Firewalls and ArcGIS Server
What does a firewall do?
Every computer has thousands of ports through which other computers can send information. A firewall is a security mechanism that limits the number of ports on your machine through which other computers can communicate. When you use a firewall to restrict communication to a small number of ports, you can closely monitor those ports to prevent an attack. Also, you can configure the firewall to restrict communication to a port known only to you.
Firewalls can be implemented through hardware, software, or a combination of both. Firewalls work best in detecting attacks that could enter or leave your system through an open port, such as worms and some Trojan horses. They do not protect you from viruses attached to e-mails or from threats inside your network. Therefore, although firewalls are important, they should not be the only component of your overall security strategy. Antivirus software and solid authentication and authorization techniques are examples of other security strategies that should be deployed in conjunction with firewalls.
Protecting a GIS server with firewalls
ESRI does not recommend or support firewalls between ArcGIS Server components. This includes firewalls between the Web ADF and the GIS Server as well as firewalls between the server object manager (SOM) and the server object container (SOC). The recommended technique for protecting an ArcGIS Server system with firewalls is to configure a reverse proxy Web server within a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet). In this scenario, the reverse proxy Web server receives incoming HTTP requests through a firewall that restricts traffic to a known port (usually port 80). It then sends the request through another firewall—using a port unknown to the end user—to the ADF Web server in a secure internal network. The ADF Web server is then free to establish unrestricted DCOM communications with the other ArcGIS Server components. In this way, the entire GIS server operates within a secure internal network and does not require firewalls between its components.
Here's a closer look at each component in this scenario:
- A perimeter network consists of machines that Internet users can access through a firewall but are not part of your secure internal network. The perimeter network isolates all components of the ArcGIS Server system, including the ADF, SOM, and SOC, from direct Internet client access.
- The reverse proxy Web server in the perimeter network receives Internet requests through a common port, such as port 80. A firewall prevents access through any other ports. Then the reverse proxy server sends the request to the secure internal network through another firewall, redirecting it through a port unknown to the original client.
- The Web server hosting the ADF, the SOM, the SOC, and the data servers are all part of the secure internal network. A request entering the secure network must come from the reverse proxy server and pass through a firewall. A response leaving the secure network returns to the client the same way it arrived: first it passes back through the firewall to the reverse proxy server, and then the reverse proxy server sends it through another firewall to the client.
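The following is an added example, not ESRI code, that models the reverse proxy described above with Python's standard library. The loopback address stands in for both the perimeter network and the secure internal network, and the internal "ADF" host, its port, the allowed path prefix /arcgis/ and the stub responses are all constructed for the demo. The proxy accepts requests on its own published port, forwards only allow-listed paths to the internal host and port (which the client never learns), records the real client address for the internal server's logs, and strips the internal server's identifying headers from the response; everything else is answered by the proxy itself and never enters the internal network.

```python
"""Added example (not ESRI's code): a minimal HTTP reverse proxy modelling the
perimeter-network pattern. Hostnames, ports and paths are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hop-by-hop headers belong to one connection only and must not be copied
# between the client<->proxy and proxy<->ADF legs (RFC 7230, section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def make_proxy_handler(upstream_host, upstream_port, allowed_prefixes):
    """Build a handler that forwards only allow-listed paths to one internal host."""

    class ReverseProxyHandler(BaseHTTPRequestHandler):
        def _forward(self):
            # Paths outside the published application never reach the internal
            # network; the client only sees a 404 from the proxy.
            if not any(self.path.startswith(p) for p in allowed_prefixes):
                self.send_error(404)
                return
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length) if length else None
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
            # Re-address the request to the internal server (the port the end
            # user never sees) and record the real client address for its logs.
            headers["Host"] = f"{upstream_host}:{upstream_port}"
            headers["X-Forwarded-For"] = self.client_address[0]
            conn = http.client.HTTPConnection(upstream_host, upstream_port, timeout=10)
            try:
                conn.request(self.command, self.path, body=body, headers=headers)
                resp = conn.getresponse()
                data = resp.read()
            except (OSError, http.client.HTTPException):
                self.send_error(502, "Bad Gateway")  # internal server unreachable
                return
            finally:
                conn.close()
            # Relay status and headers, dropping hop-by-hop headers and the
            # internal server's own Server banner so nothing identifies it.
            self.send_response_only(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP | {"server", "content-length"}:
                    self.send_header(k, v)
            self.send_header("Server", "reverse-proxy")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        do_GET = do_POST = _forward

        def log_message(self, *args):  # keep the demo quiet
            pass

    return ReverseProxyHandler


class InternalAdfStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the ADF Web server in the secure internal network."""
    seen = []  # request headers as received, so the demo can inspect them

    def do_GET(self):
        InternalAdfStub.seen.append({k: v for k, v in self.headers.items()})
        payload = ('{"server":"internal-adf","path":"%s"}' % self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def _get(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode(), dict(resp.getheaders())
    finally:
        conn.close()


def run_demo():
    """Start the internal ADF stub and the proxy on loopback (standing in for the
    two networks), then send one allowed and one blocked request via the proxy."""
    InternalAdfStub.seen.clear()
    backend = ThreadingHTTPServer(("127.0.0.1", 0), InternalAdfStub)
    internal_port = backend.server_address[1]  # never exposed to the client
    proxy = ThreadingHTTPServer(
        ("127.0.0.1", 0), make_proxy_handler("127.0.0.1", internal_port, ("/arcgis/",)))
    for srv in (backend, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        public_port = proxy.server_address[1]
        status, body, headers = _get(public_port, "/arcgis/rest/services")
        blocked_status, _, _ = _get(public_port, "/admin/")
    finally:
        for srv in (proxy, backend):
            srv.shutdown()
            srv.server_close()
    return {
        "status": status, "body": body, "server_header": headers.get("Server"),
        "blocked_status": blocked_status, "internal_port": internal_port,
        "backend_requests": len(InternalAdfStub.seen),
        "backend_saw_host": InternalAdfStub.seen[0].get("Host"),
        "backend_saw_xff": InternalAdfStub.seen[0].get("X-Forwarded-For"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the demo result: the allowed request is answered with the internal server's JSON but a generic Server header, the blocked request is refused by the proxy without the internal stub ever seeing it, and the stub sees the proxy's Host header plus the client's address in X-Forwarded-For. In a real deployment the two firewalls, not the proxy's allow-list, enforce that only the proxy can reach the internal port; the allow-list is the additional application-layer check a practitioner would still want.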
ESRI Knowledge Base article 32634 describes a procedure for configuring ArcGIS Server for the Microsoft .NET Framework to work with a reverse proxy Web server.