Do I need WebAdapter for Server?

LisaT · ‎09-08-2016

Hi, I am trying to outline an infrastructure for a new ESRI Suite deployment. We are currently on 10.0 and so instead of doing an upgrade we are just going to start fresh with new servers and downloads. We would like to use Portal. Our current thoughts are to put Server and Portal on one machine with a Data Store on a separate machine. I know that Portal needs a Web Adapter, but am trying to decide if I should also install a Web Adapter for Server. From what I understand, Portal with a Web Adapter will essentially do most of what a stand-alone (without Portal) Server with Web Adapter will do and so my initial thought is to NOT install a separate web adapter for Server. However, we will also need to migrate our in-house web application to use the new 10.4 setup. Currently, our in-house web application uses the Javascript API and REST to expose published 10.0 MapServices. Since we do not have time to rewrite the whole web application right now, I will want to continue doing this. Does anyone know if I can still access the MapSevices directly using the Portal with Web Adapter, or will I need to install a separate WebAdapter for Server? If it is just a matter of changing the URL signature then that is doable, but I don't want to have to completely rewrite the code that accesses it. Any thoughts or pros/cons will be helpful!

RebeccaStrauch__GISP · ‎09-08-2016

Derek Law‌ might be a good one to answer this, but I'll give you what I understand.

If I remember correctly, you typically need different web-adapters for AGS vs (internal) Portal (I think Derek mentioned that in another thread). Portal is typically internal only, and not exposed to the public, so if you plan to have public web services, for security purposes, you would want to have a web adapter installed.

AGS help About the ArcGIS Web Adaptor—Installation Guides (10.4.1) | ArcGIS for Server

But in the meantime, here are a few resources that may help:

/blogs/eric/2014/06/26/when-is-the-arcgis-web-adapter-needed (from 2012, but probably still helpful)
ArcGIS Security—Trust ArcGIS | ArcGIS
Setting up a Proxy | Support Services Blog
/blogs/HackingArcSDE/2015/07/30/summary-of-arcgis-server-ssl-issues

Security is the key of course.

If at some point you are looking at getting into Web AppBuilder developer edition, check out my blog page /blogs/myAlaskaGIS/2016/03/09/web-appbuilder-developer-edition-customization-resource-list?sr=search...‌ which has links to many of those resources. WAB is one of the nice benefits of using a portal (AGOL or Portal), but of course reliance on a portal is also a downside....but that's life. Custom JS apps don't have that reliance on a portal, so if you've got 'em...

DerekLaw · ‎09-08-2016

Hi Lisa,

> Our current thoughts are to put Server and Portal on one machine with a Data Store on a separate machine.

We recommend that you install Server and Portal in separate machines. In this way, if Server is really active or busy, it will not affect the performance of Portal.

> Portal with a Web Adapter will essentially do most of what a stand-alone (without Portal) Server with Web Adapter will do

Not quite true. Portal for ArcGIS requires a Web Adaptor to work, while the GIS Server can optionally use the Web Adaptor. Reasons why you would may want to use the Web Adaptor:

- enables web-tier authentication

- provides more flexibility to control access to the Server site

- you can leverage web server features

- it is conceptually like a reverse proxy for the Server site

> Does anyone know if I can still access the MapSevices directly using the Portal with Web Adapter, or will I need to install a separate WebAdapter for Server?

This will greatly depend on the security model you configure for your Server site and for Portal for ArcGIS. To be clear, Server and Portal have 2 separate security models, you can optionally "federate" your Server site with Portal so that it uses the same security model as Portal.

Within the context of your situation where you have an existing web app that is currently referencing web services directly from the Server site, you can "switch" it to access web services from your new 10.4 Server site, but Portal would not be a factor in your deployment. If you decide to change the web app to work with Portal, then you should evaluate what security you would like to set for the Server site.

A good starting point for understanding Server/Portal security:

ArcGIS Server and Portal for ArcGIS: An Introduction to Security | Esri Video

Hope this helps,

Anonymous User · ‎09-09-2016

check this one also

Configure ArcGIS Web Adaptor after installation—Installation Guides (10.4.1) | ArcGIS for Server

LisaT · ‎09-09-2016

Thank you all! Let me read through some of these resources and get back to you. I'm sure I will have more questions. As a note, the website that I am referencing is currently an internal intranet website that is not exposed outside of our network. We have plans to play with Azure and/or another portal deployment that would be exposed to external users...but one step at a time! We are a global company and have purchased licenses so that we can play with an Azure deployment in the near future. I am in a bit of a hard spot because our IT department is not the best and I only have 1 other person helping me with the deployment. I am trying to find a good mix so that we can quickly deploy a system that works with our current setup, but is scalable and doesn't depend on the IT department too much (my manager really wants to go with Azure for this reason...sad, I know). We want to use portal, have external users, and completely update the above referenced internal website within the year.

LisaT · ‎09-09-2016

Ok, I am running into another snag while trying to make this decision. I am confused about the authentication. We use Active Directory. If I read this:

http://server.arcgis.com/en/portal/latest/administer/linux/use-your-portal-with-ldap-and-web-tier-au...

it seems that I have to deploy both of the adapters (Portal and Server) on a Java machine. However there is also this:

http://communityhub.esriuk.com/technicalsupport/2014/10/24/arcgis-server-authentication-vs-web-tier-...

that seems as if we can just set up windows authentication in IIS. The last link is kind of old, but I have found references to it in other places, too. So, what gives? Is the Java implementation somehow doing a different job? I just want my users to be able to log into their computer and not have to log in again to use portal (windows authentication). Will the Java implementation only come into play when we start publishing websites with external access? Does anyone know a good link to explain the difference between setting up the adapter on an IIS machine with windows authentication vs a Java machine with LDAP?

Thanks for your help! I am slowly muddling through everything...

Anonymous User · ‎09-09-2016

As shown above you can use web adapter on same machine or different also,

while using LDAP based authentication you need to configure on ArcGIS server manager

We are using single machine configuration with web adapter and NLB,

Services have LDAP based ArcGIS Server Security....

DerekLaw · ‎09-11-2016

Hi Lisa,

> ... it seems that I have to deploy both of the adapters (Portal and Server) on a Java machine.

No. If you're using Windows OS for your Server and Portal installations, then you don't need to install anything on a Java machine.

> I just want my users to be able to log into their computer and not have to log in again to use portal (windows authentication).

Yes, you can set-up security for your GIS Server site with windows authentication, help topic:

Configuring ArcGIS Server's authentication tier—Documentation (10.4) | ArcGIS for Server

As I stated previously, by default the GIS Server and Portal for ArcGIS have 2 separate security models. You can keep them separate, or you can federate your Server site with Portal. It depends on if you want a single-sign on user experience when someone logins into Portal, then can access secure web services on the Server site. Please watch the UC tech session video I referenced in my earlier post.

Hope this helps,

LisaT · ‎09-12-2016

Thanks Derek and Avinash. Good to hear that I can use Windows OS for Windows Authentication/Active directory. Some of the verbiage in the installation docs is confusing! I will continue looking at this, and then I plan to start looking closely at federating Server. I am a little apprehensive that it will change our current structure too much, though. I am primarily concerned with how the aforementioned internal website will need to change. As long as I can still access the MapServices in the same way with the JavaScript REST API then I think it will be OK. However, since Server will now be a layer under Portal then I am going to guess there will be some code changes. After I have documented some notes on the current train of thought (not federating and using Windows OS security) I will take a look at federating to compare which may be better. Have other companies had a lot of problems with fitting their current infrastructure into a federated infrastructure?