Secure network design
Working within secure networks and environments has been a requirement of ArcGIS software for decades. Support for new security concepts, providers, and patterns is critical to continue aligning well to these secure networks. A few key design criteria or guidelines can be established for architects working in more secure environments. As organizations have evolved from an implicit trust posture where their network has a clear definition, into a world where users are moving between the internet, intranet, and different spaces in between, the definition of network security has changed and evolved to introduce new options and complexities.
It is generally not the role of a system architect to define network constructs, topology, or design goals, so the process of architecting ArcGIS systems is often a process of asking questions, learning about network constraints, and then ensuring the resulting system can work properly given those constraints.
ArcGIS in secure networks
ArcGIS Enterprise, ArcGIS Pro, and other ArcGIS applications and tools have been designed to work effectively within secure networks, even those that are fully disconnected from the internet. Several key considerations for ArcGIS in secure networks are provided.
- ArcGIS software components expect direct line-of-sight to other ArcGIS applications or endpoints. This applies to ArcGIS Enterprise components such as ArcGIS Server and ArcGIS Data Store, as well as desktop clients such as mobile apps, ArcGIS Pro, and ArcGIS Earth. Direct connectivity means that systems can communicate without an identity-aware proxy or other layer of authentication between the components that are operating on the same network. In secure networks, the use of forward proxies is common to provide access to other enterprise resources and endpoints or external, internet-based data, services, or applications. See forward proxies for additional considerations.
- For systems that require public-facing endpoints or host public web applications, the use of a DMZ-style deployment is recommended, along with configuration of a web application firewall or other incoming traffic detection device or software.
- More secure networks often imply more secure operating system configurations, such as use of Windows hardening processes or Security-Enhanced Linux (SELinux). These processes can introduce a wide array of configuration changes that, while generally compatible with ArcGIS systems, may introduce errors or connectivity issues that are difficult to identify or diagnose. When system hardening is involved in secure network design, work closely with your organization’s IT professionals and security experts to understand the configuration changes, and implications and testing options, to understand where an issue may have been introduced.
Resources
Specific guidance on inter-machine port requirements for ArcGIS Enterprise components is provided in the relevant software documentation. The documentation also includes a helpful diagram of port requirements for ArcGIS Enterprise components.