Portal privatePortalUrl and Federation Admin Url from Cloud Builder deployment

17096
31
07-27-2017 04:16 PM
FraserHand1
New Contributor III

I am looking for a bit of clarification on the privatePortalUrl setting in ArcGIS Enterprise / Portal for ArcGIS and the Server Admin Url in federation in a Cloud Builder context

The description of the setting in the API reference says

  • privatePortalURL—Informs the portal that it has a front end load-balancer/proxy reachable at the URL. This property is typically used to set up a highly available portal configuration.

In this thread Portal Best Practices for setup?  this comment is made

"In Portal HA, you'd also set the private portal URL for Portal, (the URL used by Server to talk to Portal) to go through a load balancer as well to make sure that even if one of the Portals go down, you can still reach the Portal." Jonathan Quinn

so is this url just for internal traffic only and doesn't need to be resolved externally? When deploying through Cloud Builder this is set to be one of the internal load balancers in front of Portal, but behind a public reverse proxy (using IIS with ARR).

The second part of this is also when deploying with Cloud Builder, the Portal / GIS Server federation has the public DNS for the services url and the internal load balancer in front of the GIS servers for the admin url.

What I see is that when using ArcGIS Pro it is very slow to share web layers etc and you can see this internal IP being exposed - there are multiple timeouts as ArcGIS Pro attempts to connect to the load balancer ip (on the admin url) - it eventually does bring up the sharing tool and does share ok but makes the experience in ArcGIS Pro very slow.

Looking at the AWS documentation it states that the services and admin url should be the same public DNS - is this the same for Azure? And why is Pro connecting to the federated admin URL anyway? Shouldn't this be faciliated by Portal? What happens if this is disabled as per portalscan / serverscan recommednations? I had thought that the admin url was another back end channel for comms between Portal and the GIS server?

So the question is if this is a private "backend" communication channel why does ArcGIS Pro attempt to connect to it? Should this setting be an external DNS? 

If anyone could provide some insight into the actual mechanics of ArcGIS Pro and the federated admin url that would be appreciated.

Thanks

Fraser

EDIT:

Deploy Portal for ArcGIS on AWS—ArcGIS Enterprise on AWS | ArcGIS Enterprise 

{"localHttpPort":"80","localHttpsPort":"443", "portalLocalHostname" : "awsportal.esri.com", "privatePortalURL" : "https://awsportal.esri.com/arcgis" }

There is another linkwith the federation whihc also has the external public DNS

31 Replies
JTessier
Occasional Contributor II

Thanks Jonathan,  anyway to change the Private Portal Url after the AGS site has already been federated?  In a config file or registry somewhere on the ags servers?

0 Kudos
JonathanQuinn
Esri Notable Contributor

We can update the documentation to indicate it's for all federated servers, including hosting server. Yes, under the Security page for the Server in the Admin API, you can update the privatePortalURL property within the JSON of the configuration. I would make sure you can reach the Sharing API in a browser through the URL you're going to use prior to updating it:

Ex.

<privatePortalURL>/sharing/rest == https://lb.domain.com:7443/arcgis/sharing/rest

VishApte
Esri Contributor

Hi Jonathan,

Can you please elaborate on <privatePortalURL>/sharing/rest == https://lb.domain.com:7443/arcgis/sharing/rest

I have setup ArcGIS Enterprise 10.7.1 with privatePortalURL as https://dnsforportal.company.com:7443/arcgis and WebContextURL as https://portaldmz.company.com/gisportal and have restarted Portal service after. Portal machine has ssl certificate including root and intermediate matching dnsforportal.company.com and browsers seems to happy when accessing https://dnsforportal.company.com:7443/arcgis/portaladmin and does not give any SSL warning. However, if I browse to https://dnsforportal.company.com:7443/arcgis/sharing/rest, it redirects to https://portalsvr.domain.com:7443/arcgis/sharing/rest where portalsvr.domain.com is the FQDN of the portal server. Same for https://dnsforportal.company.com:7443/arcgis/home, redirects to https://portalsvr.domain.com:7443/arcgis/home . I would expect that because of the privatePortalURL property, portal's web server will stay on https://dnsforportal.company.com:7443/

I am not sure X-Forwarded-Host setting is required in DNS as the documentation says not to set-it. Besides I am not sure how this can be set in DNS. Is anything else required to use DNS based url as privatePortalURL?

May be because of this redirect to FQDN, when I attempt a federation with a ArcGIS Server, server cannot register items with portal.  https://dnsforportal.company.com:7443/arcgis/sharing/rest seem to be inaccessible to the ArcGIS Server.

Thanks,

Vish

0 Kudos
JonathanQuinn
Esri Notable Contributor

Was it working prior to the restart? Try to set the system properties again and see if it still redirects. You don't need to make any changes, just go to Portaladmin > System > Properties > Update > Update Properties. Once Portal restarts, check if it redirects still. If it doesn't, restart Portal again and see if it starts redirecting. If it does, I'd suggest you contact Technical Support so they can take a look, but you have a workaround to just "update" the system properties without making any changes.

0 Kudos
VishApte
Esri Contributor

Thanks for your reply Jonathan. But couldn't get it going.

I first federated without privatePortalURL property set. Federation between server and portal worked fine. I could see SampleWorldCities and other GP services in Portal under My Contents. Server admin showed ArcGIS_Portal as a authentication provider with portal properties showing portal machine's FQDN name and not DNS name. Everything looked as it should be.

