Web Adaptor automatically redirecting to Portal (7443 url)

Sergio_EduardoGalindo · ‎04-02-2018

After struggling while trying to federate an ArcGIS Server Site deployed in Azure, my Web Adaptor for Portal for ArcGIS ended up always redirecting to the internal Portal url (with the 7443 port).

Everytime I try to browse my portal home at: https://vgis06.eastus.cloudapp.azure.com/waportal (through web adaptor), It automarcally re-directs to https://vgis06.eastus.cloudapp.azure.com:7443/arcgis/home/ , which is the internal Portal url.

I've tried even reinstalling web adaptor for portal with no success; somehow, Portal takes control an makes the redirect.

I've tried in every browser available, I've deleted all cookies, history and downloaded files, InPrivate tabs, etc. Same result.

Anyone have experienced something similar?

Thanks in advance

Sergio G

JonathanQuinn · ‎11-05-2018

If you install Portal with an entry in the etc\hosts file that associates the local IP address to an alias, Portal will pick up that hostname. When you create the portal site, it'll use the hostname.

There are rewrite rules that are monitoring whether certain headers are in the request, (X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server, or a header the WA uses, and whether the URL is a certain format. For the URL piece, it checks whether the hostname matches either the Web Context URL host if you're using a reverse proxy or load balancer, or the web adaptor hostname. Next, the context must match the context used for the Web Context URL or web adaptor name. If no expected headers exist or the URL isn't correct, it'll redirect.

MuneerMajid · ‎11-07-2018

Wow, great info Jonathan. This was exactly what was happening. Luckily these were fresh deployments and we didn't have any concerns uninstalling & reinstalling the Portal. I had the etc/hosts entry prior to installation, and the webadaptor is now working as expected.

Anonymous User · ‎06-18-2020

Hi Jonathan,

I am looking for a quick help if you could help.

we would like to make use of 'privateportalurl' for administration purpose when our main load balancer url is not available. Our setup is highly available 10.8 enterprise setup (using web adaptors for portal). We already have configured privateportalurl as explained below:

1) Is below url's setting correct?

2) When i am trying to access https://gisadmin.de-prod.dk/arcgis it is routing to https://gis.de-prod.dk/portal/home as shown

Then we contacted load balancer team and they have shown me that settings at their end is allright , i mean

https://gis.de-prod.dk/portal pointing to 443 port of member machines( 6031 and 6032)

https://gisadmin.de-prod.dk/arcgis pointing to 7443 port of member machines ( 6031 and 6032)

3) Then i tried to access https://osi6031.de-prod.dk:7443/arcgis which routes me to https://gis.de-prod.dk/portal which proves point number 2 is allright in terms of load balancer settings

Questions

1) Why https://osi6031.de-prod.dk:7443/arcgis routing us to https://gis.de-prod.dk/portal ?Is this problem related to webcontexturl , how to fix this?

2) If we disable main url https://gis.de-prod.dk/portal for maintenance reason then our entire enterprise setup can still be accessible using privateportalurl ??

Please help

BR

Saurabh

RubénPérez_Planillo · ‎06-06-2018

Hello,

I had the same issue two times and finally I fixed it. Don't know exactly why, but it works.....

Reconfigure webadaptor using IP address instead FQDN and configure webcontexturl.

MuneerMajid · ‎11-05-2018

I am seeing that this behavior might have to do with the local hostname file. I have had two deployments now, one on Azure and one on a local VM where the portal web adaptor keeps defaulting to :7443/arcgis IF YOU ARE USING THE LOCAL HOSTNAME FILE TO CONFIGURE YOUR DNS

balajireddi · ‎03-27-2019

Yeah its because of host entries in etc\hosts file, Remove the host entries and restart the portal for arcgis service. Put your host entries back. it worked for me. thanks Jonathan.

pfoppe · ‎12-19-2019

We had this issue today in a portal environment that has some complexities. The FQDN for the portal resolves to a firewall up the network stack and ultimately gets routed to this server. Removing the etc\hosts entry for resolving the FQDN to the local IP + restarting the portal was successful.

However, we then had issues with the portal server unable to validate the federated servers since it was validating them on the FQDN. Basically the server has a hard time talking to itself on the FQDN since it resolves up the stack (we call this the notorious "U-Turn" problem). Adding the etc\hosts entry back in to resolve the FQDN to the local IP (without a restart) allowed the servers to properly validate again.

