided describe the DCOM port allocation process for ArcGIS Server, show how to force Windows to use a small range of ports for DCOM communication, suggest an initial location and range of ports to use for ArcGIS Server, and address configurations using DCOM-unfriendly network address translation (NAT) firewalls and routers.

Warning:
ESRI does not recommend or support firewalls or NAT devices between ArcGIS Server DCOM components. ESRI can provide only limited assistance with firewall and NAT issues encountered with ArcGIS Server.

Procedure

******************************
DCOM Port Allocation for ArcGIS Server
******************************

Each Windows process that serves DCOM objects communicates over a randomly assigned port in the range from 1024-65535. Additionally, the Windows Service Control Manager (SCM) listens to port 135 and directs incoming interface pointer requests to the port hosting the process serving the DCOM object associated with the pointer. Because ArcGIS Server Object Manager (SOM) and each ArcGIS Server Object Container (SOC) are processes that serve DCOM objects, the minimum ArcGIS Server port requirements are:

- Port 135 on the SOM machine for SCM redirection of ADF Web Application calls to the SOM.

- A randomly assigned port above port 1024 on the SOM machine (for ADF Web Application and Web services calls to the SOM process).

- Port 135 on each SOC machine for SCM redirection of ADF Web Application, Web services, and SOM calls to each SOC.

- Randomly assigned ports above port 1024 for each SOC process on the SOC machine (for ADF Web Application, Web services and SOM calls to each SOC process). Ports are also necessary for all hidden processes, such as the SDM and logging managers and Geoprocessing Synchronization instances that run as SOC processes.

- A buffer of randomly assigned ports above port 1024 for the anticipated number of Engine contexts that might be created (depends on the application).

- A buffer of ports for other processes on the machine that use DCOM.


Communication on port 667 (by default) is also required for the link to the primary domain controller (PDC) on Unix/Linux versions of ArcGIS Server prior to 9.2.

**************************
Limiting DCOM to a Range of Ports
**************************

It is possible to configure DCOM so it only uses a specific range of ports that are open on the firewall. The ports remain randomly allocated, but are within the range that was set. Detailed instructions for specifying a range of ports for DCOM for Windows 2000 or XP (not necessary for Unix/Linux) can be found in the following Microsoft Knowledge Base article:

How To Restrict TCP/IP Ports on Windows 2000 and Windows XP

********************************************
ESRI Recommendation for ArcGIS Server DCOM Port Range
********************************************

On Windows, other applications, such as SQL Server (1024-5000) often use ports less than 5000. Therefore, ESRI suggests configuring DCOM to start the port range from 5000.

It is important to remember that the DCOM port range to be set must also accommodate other DCOM applications or services running on your machine. IIS, for example, requires a minimum of five DCOM ports. The need for DCOM connections must be balanced with the need to narrow the exposed port range for security. If DCOM ports run out, the applications may fail. It is also important to note that other non-DCOM applications may fail if their port requirements conflict with the assigned DCOM port-range.

For example, for a typical dual CPU dual-core machine with all ArcGIS Server components hosting a Geoprocessing service with 16 instances, the number of required ports would be:

- 1 for Port 135
- 1 for SOM
- 1 for SDM manager
- 1 for Logging manager
- 32 for the 16 Geoprocessing Service instances (each Geoprocessing Service has a hidden associated instance for synchronizing geoprocessing results)
- 10 ports as buffer for the anticipated number of Engine contexts that might be created (depends on the application)
- 10 ports as a buffer for other processes on the machine that use DCOM

This totals 56, so the port range that must be opened for this example is from 5000 to 5056.

Increase this number as the number of anticipated SOC processes on your machine increases.

The port requirements for Unix/Linux ArcGIS Server prior to 9.2 must also include port 667 for communication with the PDC.

*****************************
Using ArcGIS Server with NAT devices
*****************************

DCOM requires an exact IP address map between the client and server and it
stores the raw IP address in the interface that marshals communication packets. It does not work if the packet traverses a network address translation (NAT) router or firewall. A commonly used solution in this scenario is to deploy a Reverse Proxy on a Web server in a perimeter network or 'Demilitarized Zone' (DMZ) to tunnel requests for Web applications and services residing on a Web server in the secure network through the secure network firewall. ArcGIS Web applications and services on the Web server in the secure network can then freely send DCOM requests to the AGS Server also in the secure network. Only an HTTP port (use something other than 80) through the firewall is required for this configuration. For more information on Reverse Proxy configuration options with ArcGIS Server, see the article "Configure a reverse proxy server system architecture with ArcGIS Server" in the Related Information section below.

Related Information