Questions on Reverse Proxy for REST sites
Hi,
I am in the early, investigative stages of setting up an Essentials REST site for public use over the internet, most likely using a Reverse Proxy Server. I have a few simple questions I'm hoping someone can answer for me:
1. Section 5.6 "Running Behind a Reverse Proxy" of the REST Elements Admin Guide appears to be the only reference to Reverse Proxy in the Essentials Documentation, but all it provides is a configuration to resolve an issue with returning an internal URL rather than the external URL,"depending on how the reverse proxy is configured". Is there any reference that I am missing that actually describes how the Reverse Proxy should be configured? The ESRI documentation for ArcGIS Server is extensive, providing explicit changes for Reverse Proxies using Apache, IIS7, or ISA Server, but I see nothing comparable from Geocortex. Does Essentials depend on any of those ArcGIS Server settings to be configured, or does Essentials eliminate the need for those settings by handling all the map service access, etc inside the firewall? Is it really that much simpler than the ESRI configs?
2. Can the same Essentials site be served as an internal and an external site? It appears that some of the settings for ArcGIS Server reverse proxy would break the internal usage, particularly for those intranet users who don't have internet access--is this true for Essentials as well? If this is the case, is it still possible to maintain parallel sites, internal and external, on the same Essentials/ArcGIS Server installation? (Some ArcGIS server RP settings appear to be in config files used for all sites, but maybe I'm just misreading that?)
3. Is there any preferred Reverse Proxy (e.g., Apache, IIS7, or ISA Server) for Essentials?
Thanks for any help you might be able to provide.
Jim Bergstrom
-
Jim,
More info tomorrow (my time) but in short the geocortex reverse proxy is config is the easy part, the esri side of it is where you can have some fun (esri's documentation might be extensive but i would add its far from clear although this is somewhat dependent on your environment (there's many variables that come into play & its difficult to cover them all off).
Strictly speaking (as you've inferred) esri's config will only support a single site (e.g. an external or an internal) but that's not entirely true but my recommendation is keep it simple & have a single site for all users (if possible, just push your internal users to your external site). The issue with maintaining parallel sites is the day to day management over head of managing your int/ext services etc. Technically its not that difficult but practically its a head-ache to manage.
We use IIS 7 on our r-proxy with iis 6 internally. I'm led to believe Apache is a little easier to config but IIS isn't difficult. This is coming from the esri perspective rather than the Essentials.
You may even ask yourself do you need a r-proxy. While publicly its ESRI's recommended approach, without quoting names they also state that its not necessary & in some instances creates greater security flaws. Again, depends a lot on your line of business.Hope it helps a little.
Brad
0 -
I am nearly done implementing the ESRI reverse proxy using IIS. In short, I think you will save yourself a lot of headache setting up the ESRI reverse proxy.
Anyway, I prefer the IIS implementation because I have not experience with the others that are possible. The IIS implemenation is mostly straight forward and not to complicated to setup.
I did try the Geocortex reverse proxy configuration using the ESRI reverse proxy handler but that came with trouble including double encoded query strings that were a problem at the firewall. In addition, there is a bug using the proxy configuration, the application tries to access URL's that are supposed to be run through the proxy handler.
Good Luck.
Louie0 -
Also for your reading pleasure...Related to your question.
(https://support.geocortex.com/customer/essentialsGSCForum?sub-nav=forum&main-nav=essentials&id=90660000000089eAAA) Proxy Requests, Double Encoding and the ominous Firewall
(https://support.geocortex.com/customer/essentialsGSCForum?sub-nav=forum&main-nav=essentials&id=9066000000008YfAAI) Use Proxy Handler to Site Config - How?
(edited for updated links)0 -
Depending on the services you include in your site, you may also have to deal with forward proxy issues.
We have several external map sources in our sites and Essentials would fail to load the site because it could not validate the external sources (to build the REST endpoint data). You must edit the web.config file and add the forward proxy information to the System.net section in order to allow Essentials to get to the external data. This would also affect printing since the pdf/image is generated on the Essentials server, not the client.
As far as reverse proxies, we use Apache for redirecting traffic to our internal servers. If your intranet users do not have inTERnet access then it would probably be difficult to share a site since the URL's for the AGS services would have to be the internet url's instead of intranet url's. If they do have internet access then there isn't any need for both, since they could just use the public site. We will be implementing seperate sites and AGS services for intranet only apps. The maintenance will be higher but the configuration ends up being simpler when they are totally decoupled from each other.
0 -
Thanks Brad, Louie, and Peter for your insights. I'm new to REST, Silverlight Viewers, and Publication for Public Use, so have a lot of catching up to do before I can get this up and running. I've been working with Essentials Web ADF sites internally for awhile, and the feedback has been positive enough that the demand for a public presence is increasing steadily.
So at this point I'm leaning toward creating separate sites, with separate map services, to reverse-proxy for public consumption--which makes sense for us anyway, given that we want the public site to be trimmed down considerably from what we use internally. What I'm trying to understand now is just how much of the ESRI ArcGIS Server r-proxy documentation I need to pay attention to, and how to translate it into usable configurations for Essentials. My assumption all along (at least with Web ADF) has been that Essentials depends on ArcGIS Server for map services, but that's about it. If that's the case, it seems that I could follow the ESRI directions for creating and web sharing new directories for the external site's map services (e.g., c:\arcgisserver\proxyoutput, ...proxycache, etc), and setting up the r-proxy server (my security team appears to be leaning toward ISA Server); but the information about changing settings in ArcGIS Server-specific config files (e.g., c:\Inetpub\wwroot\ArcGIS\rest\rest.config) doesn't seem directly applicable. But that leaves me wondering if there are equivalent settings I need to change in the Essentials REST config files.
I found the document "How to make a Silverlight Site available externally" in the Geocortex knowledge base, which specifies a few config changes--but it doesn't even mention reverse proxy, so I'm not sure it is applicable (or comprehensive).
Any more insights, comments, or suggestions out there?
Thanks again,
Jim
0
Du måste logga in om du vill lämna en kommentar.
Kommentarer
5 kommentarer