A forward proxy server is a computer on your LAN that allows you to connect outside the network without compromising the security of your internal network. Use of a forward proxy server is very common in perimeter networks (also known as demilitarized zones [DMZ] or screened subnets) to protect the identity of internal machines. While most ArcGIS Server services do not need to connect outside of the network, the PrintingTools service or custom geoprocessing services may need to access external web services. If your organization uses a forward proxy server to connect externally, you need to configure ArcGIS Server to use your forward proxy server.
- Open a web browser and sign in to the ArcGIS Server Administrator Directory. The URL is formatted as https://machine.domain.com:6443/arcgis/admin.
- Click System > Properties > Update.
- On the Update Server Properties dialog box, insert the following JSON code, substituting your forward proxy server information:
{ "httpProxyHost": "forwardproxy.domain.com", "httpsProxyHost": "forwardproxy.domain.com", "httpProxyPort": 8888, "httpsProxyPort": 8888, "nonProxyHosts": "portal.domain.com" }
If your forward proxy requires authentication, the username and password need to be included in the JSON string:
{ "httpProxyHost": "forwardproxy.domain.com", "httpsProxyHost": "forwardproxy.domain.com", "httpProxyPort": 8888, "httpsProxyPort": 8888, "httpProxyUser": "username", "httpsProxyUser": "username", "httpProxyPassword": "password", "httpsProxyPassword": "password", "nonProxyHosts": "portal.domain.com" }
- Each of the above properties should always be included, even if your forward proxy server is configured to exclusively use HTTPS.
The nonProxyHosts property should always contain the machine name where your portal is installed. If you want to federate ArcGIS Server with your portal, this property should also include the name of the machine where ArcGIS Server is installed. Machine and domain items are separated using a pipe (|), for example:
"nonProxyHosts": "portal.domain.com|server.domain.com|*.domain.com"
- Click Update Properties.
ArcGIS Server uses forward proxy configuration settings from two sources: the operating system where ArcGIS Server is installed, and the system properties in the ArcGIS Server Administrator Directory. It is recommended to configure the forward proxy in both locations.
To configure or review the Windows forward proxy settings used by ArcGIS Server, follow these steps:
- On the machine running ArcGIS Server, log in using the ArcGIS Server account. This is an important step, since the forward proxy server settings need to be applied using this account for ArcGIS Server to communicate with the forward proxy server effectively.
- From the Start menu, choose Control Panel > Internet Options > Connections > LAN Settings.
- Check the box next to Use a proxy server for your LAN.
- Provide the address and port number for your forward proxy server. When you're finished, click OK.
- From the Start menu, choose Control Panel > Credential Manager.
- Click Add a generic credential, and specify the credentials to your forward proxy server. These settings will vary depending on your forward proxy server configuration. Contact your system administrator for details.
- Test the connection to your forward proxy server by opening a browser (such as Internet Explorer) and browse to a website. If the connection is set up properly, you'll be able to access the website; if not, you'll be prompted to provide forward proxy server credentials before the website opens.
- Repeat these steps for the remaining machines in your ArcGIS Server site.
A forward proxy server can either tunnel encrypted traffic, or it can decrypt and then reencrypt traffic. If ArcGIS Server does not appear to be working correctly with the forward proxy, it's likely that the proxy server is decrypting and reencrypting traffic. A proxy server that decrypts traffic will use a root certifying authority to present certificates. ArcGIS Server will not trust the root certifying authority by default, so you must import the certificate into the operating system certificate store. You can do this by following the steps below.
- Place the root certificate in a location where ArcGIS Server has the correct file permissions to read it.
- Open Certificate Manager. You can do this by clicking the Start button, typing certmgr.msc in the search box, and pressing the Enter key.
- In the Certificate Manager window, click Trusted Root Certificate Authorities and click Certificates.
- On the top menu, click Action and select All Tasks > Import.
- On the Certificate Import Wizard dialog box, click Next and follow the instructions in the wizard to import the certificate.
- Repeat these steps for each machine in your ArcGIS Server site.