A forward proxy server is a computer on your LAN that allows you to connect outside the network without compromising the security of your internal network. Use of a forward proxy server is very common in perimeter networks (also known as demilitarized zones [DMZ] or screened subnets) to protect the identity of internal machines. While most ArcGIS Server services do not need to connect outside of the network, the PrintingTools service or custom geoprocessing services may need to access external web services. If your organization uses a forward proxy server to connect externally, you need to configure ArcGIS Server to use your forward proxy server.
ArcGIS Server automatically obtains information about a forward proxy server from the operating system. If the machine installed with ArcGIS Server is already configured with information about the forward proxy server, there may be nothing for you to do. To manually connect ArcGIS Server to a forward proxy server, follow these steps:
- On the machine running ArcGIS Server, log in using the ArcGIS Server account. This is an important step, since the forward proxy server settings need to be applied using this account in order for ArcGIS Server to communicate with the forward proxy server effectively.
- From the Start menu, choose Control Panel > Internet Options > Connections > LAN Settings.
- Check the box next to Use a proxy server for your LAN.
- Provide the address and port number for your forward proxy server. When you're finished, click OK.
- From the Start menu, choose Control Panel > Credential Manager.
- Click Add a generic credential, and specify the credentials to your forward proxy server. These settings will vary depending on your forward proxy server configuration. Contact your system administrator for details.
- Test the connection to your forward proxy server by opening a browser (such as Internet Explorer) and navigating to a website. If the connection is set up properly, you'll be able to access the website; if not, you'll be prompted to provide forward proxy server credentials before the website opens.
- Repeat these steps for the remaining machines in your ArcGIS Server site.
A forward proxy server can either tunnel encrypted traffic or it can decrypt and then re-encrypt traffic. If ArcGIS Server does not appear to be working correctly with the forward proxy, then it's likely that the proxy server is decrypting and re-encrypting traffic. A proxy server that decrypts traffic will use a root certifying authority to present certificates. ArcGIS Server will not trust the root certifying authority by default, so you must import the certificate into the operating system certificate store. You can do this by following the steps below.
- Place the root certificate in a location where ArcGIS Server has the correct file permissions to read it.
- Open Certificate Manager. You can do this by clicking the Start button, typing certmgr.msc in the search box, and pressing the Enter key.
- In the Certificate Manager window, click Trusted Root Certificate Authorities and click Certificates.
- On the top menu, click Action and select All Tasks > Import.
- On the Certificate Import Wizard dialog box, click Next and follow the instructions in the wizard to import the certificate.
- Repeat these steps for each machine in your ArcGIS Server site.