
11.5 upgrade observations

05-30-2025 12:21 PM
Scott_Tansley
MVP Regular Contributor

Just putting it out there that I've seen some changes in upgrading the Web Adaptor from 11.1 to 11.5 and 11.3 to 11.5.

First, it was previously possible to disable manager/admin access via the WA.  This was something requested by many clients as I've gone through Penetration Test scenarios.  The check-box is no longer there.  This is somewhat concerning from a security standpoint.  

Second, the production upgrade that I'm in the middle of is a little odd-ball in that the client has two web servers, one that is live but will be retired imminently.  The other will be its replacement with a much more modern OS.  At 11.1, I had the portal and hosting web adaptors configured and waiting to go.  We could just roll over the DNS when we were ready.  At 11.5, I can configure the WA on the old server and all is well.  If I configure on the new web server then it forces the first to drop out.  Configuring on the old server again forces the new web adaptor to drop out of configuration.  I'd assumed this was a valid option due to HA deployments.

Finally, I got a similar experience with the two web adaptors on the ArcGIS Server (hosting).  I can install on the old server, no issues.  If I do it on the second, the configuration hangs and I get a "This page is not responding warning".  It just hangs.

I'm still only midway through the base deployment upgrade at this point, and will continue so that the client can observe, test and determine if we rollback or not.  I'll post any other findings if they come about.

 

EDIT:  As further context I'm using the IIS flavour of the Web Adaptor, with it installed on Windows Server 2016 on the old web server and 2022 on the new.

 

POST UPGRADE LEARNINGS (edit):  My first 11.5 upgrade is now complete and is in UAT with the client.  The upgrade went very well, other than the discussion above, for which I now have greater insight with the completed upgrade. 

The Web UI is not allowing a second WA to be installed over an ArcGIS Server, but you can add a second with the command line tools.  Implementing a second WA for an Enterprise Portal, via UI or CL, will disable/disconnect the first one. This has repercussions for Highly Available installs, but I understand that many HA installs will not use WA's and may use a cloud load balancer of some description.  Possibly a moot point, but it is a change to previous versions.

The disabling of the admin access is now a 'deprecated option'.  It is now possible to manage a Map Image Layer (for example) in the Portal Items page.  This is going to centralise tasks and make admin lives easier.  To make that work, it's necessary to remove the option in the WA.  It makes total sense.  My only comment is that I've been through many Penetration Tests and C&A exercises where it was mandated that admin/manager access was disabled.  While I see the value of the new functions, I am cautious about the security aspect of this change.  This will impose a change on the secure environments that I have built and support.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
19 Replies
Scott_Tansley
MVP Regular Contributor

I’ve rarely but randomly seen the stopping of IIS in the past.  Seems to be luck of the draw.

I will take a look at the white listing of IPs, thank you.  May be hard to manage in some situations but I like having the option.  Thank you.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Galada
New Contributor

@Scott_Tansley Just upgraded ArcGIS Enterprise from 11.2 to 11.5 and everything is working as expected inside the VM. However, I can't externally access the ArcGIS Server Manager over the Web Adaptor (..../server/manager) but can access the portal. Error: 502 Bad Gateway

No changes were made to the inbound rules, App Gateway.

What might have gone wrong, because all was fine before the upgrade?

 

Scott_Tansley
MVP Regular Contributor

So before the upgrade you could be on the internet and get to server/manager but now you can’t?

Does it work from all machines inside of your internal/cloud environment?

I normally build with routing direct to the Web Adaptor for internal users and external users go via the app gateway.  This allows me to know if the 502 is an Esri thing or an infrastructure thing.  ArcGIS Enterprise is pretty binary. It works or it doesn’t.  If the internal users can hit the web adaptor and get to server manager then the issue is in the web app gateway or other cloud/IaaS.  I’m not aware of specific changes in URLs that could have changed but confirming where it breaks would be useful at this point.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Scott_Tansley
MVP Regular Contributor

As a wrap up of this discussion I raised a case with my local distributor under Esri Case #03919078.  I understand that the ability to disable manager/admin access has been removed by design and that the documentation will be updated to reflect this.  

