Portal, ArcGIS Server are on the Web Server right?

02-08-2019 11:00 AM
JanieGoddard
Occasional Contributor III

Hi Derek,

You said in this link:

https://community.esri.com/thread/195693-how-many-ca-certificates-do-i-need

    Also, I typically have the web server (with the web adaptors), GIS Server, and Portal all running on the same machine - so I only have to get 1x CA certificate.

So all of this is on the forward-facing web server, isn't it?

Your SQL Server in this setup is on an internal server behind the firewall.

I'm trying to use Enterprise Builder to install Enterprise 10.6.1 on a new machine in a DMZ.

I just want to make sure I understand this configuration.

Thanks,
Janie

JonathanQuinn
Esri Notable Contributor

Ideally, you should install the web adaptors on your web server in the DMZ and apply the CA signed certificates there. On an internal machine, you'll have Portal, Server, and Data Store. These can use the self-signed certificates that are included with the install of the software.

If you split up where the web adaptors are and where the rest of the components are, then you only need ports 443/80 through your firewall instead of 443, 80, and 1433 (as SQL Server uses port 1433).

JanieGoddard
Occasional Contributor III

Hi Jonathan,

Thanks for answering! Thanks for telling me what port SQL Server uses. I couldn't find any documentation on SQL Server other than SQL Express on 10.6.1.

The way you are suggesting means I can't use Enterprise Builder 10.6.1, right?

Thanks,
Janie

JonathanQuinn
Esri Notable Contributor

Well, my recommendation would be to narrow the ports that need to go through your firewall. 443 and 80 are standard. If you use the Enterprise Builder and put everything in the DMZ, but you have SQL Server on an internal machine, you need to make sure port 1433 is open through your firewall. If you wanted to reach Portal or Server via 7443 or 6443 from an internal machine, you'll need to open those ports as well.

You can certainly put everything on the DMZ machine using the Enterprise Builder, just be aware of the implications.

JanieGoddard
Occasional Contributor III

Hi Jonathan,

Do we need Port 1433 open both ways for our SQL Service access? We have it open from the DMZ to the Internal server that has SQL Server on it. Do we need Port 1433 open going back from the Internal Server to the DMZ with the Server and Portal on it? We are having trouble registering the SQL database. I was able to create an Administrative Connection from desktop to the DMZ. I was able to create a DB Connection to the SQL Instance using the FQDN internal server address with the instance name. Now using that DB Connection with the FQDN instance, I'm unable to register the database using Desktop NOR with Server (Enterprise) Manager.

Here is the error message I am getting:

Message:     The connection property set was missing a required property or the property value was unrecognized. Failure to access the DBMS server
Source:         DataValidator.GPServer
Method Name:    ValidateServerDataStore.Execute

Do I need to have port 9876 open for the Relational data store?

Thanks,

Janie

JanieGoddard
Occasional Contributor III

Hi Jonathan,

Thanks again for answering. I appreciate the port numbers for Portal and Server.

I appreciate your answer. I'll be sure to make my manager aware of the implications.

Thanks again,

Janie

JanieGoddard
Occasional Contributor III

Hi Jonathan,

I just noticed the License Manager is on the same internal machine as my SQL Server databases. Do I need to open a different port for the License Manager behind the Firewall to get to ArcGIS Enterprise on a Server in my DMZ zone?

I was reading over this "Configure ArcGIS License Manager to work through a firewall".

Configure ArcGIS License Manager to work through a firewall—License Manager Guide | ArcGIS Desktop 

It is using port 27004 in the example. I'm confused about what Port to use in the PORT=1234.

On the VENDOR line, add PORT=####, where #### is a specific port number designated by you, to lock the vendor daemon to that specific port (for example, 1234). After making the changes, your service.txt file should look something like this:

SERVER this_host ANY 27004
VENDOR ARCGIS PORT=1234
USE_SERVER
FEATURE ACT ARCGIS 1 permanent 1 vendor_info=7KNJDRHFHBK4CFDMJ214 SIGN="052E ABFC 32DD \
	2473 DEFD E276 4BF3 E0DB 87EB 2203 5A30 C014 19A1 C35E 2154 \
	08B1 9460 A2B9 6701 DC4D CAF2 E2FE 1347 0E36 90FA 4F3B E864 \
	BEC8 D3A2 A615"

So bottom line do we need to open Port 27004 and whatever port I should use for Port=1234?

Thanks for your help!
Janie
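
An added example, not part of the thread or of Esri's documentation: this Python code reads a license file laid out like the service.txt quoted in the post above and reports the two TCP ports it defines, the license manager port on the SERVER line and the vendor daemon port pinned with PORT= on the VENDOR line. The function names and the sample file are constructed for illustration, and the vendor_info and SIGN values in the sample are placeholders.

```python
import shlex

# Constructed sample modelled on the service.txt quoted in the post;
# the vendor_info and SIGN values are placeholders, not real licence data.
SAMPLE = '''SERVER this_host ANY 27004
VENDOR ARCGIS PORT=1234
USE_SERVER
FEATURE ACT ARCGIS 1 permanent 1 vendor_info=PLACEHOLDER SIGN="0000 0000 \\
\t0000 0000"
'''


def logical_lines(text):
    """Join physical lines that end in a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""


def firewall_ports(text):
    """Return {'lmgrd': port or None, 'vendor': {name: port or None}}."""
    ports = {"lmgrd": None, "vendor": {}}
    for line in logical_lines(text):
        fields = shlex.split(line)
        keyword = fields[0].upper()
        if keyword == "SERVER" and len(fields) >= 4:
            # SERVER <host> <hostid> [port]
            ports["lmgrd"] = int(fields[3])
        elif keyword == "VENDOR" and len(fields) >= 2:
            # The port is given as PORT=<n>; None means it is not pinned.
            pinned = None
            for opt in fields[2:]:
                if opt.upper().startswith("PORT="):
                    pinned = int(opt.split("=", 1)[1])
            ports["vendor"][fields[1]] = pinned
    return ports


if __name__ == "__main__":
    print(firewall_ports(SAMPLE))
```

A vendor port of None means the VENDOR line carries no PORT= entry, so the file gives no fixed vendor daemon port to write a firewall rule against.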

JonathanQuinn
Esri Notable Contributor

License Manager is only used for ArcMap and Pro. I imagine all of your desktop clients are within your network, so you shouldn't need to open your firewall to the License Manager port. To be honest, I'm not sure what the documentation is referring to. If you're in a situation where your desktop clients are outside of your network, I'd suggest you contact Support for clarification. If you're not, then no need to worry as you don't need to do anything.

JanieGoddard
Occasional Contributor III

Hi Jonathan,

Thanks so much! This means I'm in the clear. Thanks, Janie
