11.5 upgrade observations

Just putting it out there that I've seem some changes in upgrading the Web Adaptor from 11.1 to 11.5 and 11.3 to 11.5.

First, it was previously possible to disable manager/admin access via the WA.  This was something requested by many clients as I've gone through Penetration Test scenarios.  The check-box is no longer there.  This is somewhat concerning from a security standpoint.  

Second, the production upgrade that I'm in the middle of is a little odd-ball in that the client has two web servers, one that is live but will be retired imminently.  The other will be its replacement with a much more modern OS.  At 11.1, I had the portal and hosting web adaptors configured and waiting to go.  We could just roll over the DNS when we were ready.  At 11.5, I can configure the WA on the old server and all is well.  If I configure on the new web server then it forces the first to drop out.  Configuring on the old server again forces the new web adaptor to drop out of configuration.  I'd assumed this was a valid option due to HA deployments.

Finally, I got a similar experience with the two web adaptors on the ArcGIS Server (hosting).  I can install on the old server, no issues.  If I do it on the second, the configuration hangs and I get a "This page is not responding warning".  It just hangs.

I'm still only midway through the base deployment upgrade at this point, and will continue so that the client can observer, test and determine if we rollback or not.  I'll post any other findings if they come about.  

EDIT:  As further context I'm using the IIS flavour of the Web Adaptor, with it installed on Windows Server 2016 on the old web server and 2022 on the new.

POST UPGRADE LEARNINGS (edit):  My first 11.5 upgrade is now complete and is in UAT with the client.  The upgrade went very well, other than the discussion above, for which I now have greater insight with the completed upgrade. 

The Web UI is not allowing a second WA to be installed over an ArcGIS Server, but you can add a second with the command line tools.  Implementing a second WA for an Enterprise Portal, via UI or CL, will disable/disconnect the first one. This has repercussions for Highly Available installs, but I understand that many HA installs will not use WA's and may use a cloud load balancer of some description.  Possibly a moot point, but it is a change to previous versions.

The disabling of the admin access is now a 'deprecated option'.  It is now possible to manage a Map Image Layer (for example) in the Portal Items page.  This is going to centralise tasks and make admin lives easier.  To make that work, it's necessary to remove the option in the WA.  It makes total sense.  My only comment is that I've been through many Penetration Tests and C&A exercises where it was mandated that admin/manager access was disabled.  While I see the value of the new functions, I am cautious about the security aspect of this change.  This will impose a change on the secure environments that I have build and support.