Latest Contributions by SamLibby

@ThomasHoman  My recommendation is to use self-signed certificates for backend components (i.e. the 6443/7443 listeners of a GIS Server / Portal site) as they are not client-facing. If organizational or regulatory standards require those to be updated to CA-signed and valid certs, then that is a lot of additional management.    I do not know the content of the course you referred to, but I would say that my opinion is that statement is correct for the external-facing certs, not "all" certs. There are mostly opinions, not cut and dry facts here, unfortunately.  ... View more

Thanks for posting, I didn't realize you got here through a case already.  ... View more

If that is the case, please submit a tech support case to get that reviewed. It may already be logged as an enhancement or bug request, but your scenario helps to further the investigation. ... View more

To get specific on a few topics.  1. A Map Service is what you are publishing, results in a /MapServer or Map Service endpoint, 2. A Map Service can optionally have a capability enabled called Feature Access,  which creates a second endpoint at ServiceName/FeatureServer, a Feature Service endpoint. 3. Feature Layers can be created from either a Map Service Layer or a Feature Service Layer, i.e. /ServiceName/MapServer/0, or /ServiceName/FeatureServer/0.  These things are true of ArcGIS Server without Portal and items in the mix. When your ArcGIS Server site is federated to the Portal, publishing a Map Service results in the creation of a Map Image Layer item, the sharing of which controls access to that /MapServer/* endpoint - only users who can "see" the item in Portal can "see" the MapServer endpoint (and access it either as a dynamic map service layer, or as a feature layer from one of the layers in the Map Service. If you enable Feature Access on that Map Service, a second item is created, with a Feature Layer item type. This item should control access to the /FeatureServer/* endpoints, but has nothing to do with the Map Service endpoints.    With that context, your last line "Visit the REST endpoint: the secured feature layer is still accessible publicly" - is this referring to the Map Service endpoint or the Feature Service endpoint?     ... View more

Thanks for sharing this, it's indeed a pretty significant change. An important recommendation here is a reminder that ArcGIS Enterprise administrators can simplify their lives substantially by only applying this guidance and automation to their reverse proxy or load balancer, all client traffic routed through that endpoint would then be able to benefit from automated certificate management, and likely the software + cloud providers will have good patterns for managing cert renewal on those endpoints by that time (and already do in many cases). Applying and re-applying CA-signed and trusted certs to backend endpoints that users do not interact with is comparatively not as critical, and that distinction between 6443 + 7443 + other endpoints is important. Some users may have "end to end trust" requirements where they need every communication to be through a trusted, valid cert, but this is more uncommon in my experience.  ... View more

Hi Prashant, could you add an image suggesting what you'd like to see in this functionality? It would help to understand the specifics of what you are looking for.  ... View more

Hi Jonathan,   I worked with some folks on the development team to confirm this is not possible at this time - managing map state in another way will be required. If this continues to be of interest, please submit an Enhancement Request through the Support Site so we can track interest in adding that feature.  ... View more

Since this thread is a high Google Search result, I wanted to post an updated Tech Article that refers to issues around supporting F5 APM and other similar Identity-Aware Proxy technologies: https://support.esri.com/en/technical-article/000027787  ... View more

Sorry for the delay, all - please see this file which should give you a great starting point: https://github.com/Esri/idp/blob/main/Documentation/OpenID/AWS%20Cognito.md ... View more

Hi Keith, I think the answers are: 1. No, the ArcGIS Online hosted feature services are not deleted if Enterprise has an issue 2. Yes, collaboration will re-engage once the Enterprise comes back online. ... View more

I think this is going to be a complicated path to go down - though not impossible, it will likely require a lot of trial and error. Using tools like APIM requires a very detailed understanding of how to forward traffic / reverse-proxy traffic through that service. We do have guidance on the Trust Center at https://trust.arcgis.com on Azure WAF Rules, which may help with that tier.   In addition, note that accessing the same Portal/Enterprise deployment using two different URLs is not a supported pattern - the software assumes a consistent WebContext (eg. https://myserver.domain.com/portal) is used by all users who access the Portal.  So, I would suggest rethinking that component to identify what is driving you towards separate internal/external access and whether that can be accomplished in a different pattern. ... View more

I assume you are referring to ACM when you say 'AWS SSL Certificate"? I believe the way the CloudFormation templates work now, they expect you to have a certificate file provided. You could then later add an Application Load Balancer with an Amazon (ACM)-managed Certificate, if you wanted to switch to using that, but I don't think there is a way to roll one CF template that includes an ACM cert.  ... View more

One idea would be adding each individual layer to a web map as a feature layer (/0, /1, /2 etc.) and seeing if the features display reliably. When you say the popups have been customized, what do you mean by that? That you configured them and saved them in the web map after publishing the service? There are two relevant levels of popup configurations: 1. the web map's configuration (by saving the popup config of a specific web map) 2. the configuration of the portal item that represents the federated service (by selecting "save layer" on the layer once configured in a webmap).     ... View more

I am not sure if there is some kind of artificial floor where you cannot zoom in farther, but as I understand it...:   The scale levels of the map viewer are defined by the tile levels of the basemap layer (or should be). So I think you're on the right track with your approach, but maybe mixing the layers into the basemap made it take the smallest scale as the floor.    I'd suggest starting a new web map, adding your own tile service as the only basemap layer, and then seeing what happens at that point with the zooms. If the imagery layer is a compatible spatial reference, it should be able to be overlaid on top of that basemap as a normal layer, not as a "second basemap layer". ... View more

I don't think there is any issue deploying it to the same vnet, the only concern would be if you need to make any substantial changes to the vnet, you now have two application stacks impacted instead of one by any downtime. Since virtual networks are free in Azure, I would personally suggest a second, separate vnet for ArcGIS Enterprise unless you have a specific network or security reason for keeping them on the same vnet. ... View more