Hosted by Esri
Official Distributor
Building Secure Applications
Andrew Sakowicz
Esri European User Conference October 15-17, 2012 | Oslo, Norway
ArcGIS Server 10.1 security architecture
ArcGIS Server 10.1 Physical architecture - High availability configuration
ArcGIS Server 10.1 security Logical architecture
[Diagram: three tiers. Web Tier in the DMZ (IIS with the Web Adaptor); Application/GIS Tier on the internal network (ArcGIS Server Site with GIS Servers, GIS Services, Service Authorization, Built-in store, Identity manager, Wizard builder); Data Tier (Enterprise Geodatabase). Links labelled HTTPS from the web to the DMZ and from the DMZ into the GIS tier, LAN between the GIS and data tiers.]
ArcGIS Server 10.1 security architecture Single firewall
• Port 80 opened
• GIS and data server reside in the secure internal network
ArcGIS Server 10.1 security architecture Multiple firewall
• Port 80 and 6080
• Web adapter acts as reverse proxy
• GIS and data server reside in the secure internal network
ArcGIS Server 10.1 security architecture Integrating an existing proxy
• Add your ArcGIS Server site to the proxy directives, e.g. in Apache httpd.conf:
  - ProxyPass /arcgis http://myserver:6080/arcgis
  - ProxyPassReverse /arcgis http://myserver:6080/arcgis
ArcGIS Server 10.1 security architecture Integrating an existing proxy
• To select your port, install the Web Adaptor on another web server
Securing data Production and Publication geodatabase
• Pros:
  - Better security
  - Improved performance
  - Additional hardware capacity
• Cons:
  - Requires replication
  - Additional hardware
[Diagram: Editors work against the Production geodatabase (versioned GDB); 1-way replication, or unregistering as versioned, feeds the read-only Publication geodatabase that Viewers read.]
Securing data Internal and external web editing
• Pros:
  - Better security
  - Improved performance
  - Additional hardware capacity
• Cons:
  - Requires replication
  - Additional hardware
[Diagram: Editors work on the Internal versioned GDB; 2-way replication through a Geodata Service keeps it in step with the External versioned GDB used by Web editors and Viewers.]
Managing ArcGIS Server users and roles
ArcGIS Server Account
• A domain account is easier to manage
• Update the password with the Configure ArcGIS Server Account utility
Primary Site Administrator
• Specify when you first create a site
• Not an operating system user
• Disable after configuring admin role in identity store
Primary Site Administrator Restrict file permissions
Supported identity store configurations
Supported identity store configurations
• ArcGIS Server authentication
  - Built-in users and roles (token authentication)
  - LDAP or Windows Domain
  - LDAP or Windows Domain and the built-in store
• Web server authentication
  - Any identity store for which the web server has built-in support
What Architecture is Right for Me?
| Capability | Security Store | Authentication Tier | Authentication Method | Application Tier | Encryption (HTTPS) |
|---|---|---|---|---|---|
| Single Sign On | Active Directory | Web Tier (IIS) | Integrated Windows (IIS) | Any w/ SSO Support | Optional |
| Enterprise Users & Roles | Active Directory, LDAP | Any | Any | Any | * Recommended |
| Web Editing | Any | Any | Any | Any | * Recommended |
| Mobile Applications | Any | Any | Any | Any | * Recommended |
| SharePoint | Any | Any | Any | Any | * Recommended |
| Enterprise Users & Built In Roles | Active Directory, LDAP | Any | Any | Any | * Recommended |
| Linux | LDAP, Built-In | Any | Any | Any | * Recommended |
| ArcGIS Online | Any | Any | Any | Any | * Recommended |

* Silverlight & SharePoint require use of Proxy Page for token management.
ArcGIS Server's built-in store
ArcGIS Server's built-in store Roles
ArcGIS Server's built-in store
ArcGIS Server's built-in store Users
Demo: Securing services
Web tier single-sign-on at 10.1
Web tier single-sign-on at 10.1
[Diagram: the same three tiers as the logical architecture. Single sign-on happens at the Web Tier (IIS with the Web Adaptor) against an Active Directory security store; the Web Adaptor and the ArcGIS Server Site (GIS Servers, GIS Services, Service Authorization) are linked by a shared key. Links labelled HTTP from the web to the DMZ and into the GIS tier, LAN between the GIS tier and the Enterprise Geodatabase.]
LDAP or Windows domain users
LDAP or Windows domain Authentication Tier
• GIS Server Tier
  - Esri's proprietary ArcGIS token-based authentication
• Web Tier
  - Use single sign-on or a custom authentication mechanism
  - Requires Web Adapter
  - HTTP basic and digest
LDAP or Windows domain Web server authentication
• Requires installing the ArcGIS Web Adaptor
Windows domain – web tier authentication
Enable Windows authentication
Generating token
Generating token
• Automatically manages ArcGIS tokens
• Flex API & Viewer 2.5.1+ (works with ArcGIS 10.0 SP-1+)
[Diagram: a Web App obtaining tokens and calling two Token Secured Services.]
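The token flow these slides sketch (the client obtains a token from the site's generateToken endpoint, appends it to requests against a token-secured service, and refreshes it when the service answers with a token error), as an added Python example that is not part of the original deck. The site URL, user name, password and the in-memory fake site are constructed for the example; against a real site the stub transport would be replaced by an HTTP client talking to the Web Adaptor over HTTPS.

```python
import time

# Error codes a token-secured ArcGIS service returns when a token is missing
# or not accepted (ArcGIS REST API convention).
TOKEN_REQUIRED = 499
INVALID_TOKEN = 498


class TokenManager:
    """Get a token from generateToken; reuse it until just before its reported expiry."""

    def __init__(self, site_url, username, password, transport, skew_secs=60):
        self.token_url = site_url.rstrip("/") + "/tokens/generateToken"
        self.credentials = {"username": username, "password": password}
        self.transport = transport  # callable(url, form_dict) -> decoded JSON dict
        self.skew_ms = skew_secs * 1000
        self._token, self._expires_ms = None, 0

    def token(self):
        now_ms = int(time.time() * 1000)
        if self._token is None or now_ms >= self._expires_ms - self.skew_ms:
            form = dict(self.credentials, client="requestip", expiration=60, f="json")
            reply = self.transport(self.token_url, form)
            if "token" not in reply:
                raise PermissionError(reply.get("error", reply))
            self._token, self._expires_ms = reply["token"], int(reply["expires"])
        return self._token

    def get(self, service_url, params=None):
        """Call a secured service with the token appended; on a token error
        discard the cached token, fetch a fresh one and retry exactly once."""
        for attempt in range(2):
            reply = self.transport(service_url, dict(params or {}, token=self.token(), f="json"))
            code = reply.get("error", {}).get("code")
            if code in (TOKEN_REQUIRED, INVALID_TOKEN) and attempt == 0:
                self._token = None
                continue
            return reply


def make_fake_site(valid_token="tok-constructed", ttl_ms=60_000):
    """Constructed in-memory stand-in for an ArcGIS site so the example runs offline:
    issues a token for the right password and answers a map service only with that token."""
    def transport(url, form):
        if url.endswith("/tokens/generateToken"):
            if form.get("password") != "s3cret":
                return {"error": {"code": 400, "message": "Invalid username or password."}}
            return {"token": valid_token, "expires": int(time.time() * 1000) + ttl_ms}
        if form.get("token") != valid_token:
            return {"error": {"code": TOKEN_REQUIRED, "message": "Token Required"}}
        return {"currentVersion": 10.1, "serviceDescription": "parcels"}
    return transport
```

Holding the credentials and the cached token on the server side in this way is what the proxy page mentioned in the architecture table does for Silverlight and SharePoint clients, so the token never has to live in the browser.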
Generating token Shared key
Generating token
Secure Web Applications with HTTPS
Demo: HTTPS
Building secure web application
Building secure applications ArcGIS Viewer for Flex
Demo: Building secure web applications