How To: Set up a reverse proxy with ArcGIS 10.1 for Server on IIS ARR with SSL

Summary

The instructions provided describe how to set up a reverse proxy with ArcGIS 10.1 for Server on Internet Information Services (IIS) Application Request Routing (ARR) with Secure Sockets Layer (SSL).


Note:
For guidance on setting up a standard reverse proxy without SSL, see How To: Set up a reverse proxy with ArcGIS 10.1 for Server on IIS ARR

Procedure

The following architecture is described in this document:
[O-Image] Architecture
For an HTTPS/SSL architecture to function with ArcGIS for Server with IIS ARR, SSL must be deployed end-to-end. Furthermore, IIS ARR requires a trusted certificate to exist between ARR and the web endpoint it connects to; otherwise, it returns a security error and refuses to route to the back-end server, in this case the Web Adaptor.

Step 1 - Configure Back-End ArcGIS Server Site


[O-Image] Step 1
A. Deploy ArcGIS Server Site onto AGSHOST.DOMAIN.COM.

B. Configure ArcGIS Server to use SSL as defined in Enabling SSL Using the Self Signed Certificate.

Step 2 - Enable SSL on IIS


[O-Image] Step 2
A. Deploy IIS 7.5 onto WAHOST.<DOMAIN>.COM. (This is the machine the Web Adaptor will be installed on.)

B. Install a Trusted Certificate on the IIS server and configure HTTPS binding for the website. For more information see How to Setup SSL on IIS or visit Microsoft Support.

Note:
It is not enough to configure a self-signed certificate for this server. IIS ARR must trust the certificate of any back-end servers it routes to. An example of how to set up a trusted certificate for IIS within the Esri network is shown below. Customers should seek help from their IT department or Microsoft Support on how to deploy a trusted certificate on their IIS server.


Setting Up a Trusted Certificate for IIS within an Esri Network

i. Open IIS > Server Certificates > Create Domain Certificate.
ii. Specify Identifying Values for the server.
iii. Specify Online Certificate Authority: ESRI Enterprise Root\REDSRVRFRCA.empty.local
iv. Friendly Name: WAHOST.DOMAIN.COM
v. Click OK.
vi. Open IIS > Default Website > Bindings.
• Type: https
• IP address: All Unassigned
• Port: 443
• SSL Certificate: WAHOST.DOMAIN.COM
vii. Click OK.

Step 3 - Deploy and Configure Web Adaptor


[O-Image] Step 3
A. Deploy ArcGIS Web Adaptor onto WAHOST.DOMAIN.COM as outlined in ArcGIS Server Web Adaptor for IIS.
• Example path for Web Adaptor: WEBADAPTORURL (default=arcgis)

B. Configure the Web Adaptor.

C. Open URL: https://WAHOST.DOMAIN.COM/WEBADAPTORURL/WebAdaptor (This path is https://yourserver/arcgis/webadaptor by default.)
• GIS Server URL: https://AGSHOST.DOMAIN.COM:6443
• Other values are a matter of preference.


[O-Image] Web Adaptor

Step 4 - Deploy IIS with SSL and ARR


[O-Image] Step 4
A. Install IIS 7.5 on the public-facing server.

B. Install a Trusted Certificate on the IIS server and configure HTTPS binding for the website. For more information see How to Setup SSL on IIS or visit Microsoft Support.

Note:
IMPORTANT: Though you may use a self-signed certificate here, doing so will cause all clients to throw certificate errors when connecting to your server. This is not the experience that most organizations want to present to their clients. An example of how to set up a trusted certificate for IIS within the Esri Network is shown below. Customers should seek help from their IT Department or Microsoft Support on how to deploy a trusted certificate on their IIS server.


Setting Up a Trusted Certificate for IIS within an Esri Network

i. Open IIS > Server Certificates > Create Domain Certificate.
ii. Specify Identifying Values for the server.
iii. Specify Online Certificate Authority: ESRI Enterprise Root\REDSRVERFRCA.empty.local
iv. Friendly Name: ARRHOST.DOMAIN.COM
v. Click OK.
vi. Open IIS > Default Website > Bindings.
• Type: https
• IP address: All Unassigned
• Port: 443
• SSL Certificate: ARRHOST.DOMAIN.COM
vii. Click OK.

C. Install IIS Application Request Routing.
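
A check for the trust requirement described above, to run from the ARR host once it exists: it connects to the Web Adaptor's HTTPS binding and reports whether Windows trusts the certificate and whether it matches the host name. This is an added example, not Esri's or Microsoft's code; the function name Test-BackendCertificateTrust is hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example; run on the ARR host. The default host name is the page's placeholder.
function Test-BackendCertificateTrust {
    param(
        [string]$HostName = 'WAHOST.DOMAIN.COM',
        [int]$Port = 443
    )
    $state = @{ Errors = $null; Chain = @() }
    # Let the handshake complete even when validation fails, but record what
    # Windows reported so an untrusted or mismatched certificate is visible.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($source, $cert, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name is checked against the certificate
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = "${HostName}:$Port"
            Subject      = $leaf.Subject
            Issuer       = $leaf.Issuer
            SelfSigned   = ($leaf.Subject -eq $leaf.Issuer)
            NotAfter     = $leaf.NotAfter
            PolicyErrors = $state.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
            ChainStatus  = ($state.Chain -join ', ')
            Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
# Trust is evaluated with the certificate stores visible to the account running the script.
# A root that exists only in your CurrentUser store passes here but is not in
# LocalMachine\Root, so confirm the issuing CA is installed machine-wide.
# Usage: Test-BackendCertificateTrust -HostName 'WAHOST.DOMAIN.COM' | Format-List
```

A result with Trusted = False and SelfSigned = True corresponds to the self-signed case the Step 2 note rules out.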

Step 5 - Configure IIS ARR


[O-Image] Step 5
A. Open IIS Manager.

B. Right-click Server Farms and select 'Create Server Farm'.
[O-Image] IIS Manager
C. Complete the Create Server Farm Wizard.
• Example farm name: AGSFARM (This value is arbitrary.)

D. Add server addresses.
• Example server address: WAHOST.DOMAIN.COM (This must match the FQDN of the web adaptor host.)


Step 6 - Define ARR Routing Rules


[O-Image] Step 5
A. In IIS Manager under Server Farms, locate the newly created server farm and open ARR Routing Rules. Reboot the server if the options shown below are unavailable.
[O-Image] ARR Routing Rules
B. From the Advanced Routing Menu, click URL Rewrite.

C. Select and disable all inbound and outbound rules.

D. In the Actions menu, select Add Rule(s) > Inbound Rules > Blank Rule.

E. In Edit Inbound Rule, complete the form as described below.

Name
• Name: AGSRTRULE (This value is arbitrary.)

Match URL
• Requested URL: Matches the Pattern
• Using: Wildcards
• Pattern: *WEBADAPTORPATH*
• Check 'Ignore case'

Conditions
No values here.

Server Variables
No values here.

Action
• Action Type: Route to Server Farm
• Action Properties - Scheme: http://
• Action Properties - Server farm: AGSFARM (This value must match the farm name created in Step 5.)
• Action Properties - Path: /{R:0}
• Check 'Stop processing of subsequent rules'
[O-Image] Edit Inbound Rule
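
The farm from Step 5 and the rule from Step 6 are stored in applicationHost.config. The added example below (not part of the original article) parses those sections and cross-checks that each routing rule points at a defined farm, listing the farm's servers and the scheme used toward the back end. Get-ArrRouteSummary is a hypothetical name, the XML is a constructed sample built from the page's example values, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example. $sample is a constructed stand-in for the sections Steps 5 and 6 populate.
$sample = @'
<configuration>
  <webFarms>
    <webFarm name="AGSFARM" enabled="true">
      <server address="WAHOST.DOMAIN.COM" enabled="true" />
    </webFarm>
  </webFarms>
  <system.webServer>
    <rewrite>
      <globalRules>
        <rule name="AGSRTRULE" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*WEBADAPTORPATH*" />
          <action type="Rewrite" url="http://AGSFARM/{R:0}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
'@
function Get-ArrRouteSummary {
    param([Parameter(Mandatory = $true)][xml]$Config)
    $farms = @{}   # farm name -> server addresses (keys are case-insensitive)
    foreach ($farm in $Config.SelectNodes('/configuration/webFarms/webFarm')) {
        $farms[$farm.GetAttribute('name')] = @($farm.SelectNodes('server') | ForEach-Object { $_.GetAttribute('address') })
    }
    foreach ($rule in $Config.SelectNodes('/configuration/system.webServer/rewrite/globalRules/rule')) {
        $action = $rule.SelectSingleNode('action')
        $match  = $rule.SelectSingleNode('match')
        if (-not $action -or -not $match) { continue }
        if ($action.GetAttribute('url') -match '^(?<scheme>[a-z]+)://(?<farm>[^/]+)') {   # scheme://farm/path
            [pscustomobject]@{
                Rule           = $rule.GetAttribute('name')
                Enabled        = ($rule.GetAttribute('enabled') -ne 'false')
                Pattern        = $match.GetAttribute('url')
                StopProcessing = ($rule.GetAttribute('stopProcessing') -eq 'true')
                BackendScheme  = $Matches['scheme']
                Farm           = $Matches['farm']
                FarmDefined    = $farms.ContainsKey($Matches['farm'])
                Servers        = ($farms[$Matches['farm']] -join ', ')
            }
        }
    }
}
Get-ArrRouteSummary -Config $sample | Format-List
# Live file: Get-ArrRouteSummary -Config (Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
```

FarmDefined = False means the rule's action names a farm that does not exist, which is the mismatch the Step 6 farm-name requirement guards against.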

Step 7 - Set the WebContextURL Property


[O-Image] Step 7
A. Open http://localhost:6080/arcgis/admin/system/properties/update.

B. Add the value below:

Code:
{
"WebContextURL": "http://WAHOST.ESRI.COM/WEBADAPTORPATH"
}

C. Save and close.

Supportability

Though there may be other methods of employing IIS/ARR with SSL as a reverse proxy/load balancer for ArcGIS 10.1 for Server, this is the method Esri Support provides guidance for and uses to test reported bugs. Customers seeking help using alternative methods of deploying IIS/ARR with ArcGIS for Server will be instructed to use this workflow and/or be directed to Esri Professional Services for a more tailored/customized deployment architecture.
