A forward proxy server is a computer on your LAN that allows you to connect outside the network without compromising the security of your internal network. Use of a forward proxy server is very common in perimeter networks (also known as demilitarized zones [DMZ] or screened subnets) to protect the identity of internal machines. While most ArcGIS Server services do not need to connect outside of the network, the PrintingTools service or custom geoprocessing services may need to access external web services. If your organization uses a forward proxy server to connect externally, you need to configure ArcGIS Server to use your forward proxy server.
- Open a web browser and sign in to the ArcGIS Server Administrator Directory. The URL is formatted as https://machine.domain.com:6443/arcgis/admin.
- Click System > Properties > Update.
- On the Update Server Properties dialog box, insert the following JSON code, substituting your forward proxy server information:
    {
      "httpProxyHost": "forwardproxy.domain.com",
      "httpsProxyHost": "forwardproxy.domain.com",
      "httpProxyPort": 8888,
      "httpsProxyPort": 8888,
      "nonProxyHosts": "portal.domain.com"
    }
If your forward proxy requires authentication, the username and password need to be included in the JSON string:
    {
      "httpProxyHost": "forwardproxy.domain.com",
      "httpsProxyHost": "forwardproxy.domain.com",
      "httpProxyPort": 8888,
      "httpsProxyPort": 8888,
      "httpProxyUser": "username",
      "httpsProxyUser": "username",
      "httpProxyPassword": "password",
      "httpsProxyPassword": "password",
      "nonProxyHosts": "portal.domain.com"
    }
- Each of the above properties should always be included, even if your forward proxy server is configured to exclusively use HTTPS.
The nonProxyHosts property should always contain the machine name where your portal is installed. If you want to federate ArcGIS Server with your portal, this property should also include the name of the machine where ArcGIS Server is installed. Machine and domain items are separated using a pipe (|), for example:
"nonProxyHosts": "portal.domain.com|server.domain.com|*.domain.com"
- Click Update Properties.
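Before pasting the JSON into the Update Server Properties dialog box, it can be checked offline against the rules above. The following is an added example, not Esri code: the function names are hypothetical, the sample uses the page's placeholder host names, and treating `*` as a glob-style wildcard is an assumption.

```python
import json
from fnmatch import fnmatchcase

# Properties the page says should always be included.
REQUIRED = ("httpProxyHost", "httpsProxyHost", "httpProxyPort",
            "httpsProxyPort", "nonProxyHosts")
CRED_KEYS = ("httpProxyUser", "httpsProxyUser",
             "httpProxyPassword", "httpsProxyPassword")

# Constructed sample built from the page's placeholder values.
SAMPLE = """{
  "httpProxyHost": "forwardproxy.domain.com",
  "httpsProxyHost": "forwardproxy.domain.com",
  "httpProxyPort": 8888,
  "httpsProxyPort": 8888,
  "nonProxyHosts": "portal.domain.com"
}"""


def bypasses_proxy(host, non_proxy_hosts):
    """True if host matches a pipe-separated entry ('*' assumed glob-style)."""
    patterns = [p.strip().lower() for p in non_proxy_hosts.split("|") if p.strip()]
    return any(fnmatchcase(host.lower(), p) for p in patterns)


def check_properties(text, portal_host, server_host=None):
    """Return a list of problems in the system-properties JSON (empty if none)."""
    props = json.loads(text)
    problems = [f"missing property: {k}" for k in REQUIRED if k not in props]
    for key in ("httpProxyPort", "httpsProxyPort"):
        port = props.get(key)
        if key in props and not (isinstance(port, int) and 0 < port < 65536):
            problems.append(f"{key} is not a valid port: {port!r}")
    present = [k for k in CRED_KEYS if k in props]
    if present and len(present) != len(CRED_KEYS):
        problems.append("proxy credentials are set for only some of http/https")
    non_proxy = props.get("nonProxyHosts", "")
    if "," in non_proxy or ";" in non_proxy:
        problems.append("nonProxyHosts entries must be separated by '|'")
    # Pass server_host only when ArcGIS Server is federated with the portal.
    for label, host in (("portal", portal_host), ("server", server_host)):
        if host and not bypasses_proxy(host, non_proxy):
            problems.append(f"{label} machine {host} is not covered by nonProxyHosts")
    return problems


if __name__ == "__main__":
    for problem in check_properties(SAMPLE, "portal.domain.com", "server.domain.com"):
        print(problem)
```

With the sample above, the federated case reports that server.domain.com is not covered, which is the omission the nonProxyHosts guidance warns about.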
ArcGIS Server uses forward proxy configuration settings from two sources: the operating system where ArcGIS Server is installed, and the system properties in the ArcGIS Server Administrator Directory. It is recommended to configure the forward proxy in both locations.
On Linux, the standard way to configure a forward proxy server is with the http_proxy environment variable. To configure this environment variable and define the forward proxy server, edit the init_user_param.sh script in the /arcgis/server/usr directory. To do so, follow these steps:
- Open the init_user_param.sh script in a text editor.
- Locate the line export http_proxy=http://<user name>:<password>@<proxy-server-name.domain.org>:<port number>/, and modify the sample URL to match the name and port number of your forward proxy server. If a user name and password are required to connect to your forward proxy server, specify the user name and password parameters in the URL. If a user name and password are not required, delete the <user name>:<password>@ text from the URL.
- Optionally, you can use the no_proxy environment variable to specify a list of domains for which the default proxy is not required. To use this variable, uncomment the line export no_proxy="<local>;*.<domain>.<com>", and add entries to this list. The wildcard character * and <local> can be used when specifying the domain. Each entry must be separated by a semicolon (;).
- Save and close the init_user_param.sh script.
- For your settings to take effect, you must restart ArcGIS Server. You can do this by running the startserver.sh script on each GIS server in your deployment.
ArcGIS Server is now configured with the forward proxy server settings specified in the init_user_param.sh script.
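Because the proxy user name and password end up inside init_user_param.sh, the edited file is worth auditing before the restart. The following is an added example, not part of the ArcGIS Server tooling: the function name and the sample account are hypothetical, and the file-permission check is a hardening check added here rather than a requirement stated above.

```python
import os
import re
import stat
from urllib.parse import urlsplit

# Matches 'export http_proxy=...' / 'export no_proxy=...', commented out or not.
EXPORT = re.compile(r"^\s*(#?)\s*export\s+(http_proxy|no_proxy)=(.*)$")


def audit_proxy_script(path):
    """Return findings for the proxy lines of an init_user_param.sh-style file."""
    active = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = EXPORT.match(line)
            if m and not m.group(1):  # ignore lines that are still commented out
                active[m.group(2)] = m.group(3).strip().strip("\"'")
    proxy = active.get("http_proxy")
    if proxy is None:
        return ["http_proxy is not exported (line missing or commented out)"]
    findings = []
    if "<" in proxy or ">" in proxy:
        findings.append("http_proxy still contains a <placeholder>")
    else:
        url = urlsplit(proxy)
        try:
            has_port = url.port is not None
        except ValueError:  # non-numeric or out-of-range port
            has_port = False
        if not url.hostname or not has_port:
            findings.append("http_proxy needs a host name and a numeric port")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if url.password is not None and mode & 0o077:
            findings.append(f"proxy password stored in a file with mode {mode:o}")
    no_proxy = active.get("no_proxy", "")
    if "," in no_proxy or "|" in no_proxy:
        findings.append("no_proxy entries must be separated by ';'")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample file; the account name and password are made up.
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as tmp:
        tmp.write("export http_proxy=http://svc_gis:example-secret@forwardproxy.domain.com:8888/\n")
    os.chmod(tmp.name, 0o644)
    print(audit_proxy_script(tmp.name))
    os.remove(tmp.name)
```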
A forward proxy server can either tunnel encrypted traffic, or it can decrypt and then reencrypt traffic. If ArcGIS Server does not appear to be working correctly with the forward proxy, it's likely that the proxy server is decrypting and reencrypting traffic. A proxy server that decrypts traffic will use a root certifying authority to present certificates. ArcGIS Server will not trust the root certifying authority by default, so you must import the certificate into the operating system certificate store. You can do this by following the steps below.
- Place the root certificate in a location where ArcGIS Server has the correct file permissions to read it.
- On the machine hosting ArcGIS Server, open the init_user_param.sh script in a text editor by browsing to the <ArcGIS Server installation directory>/arcgis/server/usr directory.
- Locate the line export CA_ROOT_CERTIFICATE_DIR=<Location_to_CA_Root_Certificate> and specify a location where all CA root certificates are stored on the system. Note that the specified directory needs to be accessible by the account that was used to install ArcGIS Server. You'll need to uncomment the lines by removing the pound sign (#) characters.
- Save and close the init_user_param.sh script.
- Restart ArcGIS Server. You can do this by running the startserver.sh script on each machine in your site.
- Repeat these steps for each machine in your ArcGIS Server site.