Forward proxies
A forward proxy is a type of software-based proxy application that forwards and controls “outbound” requests, sent from a client out to an external or remote endpoint or server. In the wide variety of application architectures and network configurations, the definition of “outbound” may vary significantly, but a forward proxy is generally seen as a component that enables, secures, controls, or denies requests from a client, server, or service to external URLs and resources. External can mean:
- Any URL outside of the local system
- Any URL outside of the local network zone
- Any URL outside of the WAN, for example, internet addresses
Forward proxies are generally services that receive HTTP or HTTPS requests at a specific address and network port, and proceed to:
- In some cases, decrypt the request, inspect the contents, and re-encrypt the subsequent request to the destination
- Inspect the request, sometimes denying or allowing requests based on destination or requested server hostname, URL contents, headers or other request properties
- If allowed, forward the request to the originally requested URL so a response can be returned
- If required, inspect the response from the remote server, and either return it unchanged, edit the response, or cancel the request based on response contents
A forward proxy can be implemented through various technology patterns and may be visible or transparent to the user depending on network design and client, browser, or operating system configuration.
Forward proxy considerations for ArcGIS
Many ArcGIS software components make requests to other components or to internet sources, so where a forward proxy is required, it must be implemented properly. When properly configured, ArcGIS can be compatible with most forward proxy scenarios. Some configuration may be required, and workflow-specific issues are usually resolved through more specific configuration of the proxy itself or of the proxy settings within the ArcGIS software. Authenticated forward proxies are supported if a basic user and password is the only authentication requirement.
- For ArcGIS Pro, the system-defined forward proxy is used (configured in the Windows operating system’s Internet Options).
- ArcGIS Earth supports configuration of a proxy in the administrative settings file.
- For ArcGIS mobile applications, the system-defined proxy is used (configured in either the iOS or Android operating system settings).
- For ArcGIS Enterprise components, each component may need to be configured separately to use a forward proxy, as covered in the ArcGIS Server documentation and the Portal for ArcGIS documentation.
Forward proxies can create configuration challenges, which depend on the specific network design and proxy settings for a piece of software or system, but the following general guidance may be useful:
- When configuring a forward proxy, be sure to work closely with an IT team to understand the implications. If certain URLs are blocked or not accessible, or a forward proxy is not required for those URLs, then this may affect your proxy configuration or non_proxy_hosts settings.
- Forward proxies generally are not used to request resources on the “local network” of a system – for example, other servers and services that are in the same domain or subdomain of DNS and in the same area of a WAN.
- Many forward proxies filter outbound requests based on hostname or destination IP addresses. For requests from ArcGIS software to ArcGIS Online (for example, for basemaps as part of a printing process), the forward proxy must allow access to those URLs or paths. The document Domain Requirements for ArcGIS Online, on the ArcGIS Trust Center, provides additional recommendations for this topic.
- When Python processes are involved, additional considerations may be required to ensure that the Python code makes requests through the forward proxy correctly. This includes Python Notebooks, ArcGIS Notebook Server, and other deployments of Python code.
- If the forward proxy decrypts and re-encrypts traffic, be sure that the root certificate for the TLS certificate used by the proxy is trusted by the software component making the request.
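An added example (not Esri or ArcGIS code) for the bypass-list, Python, and TLS points above: a preflight check that reports which URLs a Python process would send through the forward proxy under the standard library's NO_PROXY matching, and builds a TLS context that also trusts a decrypting proxy's root CA. The hostnames, account, ports, and function names are constructed for illustration, and other HTTP libraries may match bypass lists differently.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample settings (hostnames and account are placeholders), in the shape
# urllib.request.getproxies_environment() builds from HTTPS_PROXY / NO_PROXY.
SAMPLE_PROXIES = {
    "https": "http://svc_gis:placeholder-pw@proxy.corp.example:8080",
    "no": "localhost,127.0.0.1,.corp.example",
}
SAMPLE_URLS = [
    "https://www.arcgis.com/",                                   # ArcGIS Online: external
    "https://gisserver.corp.example:6443/arcgis/rest/services",  # same DNS domain: local
    "https://localhost/",
]

def redact(proxy_url):
    """Drop user:password from a proxy URL so it is safe to log."""
    p = urlsplit(proxy_url)
    hostport = p.hostname + (f":{p.port}" if p.port else "")
    return f"{p.scheme}://{hostport}"

def route_for(url, proxies):
    """Return 'direct' or the redacted proxy chosen by the stdlib NO_PROXY rules."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # host[:port] without credentials
    if urllib.request.proxy_bypass_environment(host, proxies):
        return "direct"
    proxy = proxies.get(parts.scheme)
    return redact(proxy) if proxy else "direct"

def has_basic_credentials(proxy_url):
    """True when the proxy URL carries the user and password used for basic auth."""
    p = urlsplit(proxy_url)
    return bool(p.username and p.password)

def tls_context(proxy_root_ca=None):
    """System trust store plus, for a decrypting proxy, its root CA (PEM file path)."""
    ctx = ssl.create_default_context()
    if proxy_root_ca:
        ctx.load_verify_locations(cafile=proxy_root_ca)
    return ctx

def preflight(urls, proxies):
    """Map each URL to the route it would take under the given proxy settings."""
    return {url: route_for(url, proxies) for url in urls}

if __name__ == "__main__":
    for url, route in preflight(SAMPLE_URLS, SAMPLE_PROXIES).items():
        print(f"{route:35} {url}")
```

A local host that shows up with a proxy route, or an ArcGIS Online URL that shows up as direct, points to a bypass list that does not match the network design agreed with the IT team.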