Signing in to Collector with Enterprise?

1789
8
Jump to solution
01-30-2020 09:04 AM
ChristopherBertrand
Occasional Contributor

Our Portal is not accessible from outside the organization's domain.  Normally this is fine, except I'd like to use Collector for the remote collection of data.  Networks and network security are not my bailiwick.  What do I need to do to make the server visible to devices (just these devices?) with Collector?  If this something that isn't something that can be changed just within the ArcGIS Enterprise software, what are the questions I need to bring to our IT department to better understand the situation?  Can this be done without making our system "public"?

0 Kudos
1 Solution

Accepted Solutions
DerekLaw
Esri Esteemed Contributor

Hi Christopher,

> Networks and network security are not my bailiwick. .... what are the questions I need to bring to our IT department to better understand the situation?  Can this be done without making our system "public"?

Please review this esri whitepaper to get some background on the topic,

ArcGIS Secure Mobile Implementation Patterns whitepaper

It will give you some background, security basics, and get the discussion started with your IT group.

Hope this helps,

View solution in original post

0 Kudos
8 Replies
MichaelTorbett
Occasional Contributor II

Hey Christopher,

Does your company also have an ArcGIS Online Org account? If so, you can setup a Collaboration between ArcGIS Online and Portal. If you're not familiar with Collaborations, see the link below to get you started. I've had to do this in the past when my portal wasn't shared outside of  the network.

 Distributed collaboration—ArcGIS Online Help | Documentation 

ChristopherBertrand
Occasional Contributor

I'm afraid not.   We get our software licenses through an ELA that doesn't offer Online.

0 Kudos
MichaelTorbett
Occasional Contributor II

Got it. I'm not a networking expert, but I think your portal needs to be public facing. In other words, you need to be able to ping it without being connected to the network. In my agency we have a internal facing router and a public facing router. To get mine to work I had my IT Staff point our Portal/GIS Server to the public router. Hope this helps.

0 Kudos
DavidColey
Frequent Contributor

Hello - your IT security team has to make the server hosting your portals' web adaptor visible to the outside.  If you are not using web adaptor, and/or are using web authentication through IIS, and/or are only using the base deployment, then I don't know that anything else I add below applies.

Our org uses F5, a type of proxy server that controls external web traffic to our org. The server hosting the web adaptor is then given an alias name like "ags.yourorg.net" (or .org or .com, whatever you use) and assigned our organizations CA-signed certificate, because you must use https.

Each server hosting the other components of enterprise, such as portal, server and data store, must also be aliased using DNS, like gis1.yourorg.net, gis2.yourorg.net, etc and also assinged your org's CA-signed certificate. 

If you don't have these alias names in place and an assigned CA cert on all your machines then collector will fail to update any data.

You then disable anonymous access to your portal.  This forces everyone trying to connect to ArcEnterprise externally to login through portal's security. So instead of everyone connecting http://machinename:7443/arcgis/home they are connecting to https://ags.yourorg.net/portal where portal is the name of your web adaptor.  

ChristopherBertrand
Occasional Contributor

Thanks David.  Most of that does look familiar.  We have a single server with a base deployment.  The Portal has been set to utilize Windows Active Directory and anonymous access has been disabled.  I'll have to look in the certificates issue further.

When asking IT about making the server visible to the outside, what's the terminology I need to use to make myself clear what I'm looking to do?

0 Kudos
KellyNeumeier
New Contributor II

We are still in the testing phases but our portal is internal only and we are going to be using Collector for field data collection/editing.  We are logging into our own internal network to download the web maps and data and then go offline, syncing edited data when we come back.  Collector is designed to do this.  

DerekLaw
Esri Esteemed Contributor

Hi Christopher,

> Networks and network security are not my bailiwick. .... what are the questions I need to bring to our IT department to better understand the situation?  Can this be done without making our system "public"?

Please review this esri whitepaper to get some background on the topic,

ArcGIS Secure Mobile Implementation Patterns whitepaper

It will give you some background, security basics, and get the discussion started with your IT group.

Hope this helps,

0 Kudos
JeffShaner
Esri Regular Contributor

Christopher,

There are 2 main approaches taken:

1. As David mentions above, your IT group can expose the Portal outside of your firewall. Here is a documentation topic that you can point them to: Configure your portal to use a reverse proxy server—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Ent... 

2. If your organization uses an MDM or would consider deploying Collector through an MDM (there are several options), then you can utilize per-app VPN. This is essentially providing a solution where Collector will automatically VPN into your network using a cellular or wifi connection and access the portal. 

Good luck and as Derek points out, please have them give the Secure Mobile Patterns whitepaper a read.

Thanks


Jeff