Portal access in the field - VPN?

05-06-2014 07:38 PM
DominiqueBerger
New Contributor II
Hi everyone

I have recently set up Portal in-house on one of our internal servers and it is running nicely. We have been playing with Collector (which you obviously can only use with AGOL or Portal), and in order to be able to connect to our Portal through Collector in the field we have been using VPN on our mobile devices.

The use of VPN is not widely supported by our IT dept, due to their security concerns (I am not exactly sure what security concerns they have) and they were wondering if there is any other solution to connect to our internal Portal whilst not connected to our network. There is obviously the solution of working in a disconnected session whilst out in the field, however then we don't get the real-time updates as data is being captured.

I would be really interested to hear how others are running their Portal/Collector setup for mobile data capture.

Thanks very much
Dominique
8 Replies
TrevorHart1
New Contributor III
One of our customers is using Microsoft TMG/UAG to access Portal remotely from the internet. It works fine even on tablets etc.

Unfortunately it is not compatible with Collector or the ArcGIS App.
PaulDavidson1
Occasional Contributor III

In Sept 2012, Microsoft dropped support for TMG and in Dec 2014 (or was it 2013?) said:

“We will continue to provide maintenance and support for Forefront UAG through the standard Microsoft support lifecycle, with mainstream support continuing through April 14, 2015 and extended support continuing through April 14, 2020.”

Probably fine to continue using it but perhaps not the best choice for a new implementation?

GISSupport3
Occasional Contributor III
The following MAY give your IT people some ideas:
http://www.wiki.gis.com/wiki/index.php/System_Design_Strategies
glennhazelton
Occasional Contributor III

Did you find a VPN client for the iPad that works with Collector?

LarryStout
Occasional Contributor III

We use NetMotion in Hamilton County.  They have clients for iOS and Android.  I have tested them on my iPhone 6 and on an older iPad and they work well.

glennhazelton
Occasional Contributor III

Larry, thanks for answering.

Can you describe the policy you have set up for VPN?

Right now our policy limits VPN to remote desktop connection.

So I can't use the VPN to connect to our internal Esri Portal site.

I am guessing that would have to allow access via 443 (HTTPS).

But I don't know much about this network/VPN stuff.

LarryStout
Occasional Contributor III

I'm in the same boat.  Nearly everything I know about networking is what I've heard over the cube wall from our network guys.

NetMotion requires its own server.  We initially got it so that people with laptops would be restricted to our network whenever they have an Internet connection.  They still have access to the Internet, but not to sites that are blocked by our filters.  I won't name names, but we have lots of people who wear uniforms and drive county vehicles with laptops.

Our policy is (I think) to have NetMotion on all county laptops.  Early on, I discovered I couldn't get on a lot of hotel, airport, and other public sites because NetMotion would not let my browser open their page as my home page.  I'll leave out the ugly details, but they eventually gave me permissions through the NetMotion Server to bypass NetMotion.  As soon as I agree to terms and conditions, I can reconnect to NetMotion and be on our county network.

Our Flex Viewer and WAB Viewer point to both our public and non-public ArcGIS Servers.  When I connect to NetMotion with my iPhone, I can see the layers on our non-public server.  Otherwise, I can't.  Magic.

PaulDavidson1
Occasional Contributor III

VPN is the preferred way to tunnel into the firewalls from the DMZ.

I'm having trouble figuring out how your security guys would say they have security concerns over VPN unless they just don't want any holes punched in the firewalls period.  (Or don't want the headaches of running a VPN server.)

Obviously any route from the DMZ past the firewalls is a potential security breach.

If you can avoid DMZ <-> Intranet then you're lucky but good luck with that in today's world!

The more recent VPN connections that I've used that had acceptable or better performance were done using VPN devices that came from the same company used in our network.  I.e., using Cisco switches, etc... use a Cisco VPN product.  I don't know if that's a requirement or just that with enterprise stuff it's way easier and less of a headache to stay single solution as much as you can.

We have a lot of iPads & iPhones with Cisco's AnyConnect on them and it seems to work fine.

However, we have not used Collector (yet.)  Just the stock Esri ArcGIS iOS app and Esri Explorer.
