Using a forward proxy server with ArcGIS Server

A forward proxy server is a computer on your LAN that allows you to connect outside the network without compromising the security of your internal network. Use of a forward proxy server is very common in perimeter networks (also known as demilitarized zones [DMZ] or screened subnets) to protect the identity of internal machines. While most ArcGIS Server services do not need to connect outside of the network, the PrintingTools service or custom geoprocessing services may need to access external web services. If your organization uses a forward proxy server to connect externally, you need to configure ArcGIS Server to use your forward proxy server.

The standard way to configure a forward proxy server is through the use of the http_proxy environment variable. If this is already configured for the ArcGIS Server account, there are no additional steps for you to perform. To configure this environment variable and define the forward proxy server, edit the init_user_param.sh script in the <ArcGIS Server installation directory>/arcgis/server/usr directory. To do so, follow these steps:

  1. Open the init_user_param.sh script in a text editor.
  2. Locate the line export http_proxy=http://<user name>:<password>@<proxy-server-name.domain.org>:<port number>/, and modify the sample URL to match the name and port number of your forward proxy server. If a user name and password are required to connect to your forward proxy server, specify the user name and password parameters in the URL. If a user name and password are not required, delete the <user name>:<password>@ text from the URL.
  3. Optionally, you can use the no_proxy environment variable to specify a list of domains for which the default proxy is not required. To use this variable, uncomment the line export no_proxy="<local>;*.<domain>.<com>", and add entries to this list. The wildcard character * and <local> can be used when specifying the domain. Each entry must be separated by a semicolon (;).
  4. Save and close the init_user_param.sh script.
  5. For your settings to take effect, you need to restart ArcGIS Server. You can do this by running the startserver.sh script on each GIS server in your deployment.

ArcGIS Server is now configured with the forward proxy server settings specified in the init_user_param.sh script.

A forward proxy server can either tunnel encrypted traffic or it can decrypt and then re-encrypt traffic. If ArcGIS Server does not appear to be working correctly with the forward proxy, then it's likely that the proxy server is decrypting and re-encrypting traffic. A proxy server that decrypts traffic will use a root certifying authority to present certificates. ArcGIS Server will not trust the root certifying authority by default, so you must import the certificate into the operating system certificate store. You can do this by following the steps below.

  1. Place the root certificate in a location where ArcGIS Server has the correct file permissions to read it.
  2. On the machine hosting ArcGIS Server, open the init_user_param.sh script in a text editor by browsing to the <ArcGIS Server installation directory>/arcgis/server/usr directory.
  3. Locate the line export CA_ROOT_CERTIFICATE_DIR=<Location_to_CA_Root_Certificate> and specify a location where all CA root certificates are stored on the system. Note that the specified directory needs to be accessible by the account that was used to install ArcGIS Server. You'll need to uncomment the lines by removing the pound sign (#) characters.
  4. Save and close the init_user_param.sh script.
  5. Restart ArcGIS Server. You can do this by running the startserver.sh script on each machine in your site.
  6. Repeat these steps for each machine in your ArcGIS Server site.
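
After editing init_user_param.sh for both procedures above (http_proxy and CA_ROOT_CERTIFICATE_DIR), a check like the following can be run as the ArcGIS Server account. It is an added example, not Esri code: the function name audit_proxy_config, the finding names and the sample file contents are constructed for illustration. It flags proxy credentials stored in a script that other local users can read, unedited placeholders, and a CA directory the account cannot use.

```shell
#!/bin/sh
# Added example (not Esri code): audit the proxy lines of init_user_param.sh.
# Run as the ArcGIS Server account. Finding names are illustrative.
audit_proxy_config() {
    f=$1
    # Read only active (uncommented) export lines; the last one wins.
    proxy=$(sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}http_proxy=//p' "$f" | tail -n 1 | tr -d "\"'")
    cadir=$(sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}CA_ROOT_CERTIFICATE_DIR=//p' "$f" | tail -n 1 | tr -d "\"'")
    if [ -z "$proxy" ]; then
        echo "HTTP_PROXY_NOT_SET"
    else
        case $proxy in *'<'*) echo "PLACEHOLDER_NOT_REPLACED" ;; esac
        # user:password@ in the authority part means a secret is stored in this file.
        authority=${proxy#*://}
        authority=${authority%%/*}
        case $authority in
            *:*@*)
                echo "CREDENTIALS_IN_URL"
                # The script now holds a secret: other local users should not read it.
                case $(ls -ld "$f" | cut -c1-10) in
                    ???????r??) echo "FILE_READABLE_BY_OTHERS" ;;
                esac ;;
        esac
    fi
    if [ -n "$cadir" ]; then
        if [ ! -d "$cadir" ] || [ ! -r "$cadir" ] || [ ! -x "$cadir" ]; then
            echo "CA_DIR_NOT_ACCESSIBLE"
        else
            n=0
            for c in "$cadir"/*; do
                if [ -f "$c" ] && [ -r "$c" ]; then n=$((n + 1)); fi
            done
            if [ "$n" -eq 0 ]; then echo "CA_DIR_EMPTY"; fi
        fi
    fi
    return 0
}

# Constructed sample (not a real deployment): credentials in the URL, mode 644,
# and a CA directory that does not exist.
demo=$(mktemp -d)
cat > "$demo/init_user_param.sh" <<'EOF'
#export no_proxy="<local>;*.<domain>.<com>"
export http_proxy=http://svc_gis:Example-Pass@proxy.example.org:8080/
export CA_ROOT_CERTIFICATE_DIR=/nonexistent/ca-roots
EOF
chmod 644 "$demo/init_user_param.sh"
audit_proxy_config "$demo/init_user_param.sh"
```

An empty result means none of these conditions were found; it does not confirm that the proxy accepts the credentials or that the certificate in the directory is the one the proxy presents.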