Many organizations want to carefully secure their software and applications while simultaneously expanding access and enabling work-from-home, mobile device access, and field data collection. To provide external network access, ArcGIS Enterprise 11.0 and earlier support the use of device VPNs and transparent reverse proxies.
One increasingly common method that is currently not supported is the use of an Identity-Aware Proxy (IAP) to front ArcGIS Enterprise. An IAP is a software or hardware application or device that authenticates incoming requests before reverse-proxying traffic to a backend application, such as ArcGIS Enterprise, hosted inside a corporate network or cloud environment. In this scenario you may find that access through a web browser works, but native mobile apps, ArcGIS Pro, and similar applications fail to connect.
Note: Several of the above providers also offer similarly named transparent reverse proxies that can be used in a supported configuration and should not be confused with the IAP offerings.
Transparent reverse proxies, or load balancers, which forward external traffic directly to configured endpoints, are broadly supported and in use by many ArcGIS Enterprise deployments. The Identity-Aware Proxy pattern, however, is currently not supported when connections are made from Esri mobile applications (for example, Field Maps, Survey123), embedded applications (for example, ArcGIS Maps for Power BI), or desktop applications (ArcGIS Pro and ArcMap/ArcCatalog). This is because authentication to the IAP is handled as an additional layer on top of ArcGIS Enterprise security.
While Esri is investigating options to support these patterns in the future, this pattern is not currently supported for these client applications. Web applications directly accessed from a browser, on a desktop or mobile device, may work and may be sufficient for an organization’s requirements.
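To tell which of the two proxy patterns described above sits in front of a deployment, the following added example (not Esri code) classifies what a client expecting JSON receives when it requests a REST `info?f=json` resource without first signing in to the proxy. The host names and sample responses are constructed, and the premise that an IAP answers such a request with a redirect, a login page, or a denial is an assumption of this example rather than something the article states.

```python
import json
from urllib.parse import urlparse

def classify(status, headers, body, backend_host):
    """Describe what a JSON-expecting client received for an info?f=json request."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        # A relative Location has no hostname and stays on the backend host.
        target = urlparse(hdrs.get("location", "")).hostname
        if target and target.lower() != backend_host.lower():
            return "redirected_off_host"   # sign-in flow on another host
        return "redirect_same_host"        # e.g. path or scheme normalisation
    if status in (401, 403):
        return "blocked_before_json"       # denied, no REST JSON was served
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if status == 200 and isinstance(doc, dict) and "authInfo" in doc:
        return "arcgis_json"               # REST info document reached the client
    if "html" in hdrs.get("content-type", "").lower():
        return "html_instead_of_json"      # interstitial or login page
    return "unrecognised"

# Constructed sample responses (hypothetical hosts, not captured traffic).
HOST = "gis.example.com"
SAMPLES = {
    "transparent proxy": (200, {"Content-Type": "application/json"},
        '{"authInfo": {"isTokenBasedSecurity": true, '
        '"tokenServicesUrl": "https://gis.example.com/portal/sharing/rest/generateToken"}}'),
    "redirect to IdP": (302, {"Location": "https://login.example.net/authorize"}, ""),
    "login page": (200, {"Content-Type": "text/html; charset=utf-8"},
        "<html><body><form action='/signin'></form></body></html>"),
    "denied": (403, {"Content-Type": "text/plain"}, "Forbidden"),
    "https upgrade": (301, {"Location": "https://gis.example.com/portal/"}, ""),
}

def run_samples():
    """Classify every constructed sample against the expected backend host."""
    return {name: classify(s, h, b, HOST) for name, (s, h, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} -> {verdict}")
```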