HOW TO

Set up a reverse proxy with ArcGIS 10.1 for Server on IIS ARR with SSL

Last Published: April 25, 2020

Summary

Note:
The content in this article pertains to ArcGIS versions 10.1. Later versions of ArcGIS may contain different functionality, as well as different names and locations for menus, commands and geoprocessing tools.

The instructions provided describe how to set up a reverse proxy with ArcGIS 10.1 for Server on Internet Information Services (IIS) Application Request Routing (ARR) with Secure Sockets Layer (SSL).

Note:
For guidance on setting up a standard reverse proxy without SSL, see How To: Set up a reverse proxy with ArcGIS 10.1 for Server on IIS ARR

Procedure

The following architecture is described in this document:

[O-Image] Architecture

For an HTTPS/SSL architecture to function with ArcGIS for Server with IIS ARR, SSL must be deployed end-to-end. Furthermore, IIS ARR requires a trusted certificate to exist between ARR and the web endpoint it connects to, otherwise it will return a security error and refuse to route to the back-end server, in this case the Web Adaptor.

  1. Configure Back-End ArcGIS Server Site
[O-Image] Step 1
  1. Deploy ArcGIS Server Site onto AGSHOST.DOMAIN.COM.
  2. Configure ArcGIS Server to use SSL as defined in Enabling SSL Using the Self Signed Certificate.
  1. Enable SSL on ISS
[O-Image] Step 2
  1. Deploy IIS 7.5 onto WAHOST.<DOMAIN>.COM. (This is the machine the Web Adaptor will be installed on.)
  2. Install a Trusted Certificate on the IIS server and configure HTTPS binding for the website. For more information see How to Setup SSL on IIS or visit Microsoft Support
Note:
It is not enough to configure a self-signed certificate for this server. IIS ARR must trust the certificate of any back-end servers it routes to. An example of how to set up a trusted certificate for IIS within the Esri network is shown below. Customers should seek help from their IT department or Microsoft Support on how to deploy a trusted certificate on their IIS server.

Setting Up a Trusted Certificate for IIS within an Esri Network

  1. Open ISS > Server Certificates > Create Domain Certificate.
  2. Specify Identifying Values for the server.
  3. Specify Online Certificate Authority: ESRI Enterprise Root\REDSRVRFRCA.empty.local
  4. Friendly Name: WAHOST.DOMAIN.COM
  5. Click OK.
  6. Open IIS > Default Website > Bindings.
    • Type: https
    • IP address: All Unassigned
    • Port: 433
    • SSL Certificate: WAHOST.DOMAIN.COM
  7. Click OK.
  1. Deploy and Configure Web Adaptor
[O-Image] Step 3
  1. Deploy ArcGIS Web Adaptor onto WAHOST.DOMAIN.COM as outlined in ArcGIS Server Web Adaptor for IIS.
    • Example path for Web Adaptor: WEBADAPTORURL (default=arcgis)
  2. Configure the Web Adaptor.
  3. Open URL: https://WAHOST.DOMAIN.COM/WEBADAPTORURL/WebAdaptor (This path is https://yourserver/arcgis/webadaptor by default.)
    • GIS Server URL: https://AGSHOST.DOMAIN.COM:6443
    • Other values are a matter of preference.
[O-Image] Web Adaptor
  1. Deploy IIS with SSL and ARR
[O-Image] Step 4
  1. Install IIS 7.5 on the public-facing server.
  2. Install a Trusted Certificate on the IIS server and configure HTTPS binding for the website. For more information see How to Setup SSL on IIS or visit Microsoft Support
Note:
IMPORTANT: Though you may use a self-signed certificate here, doing so will cause all clients to throw certificate errors when connecting to your server. This is not the experience that most organizations want to present to their clients. An example of how to set up a trusted certificate for IIS within the Esri Network is shown below. Customers should seek help from their IT Department or Microsoft Support on how to deploy a trusted certificate on their IIS server. 
Setting Up a Trusted Certificate for IIS within an Esri Network
  1. Open IIS > Server Certificates > Create Domain Certificate
  2. Specify Identifying Values for the server.
  3. Specify Online Certificate Authority: ESRI Enterprise Root\REDSRVERFRCA.empty.local
  4. Friendly Name: ARRHOST.DOMAIN.COM
  5. Click OK.
  6. Open IIS > Default Website > Bindings
    • Type: https
    • IP address: All Unassigned
    • Port: 443
    • SSL Certificate: ARRHOST.DOMAIN.COM
  7. Click OK.
  1. Install ISS Application Request Routing.
  1. Configure IIS ARR
[O-Image] Step 5
  1. Open IIS Manager.
  2. Right-click Server Farms and select Create Server Farm
[O-Image] ISS Manager
  1. Complete the Create Server Farm Wizard.
    • Example farm name: AGSFARM (This value is arbitrary.)
  2. Add server addresses.
    • Example server address: WAHOST.DOMAIN.COM (This must match the FQDN of the web adaptor host.)
  1. Define ARR Routing Rules
[O-Image] Step 5
  1. In IIS Manager under Server Farms, locate the newly created server farm and open Routing Rules. Reboot the server if the options shown below are unavailable.
[O-Image] AAR Routing Rules
  1. From the Advanced Routing Menu, click URL Rewrite
  2. Select and disable all inbound and outbound rules
  3. In the Actions menu, select Add Rule(s) > Inbound Rules > Blank Rule
  4. In Edit Inbound Rule, complete the form as described below.
    • Under Name: AGSRTRULE (This value is arbitrary)
    • Under Match URL: Requested URL: Matches the Pattern
    • Using: Wildcards
    • Pattern: *WEBADAPTORPATH*
    • Check Ignore case
    • Under Conditions: No values here.
    • Under Server Variables: No values here
    • Under Action: Action Type: Route to Server Farm
    • Action Properties - Scheme: http://
    • Server farm: AGSFARM (This value must match the farm name created in Step 3.)
    • Path: /{R:0}
    • Check Stop processing of subsequent rules
[O-Image] Edit Inbound Rule
  1. Set the WebContextURL Property
[O-Image] Step 7
  1. Open http://localhost:6080/arcgis/admin/system/properties/update
  2. Add the value below
Code:
{
"WebContextURL": "http://WAHOST.ESRI.COM/WEBADAPTORPATH"
}
  1. Save and close.

Supportability
Though there may be other methods of employing IIS/ARR with SSL as a reverse proxy/load balancer for ArcGIS 10.1 for Server, this is the method Esri Support provides guidance for and uses to test reported bugs. Customers seeking help using alternative methods of deploying IIS/ARR with ArcGIS for Server will be instructed to use this workflow and/or be directed to Esri Professional Services for a more tailored/customized deployment architecture.

Article ID:000011689

Software:
  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options