I speak with many customers about different architecture options for implementing ArcGIS Online, and many ask about the simplest recommended secure implementation. We’ve done several of these, and I wanted to post the architecture for your review and use:
I’ve also posted this as a PDF so you can download and print it at full resolution. This architecture includes several recommended best practices:
- Minimal exposure in the DMZ – we have a single server in the DMZ, which acts as a proxy for the ArcGIS Server endpoints. This server uses ArcGIS Server Web Adaptor to enable Microsoft IIS requests to be brokered securely into the back office.
- SSL throughout – the only port exposed from the DMZ server to the internet is 443 (HTTPS). IIS isn’t typically even listening on any other ports. The 443 connection is made to IIS and ArcGIS Web Adaptor, which then uses port 6443 through the firewall to connect to the internally hosted ArcGIS Server instance.
- Secured ArcGIS Server Services – all services on the internal ArcGIS Server instance are secured using ArcGIS security (username/password). This server can optionally be federated using your internal Microsoft Active Directory authentication.
This is by far the simplest secure model we can put out there. The data is still all housed within your organization, behind your firewall, but this will enable all the wonderful aspects of ArcGIS Online to be used with your data.
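The port exposure described in the list above (443 from the internet to the DMZ, 6443 from the DMZ to the internal ArcGIS Server) can be checked against a firewall rule export. The following Python sketch is an added example, not code from the original post or from Esri. The zone names, the one-line rule format and the sample rules are constructed; it audits only inbound paths and ignores rule ordering.

```python
from collections import namedtuple

# Inbound flows the architecture permits: (source zone, dest zone, protocol) -> ports.
ALLOWED = {
    ("internet", "dmz", "tcp"): {443},    # HTTPS to IIS and the Web Adaptor
    ("dmz", "internal", "tcp"): {6443},   # Web Adaptor to ArcGIS Server
}
# Zone pairs that are audited (assumption: outbound paths are out of scope).
AUDITED_PATHS = {("internet", "dmz"), ("internet", "internal"), ("dmz", "internal")}

Rule = namedtuple("Rule", "name src dst proto lo hi action")

def parse_rule(line):
    """Parse 'name src dst proto port[-port] action' (constructed export format)."""
    name, src, dst, proto, ports, action = line.split()
    lo, _, hi = ports.partition("-")
    return Rule(name, src, dst, proto.lower(), int(lo), int(hi or lo), action.lower())

def audit(rules):
    """Return (rule name, problem) pairs: over-broad allows, then missing flows."""
    findings, covered = [], set()
    for r in rules:
        if r.action != "allow" or (r.src, r.dst) not in AUDITED_PATHS:
            continue
        permitted = ALLOWED.get((r.src, r.dst, r.proto), set())
        hit = {p for p in permitted if r.lo <= p <= r.hi}
        covered |= {(r.src, r.dst, r.proto, p) for p in hit}
        extra = (r.hi - r.lo + 1) - len(hit)
        if extra:
            findings.append((r.name, f"{extra} extra {r.proto} port(s) {r.src}->{r.dst}"))
    for (src, dst, proto), ports in ALLOWED.items():
        for p in sorted(ports):
            if (src, dst, proto, p) not in covered:
                findings.append(("(none)", f"missing {proto}/{p} {src}->{dst}"))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE = """\
web-in     internet dmz      tcp 443       allow
http-in    internet dmz      tcp 80        allow
adaptor    dmz      internal tcp 6443      allow
ags-range  dmz      internal tcp 6000-6500 allow
rdp-admin  internet internal tcp 3389      allow
out-web    internal internet tcp 443       allow
"""

if __name__ == "__main__":
    for name, problem in audit(parse_rule(l) for l in SAMPLE.splitlines()):
        print(f"{name}: {problem}")
```

On the sample it flags `http-in`, `ags-range` and `rdp-admin`, and it reports a missing flow if no allow rule covers 443 or 6443 on its expected path.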
We have published several other articles with variations on architecture (see related posts below), but this should be a really good starting point for any discussion. Contact us and we can guide you through modifying the architecture to meet your IT and GIS requirements – it’s our specialty!