Web Adaptor Reverse Proxy functionality in DMZ

VernonWoods · ‎12-05-2012

We???re setting up ArcGIS for Server 10.1 web adaptors and realizing that the reverse proxy functionality provided by the web adaptors only applies to the GIS Server Services and NOT to other GIS server web paths where the front end viewers (Silverlight and JavaScript) might reside.
Our planned model involves hosting Silverlight and JavaScript viewer apps on only one of our intranet ArcGIS web servers, and have those viewer apps accessible by Internet customers via a reverse proxy in our DMZ. We thought the web adapter provided this functionality but that doesn???t appear to be the case.

Can anyone confirm that we still need install additional reverse proxy functionality such as the URL rewrite and ARR that we used with our ArcGIS Server 10.0 reverse proxy? I don???t find updated instructions or information regarding this for 10.1

Thank you for any information you can provide

Anonymous User · ‎12-06-2012

Vernon,

While there are various techniques to expose your web apps from behind your firewall, I would go as far to say you are required a reverse proxy or url rewrite solution of one type or another if your not opening up between your external/internal directly (which i suspect you will not want to do). AGS web adaptor is purposely for handling its service service requests only.

Brad

View solution in original post

Anonymous User · ‎12-06-2012

Vernon,

While there are various techniques to expose your web apps from behind your firewall, I would go as far to say you are required a reverse proxy or url rewrite solution of one type or another if your not opening up between your external/internal directly (which i suspect you will not want to do). AGS web adaptor is purposely for handling its service service requests only.

Brad

PeterBuwembo · ‎12-12-2012

Yes, Brad is right, you will need the reverse proxy again with 10.1. Unless the server where the web adaptor is installed has access to the outside.
Configure the WA so that you can reach ArcGIS server through http://<server_name>/arcgis instead of going through the local port
6080 or 6443. Now since you had a reverse proxy configuration in 10.0 already, the rules in place should all you to access ArcGIS server from outside your domain if the URL formation is the same

Ex: If you were accessing the REST end point through
http://Reverse_proxy/arcgis/rest/services then this rule will still work with 10.1

Good luck.

VernonWoods · ‎12-21-2012

Thank you Brad and Pete for your responses.

I�??m not sure I adequately explained the crux of our question.
We can/did have a web adapter installed on a DMZ/proxy server that led to the Internet. We could use the web adapter as a reverse proxy to gain access into AGS services (via web e.g. http://server1.domain.gov/arcgis/rest/services), however that is not how our external customers will typically consume our services. They will use a viewer front end provided by us (Silverlight for example). While the Silverlight viewer front-end resides on an internal AGS server and can be accessed over http �?? it isn�??t clear how to configure the DMZ web adapter to provide reverse proxy to web paths that don�??t reside under the �?�/arcgis/ path on the internal AGS servers. For example, the Silverlight application might reside at http://server1.domain.gov/viewers/SL_app1.htm but the web adapter doesn�??t provide proxy to that path by default and we don�??t see any configuration options in the web adapter to provide customized forwarding rules. The other option we considered is that the viewer front-ends need to reside under the ../arcgis/ path on the internal AGS servers but we don�??t find any instructions/information regarding how to integrate/register the viewers into the AGS site. �??Server directories�?� (jobs,cache etc) creation doesn�??t appear to provide a place/type designed to host viewer files. A test of manually creating a new web directory underneath the ../arcgis/ directory on an internal AGS server didn�??t work. The web adapter failed to forward web requests directed to a test path that housed Silverlight viewer software underneath a created http://server1.domain.gov/arcgis/SLtestDir Silverlight test directory.
So our conclusion is that in order to provide reverse proxy into our viewer front-ends we need include a non-ESRI url rewrite/ARR functionality on the proxy server either in addition to or instead of the web adapter. We are looking for confirmation of this conclusion because we�??ve had other agencies tell us that they believe as long as we are using an ESRI provided viewer such as Silverlight or JavaScript that we can use the web adapter as the reverse proxy. Unfortunately no one can explain how that would be implemented.

I hope this helps clarify our specific question.
Thank you,