Skip To Content

Using a forward proxy server with Portal for ArcGIS

A forward proxy server is a computer on your LAN that allows you to connect outside the network without compromising the security of your internal network. Use of a forward proxy server is very common in perimeter networks (also known as demilitarized zones [DMZ] or screened subnets) to protect the identity of internal machines. If your organization uses a forward proxy server to connect externally, you can configure Portal for ArcGIS to use your forward proxy server.

  1. Open a web browser and sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is formatted as https://portal.domain.com:7443/arcgis/portaladmin.
  2. Click System > Properties > Update Properties.
  3. In the Update System Properties dialog box, insert the following JSON, substituting your forward proxy server information:
    {
        "httpProxyHost": "forwardproxy.domain.com",
        "httpsProxyHost": "forwardproxy.domain.com",
        "httpProxyPort": 80,
        "httpsProxyPort": 443,
        "nonProxyHosts": ""
    }
    • If your forward proxy server is configured to exclusively use HTTPS, remove all http properties from the JSON.

    • If you want to federate ArcGIS Server with your portal or the site does not require use of the forward proxy server, list the server machine or site in the nonProxyHosts property. Machine and domain items are separated using a pipe (|), for example:

      "nonProxyHosts": "localhost|machine012.domain.com|*.domain.com"

  4. Click Update Properties.

Portal for ArcGIS is now configured to use your forward proxy server.

A forward proxy server can either tunnel encrypted traffic or it can decrypt and then re-encrypt traffic. If Portal for ArcGIS does not appear to be working correctly with the forward proxy, then it's likely that the proxy server is decrypting and re-encrypting traffic. A proxy server that decrypts traffic will use a root certifying authority to present certificates. Portal for ArcGIS will not trust the root certifying authority by default, so you must import the certificate into the portal. See Configuring the portal to trust certificates from your certifying authority for details.