restrict webadaptor services directory access

Jayanta, that doesn't work if you have the rest end point disabled, you get the error

you can add  ?f=pjson to the end to get a listing, e.g.     http://<servername>:6080/arcgis/rest/?f=pjson

But it's not the nice formatting that you would like and you can't access the javascript view direct.  We have our public services directory disabled for external use (per esri recommended steps for security).  The other option is just looking at it in catalog, but the services directory is a very handy too.  I too would like to be able to shut it off externally (i.e. web adapter) but keep it open with the <server:6080>..  I haven't looked to see if anyone has this in the ideas page yet.  Have you Duarte?

Edit:  fixed typo.  added sample link.  formatted.

Hi Rebecca,

Although the AGS help states to disable the services directory to prevent someone from finding and accessing your services, however if you have services intended for public use disabling the directory may not be the route you want to take. Instead, I would recommend securing the applicable services and/or folders via ArcGIS Server Manager which in turn prevents them from appearing in the services directory. I hope this helps

Thank you

Andy

Hi Andy,

Thanks for the insight.  I agree, but working with our network services a while back and trying to convince them we needed the SSL cert and port, they kind of got stuck on us needing to everything that was recommended in the various documents. At the time it was easier to do this than to argue that it was a maybe overkill.  But having it disabled is of course an inconvenience for us too, not just the public.  So I will probably also rethink this although sometimes I still want the rest endpoint to not be viewable even if it is a public (not secure) service.

So, for me, I would still like to have the fine tuning of having the web adapter version being blocked, but the internal machinename:6080 be viewable.  There is a case for both.  I think that is what Duarte is asking for too.  That would be the best of both worlds/environments.

Rebecca that's exactly what i'm looking for. It seems that disabling the rest dir may have been an afterthought. It doesn't make much sense as it is. Maybe there is a way to block the rest dir in the web.config of the webadaptor...

​

Rebecca, it seems so... but I still have hopes that asp.net configuration could provide a solution...

Didn't have time yet to test but maybe there's a way:

security - How to restrict folder access in asp.net - Stack Overflow

or

Use Request Filtering : The Official Microsoft IIS Site

But I'm afraid these block everything under the directory level, so all requests to all mapservices will be cut off... not sure though.

For me, I would  rather have a direct solution thru AGS. I don't think our network services folks would be happy with tweaking iis outside of their standard, so probably won't mess with either suggestion, .but if you find a solution, I'll be interested in what you figure out.

Duarte,

It don't know that we talked about this yet, but, although you can'tt see the (javascript) map, etc, you can see most of the folder/service info if you have admin rights thru

https://<servername>:6443/arcgis/admin/services

or

http://<servername>:6080/arcgis/admin/services

Depending on whether you have https, even if you have the rest service directory disabled.  You would have to be able to log in with admin privileges to see anything, but it will also list the secure folders and services. I had forgot about that option until I needed it this morning. .