Restarting the portal (with the etc\hosts entry) was then causing the re-direct again. So...... we have a little conundrum...

Options:

1) Disable etc\hosts so the server can startup correctly, but ANY server side requests to the FQDN will fail

2) Enable the etc\hosts after the server is started so that server side requests to the FQDN are successful, but future reboots will cause an outage

3) Fix the notorious U-Turn problem (no confidence in this as this has been present for over 5 years with no acceptable resolution)

#2 is not palatable as there are many patches that get sent in the middle of the night, multiple times a week, and some of those cause the OS to restart.

Unsure why this started happening. This portal has been running for over 2 years already and this is the first time we have experienced this. We did recently add a new federated arcgis server site. We are running 10.6.1

Thanks!

JonathanQuinn · ‎12-30-2019

Can you describe the original purpose of setting up Portal with the etc\hosts entry set?

I think you should be able to remove the etc\hosts entry, check where Portal redirects to when you go to https://localhost:7443/arcgis/sharing/rest, (when you're on the machine), and then update the privatePortalURL in the System properties for Portal to point to the URL it redirected to. This should be pushed to the Server. If it's not, you can update the server privatePortalURL property manually, (see step 9 in the doc here)

pfoppe · ‎01-08-2020

Hi Jonathan Quinn‌,

The Esri portal for arcgis product sometimes makes server side requests to its fully qualified domain name (FQDN). Things like map printing, validating federated servers, etc. We also register our web-adaptors using the FQDN and setup server federation with the FQDN.

With our agencies DMZ configuration, we have issues when the server in the DMZ needs to talk to itself (or other apps in the DMZ) on the FQDN. The FQDN resolves to an external IP address hosted on a content inspection web-application firewall (WAF) WAN interface. Traffic is terminated, then inspected. Validated traffic is then routed through a back-end internal (LAN) interface on that WAF. I dont have the full technical details/knowledge here, but I reached out to the network team, and they provided me this information:

DMZ Application would like to access other DMZ application but using the DNS gives the IP address of the application Virtual interface on the Web Application Firewall. This can causes an issue with the Traffic reaching the external interface of the WAF but having the "client" residing on the internal interface. This create what is call asynchronous routing where the flow back and forth does not follow the same path and can cause issue (in this case the WAF receive on one interface IP and send on another thus looking like two different people ).

So, as a work-around to this "asynchronous routing" issue, we typically did 1 of 2 things:

Option 1 - Add a local etc/hosts entry on the 'client' server to resolve the FQDN to the actual server in the DMZ (usually to just itself, but sometimes to other applications/services hosted in the same DMZ). We also had to upload SSL Certificates to the DMZ servers with their FQDN as a SAN to deal with SSL trust issues. We do have issues with option 1 if there are routing rules sending traffic on a certain FQDN to multiple back-end servers (since these routing rules are not on the actual DMZ servers themselves).

Option 2 - Add a local route on the 'client' server to resolve the FQDN to the private interface of the WAF. This was the preferred approach, but was only discovered a short time ago (so most legacy applications were still using option 1).

For this specific environment, we actually moved it to a new DMZ environment that no longer has the same async routing issue (different story there). So our etc\hosts entry is no longer required. I do have a few other apps in the legacy DMZ environment (with the async routing issue), but this issue in this thread (re-direct to 7443) has not popped up there yet. Crossing my fingers it doesnt...

---

From the local machine, When I access the https://localhost:7443/arcgis/sharing/rest, it re-directs me to the https://machine.domain:7443/arcgis/sharing/rest

I do NOT currently have a privatePortalURL property set, and I think I'm going to keep it empty for now. Per the System properties—ArcGIS REST API: Administer your portal | ArcGIS for Developers -

privatePortalURL—Specifies the internal URL that ArcGIS Server should use to communicate with the portal. This property is typically used when you have a highly available ArcGIS Enterprise deployment, or if the server cannot communicate directly with the portal machine.

We do not have a highly available deployment, and our server machines can communicate with the portal on its FQDN.

I'll look at this again if this (or another issue) crops up. Thanks!!

JoshKing · ‎04-24-2019

Removing the web context url and setting it to nothing {} did the trick on my 10.7 set up.