Configure a portal to use a reverse proxy server

A reverse proxy server is a computer deployed within a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet) that handles requests from the internet and forwards them to the machines in your internal network. Because the reverse proxy server forwards requests on behalf of those machines, it masks the identity of the machines behind your organization's firewall and protects them from being attacked directly by internet users. Additional security functions can be implemented in the reverse proxy server to further protect your internal network from outside users.

If your reverse proxy server supports a health check function, you can use the Portal for ArcGIS health check endpoint to determine whether the portal is available to receive requests. This is useful for quickly determining whether there's a software or hardware failure in the site. For more information, see the portal Health Check topic in the ArcGIS REST API.

Caution:

The configuration detailed in this topic must be performed before federating any ArcGIS Server site with your ArcGIS Enterprise portal. Unfederating an ArcGIS Server site has several significant consequences and is not easily undone. To learn more, see Administer a federated server.

Add Portal for ArcGIS to a reverse proxy server

Before adding Portal for ArcGIS to your organization's reverse proxy server, you must complete the following:

  • Configure HTTPS (HTTP and HTTPS or HTTPS-only) on the reverse proxy server. Portal for ArcGIS requires HTTPS for some communication. Consult the product documentation for your proxy server to learn how to set up HTTPS.
    Note:

    Portal for ArcGIS does not support SSL offloading through a reverse proxy server/load balancer. Therefore, if your configuration uses a reverse proxy server, it must forward traffic to either the ArcGIS Web Adaptor or directly to Portal for ArcGIS over HTTPS.

  • Configure ArcGIS Web Adaptor with your portal if your portal will use Integrated Windows Authentication. Portal for ArcGIS requires the use of ArcGIS Web Adaptor for this purpose, and this will allow the reverse proxy server to communicate with your portal correctly. For full instructions, see the configuration topics for IIS, Java (Windows), or Java (Linux).

Verify that the proxy server supports gzip encoding and is configured to allow the Accept-Encoding header. This header allows HTTP 1.1 responses to be compressed using gzip encoding. For example, if the header is allowed, a request to load Map Viewer will return a compressed response of approximately 1.4 MB to the browser. If the header is not allowed or is ignored, the request will return an uncompressed response of approximately 6.8 MB to the browser. If your network speed is slow, it may take a long time for Map Viewer to load if responses are not compressed. Esri recommends that you allow this header as part of your reverse proxy server configuration.

Add ArcGIS Web Adaptor to proxy server directives

After configuring ArcGIS Web Adaptor with Portal for ArcGIS, ArcGIS Web Adaptor can be used with your organization's reverse proxy server by adding the components directly to proxy server directives. For example, if you're using Apache as a reverse proxy server, you need to add ArcGIS Web Adaptor to the ProxyPass directives in the Apache web server configuration file httpd.conf:

ProxyPass /webadaptorname https://webadaptorhost.domain.com/webadaptorname
ProxyPassReverse /webadaptorname https://webadaptorhost.domain.com/webadaptorname

The ProxyPass directives must match the name designated for ArcGIS Web Adaptor (/webadaptorname in the sample above). If the URL to your site does not end with the default string /arcgis, specify the nondefault name of ArcGIS Web Adaptor (for example, /myorg).

Add an X-Forwarded-Host header to your proxy

In the load configuration of the reverse proxy server, set an X-Forwarded-Host header. Portal for ArcGIS expects to see this property set in the header sent by the reverse proxy and will return responses whose URLs match the reverse proxy server's URL. For example, a request to the Portal for ArcGIS REST endpoint (https://reverseproxy.domain.com/arcgis/sharing/rest) will be returned to the client as the same URL. If the property is not set, Portal for ArcGIS may return the URL of the internal machine where the request was directed (for example, https://portal.domain.com/arcgis/sharing/rest instead of https://reverseproxy.domain.com/arcgis/sharing/rest). This is problematic because clients will not be able to access this URL (commonly noted as a browser 404 error). It also exposes some information about the internal machine to the client.
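One way to verify the behavior described above after setting the header is to scan responses received through the reverse proxy for URLs that still name an internal machine. The following is an added example, not Esri code; the host names and port 7443 come from this topic's sample URLs, and the response bodies (including the "self" key) are constructed for illustration rather than real portal output.

```python
import re
from urllib.parse import urlsplit

# Host names and port taken from this topic's example URLs; replace with your own.
INTERNAL_HOSTS = {"portal.domain.com", "webadaptorhost.domain.com"}
INTERNAL_PORTS = {7443}
URL_RE = re.compile(r"""https?://[^\s"'<>\\]+""", re.IGNORECASE)
URL_HEADERS = {"location", "content-location", "link"}

def find_internal_urls(headers, body):
    """Return URLs in one HTTP response that point at an internal machine."""
    texts = [v for k, v in headers.items() if k.lower() in URL_HEADERS]
    texts.append(body.replace("\\/", "/"))  # JSON may escape slashes as \/
    leaked = []
    for text in texts:
        for url in URL_RE.findall(text):
            try:
                parts = urlsplit(url)
                host, port = (parts.hostname or "").lower(), parts.port
            except ValueError:  # malformed host or port; nothing to compare
                continue
            internal = host in INTERNAL_HOSTS or port in INTERNAL_PORTS
            if internal and url not in leaked:
                leaked.append(url)
    return leaked

# Constructed sample responses (not real portal output) for a request to
# https://reverseproxy.domain.com/arcgis/sharing/rest
WITH_HEADER = (
    {"Content-Type": "application/json"},
    '{"self": "https://reverseproxy.domain.com/arcgis/sharing/rest"}',
)
WITHOUT_HEADER = (
    {"Location": "https://portal.domain.com/arcgis/sharing/rest"},
    '{"self": "https:\\/\\/portal.domain.com:7443\\/arcgis\\/sharing\\/rest"}',
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("X-Forwarded-Host set", WITH_HEADER),
                                ("X-Forwarded-Host missing", WITHOUT_HEADER)):
        print(label, "->", find_internal_urls(hdrs, body) or "clean")
```
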

Set the WebContextURL property

The portal's WebContextURL property helps it construct the correct URLs on all resources it sends to the end user.

Note:

If you do not use ArcGIS Web Adaptor in your deployment, be sure that the reverse proxy server's context name only goes one URL level deep. For example, you can have a reverse proxy URL such as https://proxy.domain.com/enterprise, but you cannot have a reverse proxy URL such as https://proxy.domain.com/myorg/enterprise.

Do the following to change the WebContextURL:

  1. Open a web browser and sign in to the ArcGIS Portal Directory as a member of the default administrator role in your portal organization. The URL is formatted https://portal.domain.com:7443/arcgis/portaladmin.
  2. Click System > Properties > Update Properties.
  3. On the Update System Properties dialog box, insert the following JSON, substituting your own reverse proxy server or DNS alias URL as seen by users outside your organization's firewall.
    {
       "WebContextURL": "https://reverseproxy.domain.com/enterprise"
    }
    Note:

    You cannot use a nonstandard port (that is, a port other than 443) when setting the WebContextURL property.

  4. Click Update Properties.
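
The two notes in this section (port 443 only, and a context name one URL level deep when ArcGIS Web Adaptor is not used) can be checked before the JSON is pasted into the Update System Properties dialog box. The following is an added example, not Esri code; the function names and the uses_web_adaptor parameter are hypothetical, and the URLs are the samples from this topic.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def check_web_context_url(url, uses_web_adaptor=True):
    """Return a list of problems with a candidate WebContextURL (empty if none)."""
    parts = urlsplit(url)
    if not parts.hostname:
        return ["not an absolute URL with a host name"]
    try:
        explicit_port = parts.port
    except ValueError:
        return ["port is not a valid number"]
    problems = []
    # No explicit port means the scheme default, so plain http resolves to 80.
    port = explicit_port if explicit_port is not None else DEFAULT_PORTS.get(parts.scheme)
    if port != 443:
        problems.append(f"effective port is {port}; only 443 can be used")
    # Without ArcGIS Web Adaptor the context name may be only one level deep.
    segments = [s for s in parts.path.split("/") if s]
    if not uses_web_adaptor and len(segments) > 1:
        problems.append(f"context /{'/'.join(segments)} is {len(segments)} levels deep")
    return problems

def update_properties_json(url, uses_web_adaptor=True):
    """Build the JSON for the dialog box, refusing URLs that break the rules."""
    problems = check_web_context_url(url, uses_web_adaptor)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"WebContextURL": url}, indent=2)

if __name__ == "__main__":
    for candidate in ("https://reverseproxy.domain.com/enterprise",
                      "https://proxy.domain.com/myorg/enterprise",
                      "https://reverseproxy.domain.com:8443/enterprise",
                      "http://reverseproxy.domain.com/enterprise"):
        print(candidate, "->", check_web_context_url(candidate, uses_web_adaptor=False) or "ok")
```
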

Redo administrative tasks

Once you've configured the reverse proxy server with your portal, you access your portal through the reverse proxy server URL instead of the ArcGIS Web Adaptor URL. Anything you access in the portal website or the ArcGIS Portal Directory will return the reverse proxy server URL.

The following administrative tasks should be redone using the reverse proxy server URL:

If you've previously added secured services as items in your portal, you'll need to delete the original items and add them again. This is because the original items use the ArcGIS Web Adaptor URL instead of the reverse proxy server URL. For instructions, see Connect to secure services.