I then unfederated the server using portaladmin. Unfederate was successful. Manually removed SampleWorldCities and other GP services in Portal under My Contents as these will be orphaned. Confirmed ArcGIS server has gone back to "GIS Server" as a security provider. Everything looked as it should be.

I then went to portal admin and added privatePortalURL property set to portal's https://dnsname.domain:7443/arcgis. Manually restarted Portal service after this, though I believe update of the portal property does it. Confirmed privatePortalURL is still set to DNS. 

I then federated the server again with Portal. No error but the "status" glyph beside server admin url remained as "?" even after validate. Went to My Contents in Portal and found nothing there. Was expecting SampleWorldCities and other GP services in there. Went to ArcGIS Server Manager and found that Sharing icon was not available for the SampleWorldCities and other GP services. Went to server admin and found that server has ArcGIS_Portal as a authentication provider with portal properties showing DNS name for the portal and not FQDN name. Server and Portal log had nothing meaningful. 

Restarted Portal and Server services. Still no sign of federation of services. ArcGIS Server still had ArcGIS Portal as authentication provider. Browsed to https://dnsname.domain:7443/arcgis/home Got redirected to https://servername.domain:7443/arcgis/home Browsed to https://dnsname.domain:7443/arcgis/portaladmin/ and this time no redirect. So somewhere Portal has not registered privatePortalURL.  

Am I missing a step here?

Support ticked is logged. ArcGIS Enterprise 10.7.1 and all Windows 2016 Datacenter servers. 

Cheers,

Vish

0 Kudos
VishApte
Esri Contributor

Hi Jon,

We got it worked out. It seems that the privatePortalURL must be set first and then WebContextURL should be added. If we set both in one go, somehow, privatePortalURL doesn't get registered completely. We could repeat this in 3 environments. So the steps are;

1. Install SSL certificate on port 7443 that matches DNS name for the portal.

2. Change the default self signed certificate to above.

3. Set privatePortalURL to DNS based URL using portaladmin.

4. Test privatePortalURL based URL for Portal Home in a browser and confirm it does not redirect to a server name based URL.

5. Configure Web Adaptor for Portal.

7. Add WebContextURL that matches Web Adaptor using portaladmin

8. Test Portal home via WebContextURL and via privatePortalURL and confirm it works without redirection.

9. Perform federation.

Not sure if this is as designed or a bug.

Cheers,

Vish

Sheh
by
New Contributor

Vish,

Did you create base deployment using Cloudbuilder?  Did you use layer 4 loadbalancer for private Portal? Deployment was on Azure or AWS?

How is it possible to set private portal url before WebContextUrl using cloudbuilder?

Thanks,

0 Kudos
by Anonymous User
Not applicable

Hi Vish,

Could you please help me with this information... We have high available setup with 2 portal machines

Your Comment above 

"We have setup ArcGIS Enterprise 10.7.1 with privatePortalURL as https://dnsforportal.company.com:7443/arcgis and WebContextURL as https://portaldmz.company.com/gisportal and have restarted Portal service after"

Questions??

1) What does this url in your load balancer points to https://dnsforportal.company.com:7443/arcgis

Does it point to 7443 port of high available portal machines or it points to 443 port of arcgis webadaptor of portal machines??

In our case privateportalurl points on 7443 ports as shown? Is it right or we should point it to webadaptor instead with 443 port?

2) What does this url in your load balancer points to https://portaldmz.company.com/gisportal

Does it point to 7443 port of high available portal machines or it points to 443 port of webadaptor of portal machines??

If in both cases above you're routing requests to webadaptor of highly available setup then can we use same url for both when we only have single load balancer ????

Please help we are very confused with these 2 urls

BR

Saurabh

0 Kudos
JonathanQuinn
Esri Notable Contributor

There are a variety of different deployment scenarios for an HA portal. The WebContextURL will always be set to 443, but the privatePortalURL can be set to either 443 or 7443, or any other port, in reality. All that matters is that it can send traffic to the backend portal machines, and check the health of those machines. Our cloudformation templates set the WebContextURL and the privatePortalURL to the same URLs. On the other hand, if you configure your environment with Windows Authentication, that would be set at the web adaptor tier. In this case, the privatePortalURL can't be set to a URL that hits the web adaptors, because it can't authentication against the 401 challenge.

Deployment scenarios for a highly available ArcGIS Enterprise—Portal for ArcGIS (10.8) | Documentati...

Ultimately, your decision to use  the same URL or different URL can come down to:

1) Security - do you need to bypass the 401 challenge at the web tier

2) Network traffic - do you mind if internal traffic between Server and Portal goes through the same endpoint as client side traffic?

There is no right answer. Your requirements will dictate what your topology looks like.

by Anonymous User
Not applicable

Hi Jonathan,

Can you please also help me in defining owning system url for relational and spatio temporal datastores . This is what we have currently for relational

and spatiotemporal

server is the WA context for hosting highly available servers. Now we are not sure from where these datastores have picked up these owning system url and why for relational it has picked up server as context and whereas for spatio-temporal it has picked up direct url of one of the hosting server.

Instead it should be https://gis.de-prod.dk/arcgis which is our LB url pointing to 6443 ports of hosting servers without WA.

Q/A?

1) Are these url's ok or we need to fix this, we are assuming it should NOT be dependant on single machine? If need to fix then how to change them?

2) Can we remove web adaptors installed for our hosting servers because we are not using them but don't know how relational datastore picked it up for owning system url.

BR

0 Kudos