What are the issues to consider when accessing ArcGIS Enterprise from Field apps and ArcGIS Pro through Identity-Aware Proxies?

Answer

Many organizations want to carefully secure their software and applications while simultaneously expanding access and enabling work-from-home, mobile device access, and field data collection. To provide external network access, ArcGIS Enterprise 11.0 and prior supports the use of device VPNs and transparent reverse proxies.

One increasingly common method that is currently not supported is use of an Identity-Aware Proxy (IAP) to front ArcGIS Enterprise. An IAP is a software or hardware application or device that authenticates incoming requests before reverse-proxying traffic to a backend application such as ArcGIS Enterprise, hosted inside a corporate network or cloud environment. In this scenario you may find that access through a web browser works, but native mobile apps, ArcGIS Pro, and similar applications fail to connect.

Examples of IAP technology

• F5 BIG-IP APM
• Google Cloud IAP
• Azure Active Directory Application Proxy
• Citrix NetScaler
• Oracle Access Manager

Note:
Several of the above providers also offer similarly named transparent reverse proxies that can be used in a supported configuration and should not be confused with the IAP offerings.

While transparent reverse proxies, or load balancers, which forward external traffic directly to configured endpoints, are broadly supported and in use by many ArcGIS Enterprise deployments, the Identity Aware Proxy pattern is currently not supported for use when connections are made from Esri mobile applications (for example, Field Maps, Survey123), embedded applications (for example, ArcGIS Maps for PowerBI), or desktop applications (ArcGIS Pro and ArcMap/ArcCatalog). This is due to the way that authentication to the IAP is handled as an additional layer on top of ArcGIS Enterprise security.
While Esri is investigating options to support these patterns in the future, this pattern is not currently supported for these client applications. Web applications directly accessed from a browser, on a desktop or mobile device, may work and may be sufficient for an organization’s requirements.

Potential Error Messages

• Survey123 for ArcGIS may return an error message of “Invalid response from host” when attempting to add an ArcGIS Enterprise deployment secured through an Identity Aware Proxy.
• ArcGIS Pro may return an error “Unable to establish connection to <portal_url>”
• ArcGIS Field Maps may return an error “Connection Error” when attempting to add a connection to ArcGIS Enterprise.
• When sending an HTTP request to https://<externalhostname>/<contextname>/portal/sharing/rest?f=json, a HTTP 302 redirect may be returned instead of valid JSON, which will redirect the user to a login page of some type. This indicates an Identity Aware Proxy may be in place.