
Troubleshooting Windows Firewall + Docker NAT Issues on ArcGIS Notebook Server

Last Updated: 27 Jan 2026
Author: Joel McCune, Sr. Technical Consultant


Overview

When running ArcGIS Notebook Server on Windows Server (2022+), Docker containers may start successfully, yet the Notebook Server cannot reach the Jupyter service inside the container (default port 8888).

On launch, the Notebook Server UI hangs at 60% progress and eventually times out. The Notebook Server logs may show repeated connection failures, with a message similar to the following.

ArcGIS Notebook Server is not yet ready to receive requests for
https://127.0.0.1:30003/nb/notebooks/41aa784e7be84e1a8e060bc2b09033fd/api/sessions/.

Retrying...

Info

This is a FINE-level log message indicating that the Notebook Server cannot connect to the Jupyter service inside the Docker container; it repeats in the logs. To determine whether this is the issue, you need to enable FINE (or DEBUG) logging for the Notebook Server.

A common root cause is that Docker’s NAT network adapter is assigned to the Public firewall profile, and the organization applies CIS Benchmark policies that cause the Public profile to ignore locally created firewall rules. When this happens, manually created firewall rules never take effect, and connectivity fails until a GPO‑delivered allow rule is deployed.

Tip

A clear test is to temporarily disable the Public firewall profile. If connectivity is restored (that is, you are able to successfully launch a Notebook), you have confirmed that the Public profile is blocking required traffic.

This KB provides a repeatable diagnostic and remediation workflow.


What CIS Benchmarks Are

The Center for Internet Security (CIS) publishes widely adopted security baselines for operating systems and applications.

🔗 https://www.cisecurity.org/cis-benchmarks/

For Windows Server, CIS Benchmarks often enforce:

  • Ignoring locally created firewall rules on the Public profile
  • Mandatory use of centrally managed GPO firewall rules
  • Highly restrictive inbound policy defaults
  • Alignment with NIST, ISO 27001, and Zero Trust frameworks

Info

If your organization implements CIS Level 1 or CIS Level 2 benchmarks, local firewall rules may not apply, and only GPO-sourced rules will be honored.


What GPO Firewall Rules Are

A Group Policy Object (GPO) is a centrally managed configuration package distributed through Active Directory.

A GPO firewall rule:

  • Is enforced by domain controllers
  • Overrides locally created rules
  • Ensures consistent, auditable security policy
  • Is required for systems hardened under CIS baselines

If your Public profile ignores local rules, GPO rules are the only rules that apply.


1. Determine the Active Windows Firewall Profile

PowerShell

Get-NetFirewallSetting -PolicyStore ActiveStore |
  Select-Object -ExpandProperty ActiveProfile

Command Line

netsh advfirewall show currentprofile

If Public is active, continue.

Reference: KB0015997 – Determine Active Windows Firewall Profile
🔗 https://esri.service-now.com/api/now/table/kb_knowledge_base/0122d41adba8a700951dab8b4b9619ed


2. Detect Whether Local Rules Are Being Ignored (CIS/GPO Behavior)

Check Public Profile Settings

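Get-NetFirewallProfile -Profile Public -PolicyStore ActiveStore |
  Select-Object Name, DefaultInboundAction, AllowLocalFirewallRules, AllowLocalIPsecRules

Querying the ActiveStore returns the effective settings, including any delivered by Group Policy; without -PolicyStore, the cmdlet reads only the locally configured values. If AllowLocalFirewallRules = False, the machine is enforcing CIS-like restrictions.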

Check Effective Rule Sources

Get-NetFirewallRule -PolicyStore ActiveStore |
  Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSource, PolicyStoreSourceType

If only GroupPolicy rules appear for the Public profile, local rules are being ignored.
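
The checks from steps 1 and 2 combined into one read-only script, as an added example that is not part of the original KB. It assumes the Docker NAT adapter alias is "vEthernet (nat)" (the name used in Option B) and goes slightly beyond the text by matching port ranges in each rule's port filter.

```powershell
# Added example (not from the original KB). Read-only: changes no settings.
# Assumption: the Docker NAT adapter alias is "vEthernet (nat)", as in Option B.
$alias = 'vEthernet (nat)'
$port  = 8888   # Jupyter port named in this KB

# True when a rule's LocalPort list ('Any', '8888', '30001-31000', ...) covers $Port.
function Test-PortCovered([string[]]$LocalPort, [int]$Port) {
  foreach ($p in $LocalPort) {
    if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
    if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and
        $Port -le [int]$Matches[2]) { return $true }
  }
  return $false
}

# The network category of the Docker NAT adapter decides which profile filters it.
$conn = Get-NetConnectionProfile -InterfaceAlias $alias -ErrorAction SilentlyContinue

# ActiveStore is the effective policy (Group Policy merged with local settings).
$public = Get-NetFirewallProfile -Profile Public -PolicyStore ActiveStore

# Enabled inbound allow rules that apply to Public and cover the port over TCP.
# Resolving the port filter per rule is slow on hosts with many rules.
$hits = Get-NetFirewallRule -PolicyStore ActiveStore |
  Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                 $_.Action -eq 'Allow' -and "$($_.Profile)" -match 'Any|Public' } |
  Where-Object {
    $f = $_ | Get-NetFirewallPortFilter
    $f.Protocol -in 'TCP', 'Any' -and (Test-PortCovered $f.LocalPort $port)
  }

[pscustomobject]@{
  NatAdapterCategory      = if ($conn) { $conn.NetworkCategory } else { 'adapter not found' }
  PublicInboundDefault    = $public.DefaultInboundAction
  AllowLocalFirewallRules = $public.AllowLocalFirewallRules
  EffectiveAllowRules     = @($hits).Count
} | Format-List

# Source type (GroupPolicy or Local) of every effective rule that covers the port.
$hits | Select-Object DisplayName, Profile, PolicyStoreSourceType, PolicyStoreSource |
  Format-Table -AutoSize

if ($public.AllowLocalFirewallRules -eq 'False' -and -not $hits) {
  'Local rules are not merged on Public and no effective rule covers TCP {0}; deliver the rule through GPO (Option A).' -f $port
}
```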

Reference: KB0015998 – Domain Profile Not Selected (NLA Troubleshooting)
🔗 https://esri.service-now.com/api/now/table/kb_knowledge_base/0122d41adba8a700951dab8b4b9619ed


3. Resolution Options

Option A — GPO-Delivered Inbound Allow Rule

Create a GPO-delivered inbound allow rule:

Setting         Value
Profile         Public
Protocol/Port   TCP 8888
Optional        Port range 30001–31000 for Notebook → Docker mappings
Rule Source     Group Policy

This is the correct solution when local rules are ignored.


Option B — Change the Docker NAT Adapter to Private

If allowed by IT/security policy, this lets local firewall rules apply.

Identify the adapter:

Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory

Change the category:

Set-NetConnectionProfile -InterfaceAlias "vEthernet (nat)" -NetworkCategory Private

Re-check the active firewall profile after making the change.


Option C — Diagnostic Only: Temporarily Disable Public Firewall

Set-NetFirewallProfile -Profile Public -Enabled False

If everything works immediately, you have confirmed that the Public profile was blocking required traffic.
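
One way to keep the Option C test bounded, as an added example that is not part of the original KB: it records the locally configured state, disables the Public profile for a single manual test, and restores the recorded state in a finally block. It assumes an elevated PowerShell session.

```powershell
# Added example (not from the original KB). Run from an elevated session.
# Locally configured state of the Public profile before the test.
$before = (Get-NetFirewallProfile -Profile Public).Enabled

try {
  Set-NetFirewallProfile -Profile Public -Enabled False

  # Effective state after the change. If Group Policy sets the firewall state,
  # the effective value may not follow the local setting.
  $effective = (Get-NetFirewallProfile -Profile Public -PolicyStore ActiveStore).Enabled
  "Public profile effective state during the test: Enabled=$effective"

  # Manual step: launch a Notebook and note whether it gets past 60%.
  Read-Host 'Launch a Notebook now, note the result, then press Enter to restore' | Out-Null
}
finally {
  # Runs on normal completion, on errors, and on Ctrl+C, so the profile
  # returns to the state recorded above.
  Set-NetFirewallProfile -Profile Public -Enabled $before
  Get-NetFirewallProfile -Profile Public -PolicyStore ActiveStore |
    Select-Object Name, Enabled
}
```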


4. Validate End-to-End Connectivity

Test host-to-container connection:

Test-NetConnection -ComputerName 127.0.0.1 -Port 8888

Validate NAT port mappings:

Get-NetNatStaticMapping

Check effective rules (GUI):

Open wf.msc → Monitoring → Firewall → Effective Rules

  • Confirm the rule appears
  • Confirm Policy Source = GroupPolicy if using Option A

  • Establish whether Docker NAT should be treated as Private or remain Public + GPO rules.
  • If CIS Benchmarks are active:
    • Assume local rules do not apply
    • Always apply ports through GPO
  • Required Notebook Server ports:
    • 8888 (Jupyter)
    • 30001–31000 (ephemeral mapping range)
  • Follow ArcGIS Enterprise Hardening practices.

Hardening Guides (Internal Files)

  • ArcGIS_Enterprise_Hardening_Guide.pdf
  • ArcGIS_Enterprise_Hardening_Guide_March_2025.pdf

(These are internal SharePoint/OneDrive assets accessible in the Esri environment.)


6. Quick Command Reference

# Active firewall profile
netsh advfirewall show currentprofile

# Public profile settings
Get-NetFirewallProfile -Profile Public -PolicyStore ActiveStore

# Effective firewall rule sources
Get-NetFirewallRule -PolicyStore ActiveStore

# Change Docker NAT to Private
Set-NetConnectionProfile -InterfaceAlias "vEthernet (nat)" -NetworkCategory Private

7. Additional Useful References