Redirect HTTP to HTTPS using Web Adaptor

MikeSchonlau · ‎10-29-2017

I may be missing something in the documentation, but I cannot figure out how to redirect requests over port 80 to automatically redirect to my https-configured web adaptor. I can currently get to https://domain/webadaptor/rest, but do not get redirected to that url when going to http://domain/webadaptor/rest. I've tried setting up a rule in IIS with URL Rewrite, but no dice. Any advice on how to set this up? I am probably missing something obvious here because it seems like almost any organization would want this to happen. Users can't be expected to type in http:// everytime.

Thank in advance

Mike

MichaelRobb · ‎11-07-2017

My guess is that would not solve knowing that installing the Web adaptor changes IIS settings, specifically the REQUIRE SSL setting which would interfere with URL Rewrite (redirect).

I've provided an extraction out of my documentation step by step which should get Michael up and running.

CarlosColón-Maldonado · ‎11-28-2017

The whole purpose of the web adaptor is so that ports may be omitted on URLs when browsed from a client browser. Using the port is actually by-passing the web adaptor, and being unable to reach the server using the port from a client browser would likely indicate that the network policies are presenting it.

Given the pic above, your server can only be reached via HTTPS, i.e., port 6443. If you want to change that, you'd have to change the security settings via https://<server>:6443/arcgis/admin on the server:

Otherwise, to get to the server's service directory (if not disabled), you'd have to browse to https://<server>/arcgis/rest/services WITHOUT a :6443 port designation from a client browser.

MikeSchonlau · ‎11-28-2017

I am not using any ports in my url. This discussion was about the automatic behind-the-scenes http-to-https redirect. We use either http://domain/webadaptor/rest or https://domain/webadaptor/rest. ArcGIS Server is set to HTTPS only.

MichaelRobb · ‎11-30-2017

Hi Carlos,

Though this discussion had nothing to do with direct access to ArcGIS Server (ports - which are 6443/6080 by default - if your savvy can be changed to any port you want), I'd like to clarify some information.

Carlos Colón-Maldonado wrote:
The whole purpose of the web adaptor is so that ports may be omitted on URLs when browsed from a client

wrong.

The web adaptor allows integrating a web server with a GIS Site (remember, a site can have multiple GIS Machines / nodes). A web adaptor forwards calls to your ArcGIS Server nodes and will check your site to see removed or added machines.

A web adaptor also allows exposing the GIS Servers through the standard website port (80/443). Since this is a web standard, these ports are not visible from a clients perspective, but they are still there.

The web adaptor also provides the ability to restrict Desktop ArcGIS Server users from Admin and Publishing access.

And very important, the web adaptor allows leveraging enterprise security from a web-tier level.

using IWA (integrated windows authentication) MUST use a web adaptor on a web server level, the web adaptor WA (windows authentication) - e.g. NTLM or Kerberos PASSES these credentials to ArcGIS Server for all secure services. ArcGIS Server identity store would be tied to Active Directory (for example). This means, only traffic through the web adaptor can only see locked secure services with valid credentials... even if the user had access directly to arcgis server using port (e.g. 6443 - going around the web adaptor)- they would get an unauthorized response because ArcGIS Server is expecting valid credentials from traffic through the web adaptor.