With regard to the multiple web adaptors not configuring, I have asked them to close the case.  It's an extraordinary situation that I'm unlikely to face again.  The upgrade has been accepted into use and it's not possible for me to make some of the required configuration changes to get screengrabs and such like.   Therefore, I'm unable to provide further information to the support consultant.

I've put the case number out there should anyone see a similar situation.   

Scott Tansley
https://www.linkedin.com/in/scotttansley/
AndresEcheverri
Regular Contributor

Hi @Scott_Tansley 
Esri updated the documentation indeed. We were in the middle of an infra uplift and now reviewing to include a WAF-Load Balancer in the equation. I've seen some architecture patterns including DMZ (F5-WebAdaptor)+Private(Portal+Server+DataStore).


Web Adaptor | Other web gateway options 

And thanks for sharing your experience with the upgrade and the Edge bug too.
Andres

Scott_Tansley
MVP Regular Contributor

My pleasure, I hadn't checked the doco - but it's great that it's been done.  Very few of my clients are of a scale that they can use a WAF.  They're usually small NZ councils with limited budgets capability.  I use the Web Adaptor because it's supported and documented.  It's well known, and while it's rudimentary I put a massive amount of effort into increasing the security and encryption of the IIS deployment above it.  

I could create rules to block admin access, and was tempted, but it will remove functionality and cause bugs/issues because 'things' won't work as described.  I've seen the same done in WAF's by over-zealous security consultants as well.

It's a really interesting space but can get a bit complicated in places.  

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Scott_Tansley
MVP Regular Contributor

And sorry, just to add.  I've built using that pattern of F5 - WA - application component.  The pure reason being that the IaaS/Cloud guys then know what they're supporting, and I know what I'm supporting.  I can test my bit because there's a web adaptor there.  If everything works via the WA, and there's an issue then it's the IaaS team.  If it doesn't work via the WA, then it's my support task.  The downside is that the system will be marginally slower as it has more layers to pass through.  However, my key clients who have taken this approach have never complained about performance.  I completely see where Esri are coming from in making this recommendation, but as a sole-trader, I have to think who can pick this up and support it if I fall under a bus.  Everything is clearly documented, known and understood in my old-skool way of working.  

Scott Tansley
https://www.linkedin.com/in/scotttansley/
AndresEcheverri
Regular Contributor

You're completely right. We are in the same space. We sort of got used to working with the ArcGIS Enterprise components. But now trying to understand the implications of that extra layer and how we are getting the support from our IT team.

becyr
Regular Contributor

@Scott_Tansley Hi Scott, I would like to get your feedback on what you think is the best way to upgrade an enterprise environment.

We just completed our upgrade to 10.9.1 which was quite a hassle. It included multiple projects - SQL upgrade, parcel fabric, tools, and the server upgrade itself. I plan to upgrade to either 11.5 or 11.3 in spring 2026. What will be the best way to do it? Starting a fresh install in a different environment while keeping our current environment until all apps have been migrated?

Scott_Tansley
MVP Regular Contributor

Hi - that's a tough question to answer without knowing more specifics and if there is room to introduce 'improvements' from a new design.  Since I went self-employed, every client I have has been able to upgrade in-situ by me knowing the environment in detail before the upgrade and then making an approach to start with a side-by-side or an in-situ.  Once that decision was made the in-situ route has been trivial.  I recently took a client from 10.8.1 to 11.3, which is the same number of versions as you propose.  No major issues.  But you need to be able to keep all the moving parts of your system in check, and drivers/SQL Server and Enterprise Geodatabase versions would be key.

As a rule of thumb, if you're having multiple issues (performance/reliability) then a start again and a 'migration' may have benefits.

Scott Tansley
https://www.linkedin.com/in/scotttansley/