I am installing Portal internal to a domain. Because it is all internal there is no need for SSL.
I am finding it almost (if not completely) impossible to configure Portal without SSL. Within Portal itself on the security page I have unchecked the 'Allow access to the portal through HTTPS only.'
The issue seems to really be with WebAdapter. When I go to register the Portal with Web Adapter I give it the address:
http://mymachine:7080 (instead of 7443). This works for doing the registration, however, when it registers the Portal it still gives it the Url: https://mymachine/arcgis/home. What I want is the Url to be: http://mymachine/arcgis/home.
So no matter what I do it will send me to the SSL port when I try to connect, which then gives a certificate warning.
When I install WebAdapter I tell it to use Port 80.
Using version 10.4 of Server, Portal, WebAdapter
Is it possible to get this working with everything on Port 80? I find it really annoying that Esri wants me to add a level of security which is not needed and requires I either install a Windows domain Cert Authority (a complete pain), get a public certificate (expensive and requires I use public names inside my domain), or live with cert warnings (which means users call the help desk constantly).
Thanks
-Joe
Applying the cert is not the issue. It is setting up the AD CA (Active Directory Certification Authority) server role that I found complicated.
I believe I am in a different implementation situation than you seem to be. As a consultant I am not in control of what an enterprise IT department wants, can, or is willing to do. Usually adding server roles is not something a large IT organization will easily agree to. So if they don't already have their own domain CA it may not be a possible solution. Jacob's initial suggestion I find may be a workable solution in situations where working with a large IT infrastructure is part of the requirement because it can be done without adding server roles. And I agree with Randall Williams in theory. But again, there are situations when one only has so much influence on IT infrastructure and so there need to be solutions that don't require something like adding a Domain CA.
Yep, that's a very different scenario. Our IT department is much more flexible than many organizations I've dealt with over the years. Of course, we're only serving about 700 employees (w/ 40 in IT) so we can be more flexible. I've been in your situation and frankly, it's no fun to be at the mercy of others. Especially when it's a large, ponderous beast. As the manager for our GIS and Maximo IT programs, I get to control our servers. And I can walk a few doors down and talk with our leads for AD, Systems, Network or even the CIO. That's very different than being at the whims of the ponderous IT group.
It used to be that Portal did not require SSL but only considered it Best Practice. Your point is valid. But I would think just about any IT dept in this day and age already has CA in their systems and would support your efforts for security. But there are always the exceptions.
Best of luck
Hi Jacob:
Can you expound on this statement: "just map everything to the HTTPS connection"?
Are you saying, we can register an older http: map service with Portal but then just share the https connection that Portal will be serving up?
The part that I'm confused by is that I can Add Item from our older 10.1, http servers and they show up in Portal just fine.
At this point, I have the Hosting Server using HTTPS Only and Portal has Allow access to the Portal through HTTPS only.
I'm confused as to how the older non https server is able to communicate with Portal since it's not speaking Https.
I must have missed something in my reading (or I skipped over it...)
I have other things that I need to learn & understand about Portal (annotation won't import in a zipped file.gdb but will show from the old map service... etc... but I think these are hijacking this thread and belong in their own)
Thanks...
You can enable both https and http for ArcGIS Server: ArcGIS Help 10.1. Are you planning on making this externally accessible? If not, just set up your 10.1 instance as http/https, allowing both communication types, and just map your connection in portal to the HTTPS. You don't even need a web adapter to do this, you'll just map to https://server.yourinternaldomain:6443/arcgis.
Steps from 10.1 help:
Any idea why I'm able to Add Items in portal from the http server?
Portal is set to https only and our Hosting Server is https only.
The old server is set to http only.
I can use these registered map services in Portal on maps just fine in most cases.
There is one dev 10.4 server running that appears to offer up map services but then I can't put them on a map in Portal
I have not tried to make a web app yet. I saw similar behavior in AGOL.
I could register http map services in AGOL when inside the firewall and place them on a map.
But when I tried to create a web app or look at the maps via VPN, I could no longer see the rest endpoints.
I believe this is a well known issue with AGOL and one reason the local map widget was created.
I can of course easily set these older servers to "http or https", as referenced above.
But these are in use with mission critical stuff and are fickle.
So I hesitate to change them out.
Have you ever seen any problems from modifying the configuration like that?
And I assume I'd have to install the domain certificate on those services in order for them to respond correctly.
Or will portal feed those servers the certificate and let them follow the chain out and use it?
I do have a test server I'll do it on first but it's just not as heavily loaded...
Thanks