Select to view content in your preferred language

11.5 upgrade observations

4440
19
Jump to solution
05-30-2025 12:21 PM
Scott_Tansley
MVP Regular Contributor

Just putting it out there that I've seem some changes in upgrading the Web Adaptor from 11.1 to 11.5 and 11.3 to 11.5.

First, it was previously possible to disable manager/admin access via the WA.  This was something requested by many clients as I've gone through Penetration Test scenarios.  The check-box is no longer there.  This is somewhat concerning from a security standpoint.  

Second, the production upgrade that I'm in the middle of is a little odd-ball in that the client has two web servers, one that is live but will be retired imminently.  The other will be its replacement with a much more modern OS.  At 11.1, I had the portal and hosting web adaptors configured and waiting to go.  We could just roll over the DNS when we were ready.  At 11.5, I can configure the WA on the old server and all is well.  If I configure on the new web server then it forces the first to drop out.  Configuring on the old server again forces the new web adaptor to drop out of configuration.  I'd assumed this was a valid option due to HA deployments.

Finally, I got a similar experience with the two web adaptors on the ArcGIS Server (hosting).  I can install on the old server, no issues.  If I do it on the second, the configuration hangs and I get a "This page is not responding warning".  It just hangs.

I'm still only midway through the base deployment upgrade at this point, and will continue so that the client can observer, test and determine if we rollback or not.  I'll post any other findings if they come about.  

 

EDIT:  As further context I'm using the IIS flavour of the Web Adaptor, with it installed on Windows Server 2016 on the old web server and 2022 on the new.

 

POST UPGRADE LEARNINGS (edit):  My first 11.5 upgrade is now complete and is in UAT with the client.  The upgrade went very well, other than the discussion above, for which I now have greater insight with the completed upgrade. 

The Web UI is not allowing a second WA to be installed over an ArcGIS Server, but you can add a second with the command line tools.  Implementing a second WA for an Enterprise Portal, via UI or CL, will disable/disconnect the first one. This has repercussions for Highly Available installs, but I understand that many HA installs will not use WA's and may use a cloud load balancer of some description.  Possibly a moot point, but it is a change to previous versions.

The disabling of the admin access is now a 'deprecated option'.  It is now possible to manage a Map Image Layer (for example) in the Portal Items page.  This is going to centralise tasks and make admin lives easier.  To make that work, it's necessary to remove the option in the WA.  It makes total sense.  My only comment is that I've been through many Penetration Tests and C&A exercises where it was mandated that admin/manager access was disabled.  While I see the value of the new functions, I am cautious about the security aspect of this change.  This will impose a change on the secure environments that I have build and support.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
1 Solution

Accepted Solutions
Scott_Tansley
MVP Regular Contributor

As a wrap up of this discussion I raised a case with my local distributor under Esri Case #03919078.  I understand that the ability to disable manager/admin access has been removed by design and that the documentation will be updated to reflect this.  

With regard to the multiple web adaptors not configuring, I have asked them to close the case.  It's an extraordinary situation that I'm unlikely to face again.  The upgrade has been accepted into use and it's not possible for me to make some of the required configuration changes to get screengrabs and such like.   Therefore, I'm unable to provide further information to the support consultant.

I've put the case number out there should anyone see a similar situation.   

Scott Tansley
https://www.linkedin.com/in/scotttansley/

View solution in original post

19 Replies
Brian_McLeer
Frequent Contributor

@Scott_Tansley I had an issue going through the upgrade on my development system. After installing the WA on port 443 I logged into Portal and it was normal. I then logged into Server, and it said it was HTTP unsecured and not HTTPS, then went back to Portal and it also showed unsecured HTTP. I noticed that it wiped out my most recent SSL certs for both server/portal and I had to import them again, which did not resolve the HTTP issue. Do you encounter anything like this during your upgrade process? I am going from 11.2 to 11.5. 

Brian_McLeer_0-1748633224570.png

 

Scott_Tansley
MVP Regular Contributor

Hey Brian, thanks for reaching out, not seeing anything of that nature.   IIS is behaving itself.  Are you using IIS or the Java Approach? 

I sort of raced through my dev environment which was 11.3.  I didn't apply the rigour that I do with a client upgrade and missed this.  I've gone back and checked and seen 'my' issues going from 11.1 and 11.3, to 11.5. 

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Brian_McLeer
Frequent Contributor

Thanks for the reply Scott. Using IIS. I created a support ticket this morning, but figured I would chime in since 11.5 is only a few days old. 

0 Kudos
Scott_Tansley
MVP Regular Contributor

It's good information.  Thanks for confirming it's IIS.  It's something for me to watch for.  I've taken a slow approach to my upgrade program this year.  Doing this one and then a break of 6-7 weeks before the next.  

 

Scott Tansley
https://www.linkedin.com/in/scotttansley/
DavidColey
MVP Frequent Contributor

Hi @Brian_McLeer - in prepping for my 11.4 - 11.5 upgrade, the only thing I'm noticing here is that I have always let the WA install default to port 80 (not port 443 as you mention earlier) and then just make sure the https only update settings for portal and sever are in place . . .

0 Kudos
Brian_McLeer
Frequent Contributor

Thank you @DavidColey, I had a call with Esri and realized my missed step. For my upgrade, after it removed the Web server SSL Certificate it reverted it back to a cert from 2023. I had to update back to the current certs in Portal and Server and it resolved the issue. 

Portal:

Brian_McLeer_0-1748884653048.png

Server:

Brian_McLeer_1-1748884706750.png

 

 

DavidColey
MVP Frequent Contributor

that's good info thanks @Brian_McLeer 

0 Kudos
Scott_Tansley
MVP Regular Contributor

I thought I'd resolved this by using the command line, and indeed I can now configure a second web adaptor on the servers by using the command line approach (rather than the web interface).  However, it is not possible to disable the admin/manager functionality and reviewing the doco:

https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server....

The <AdminAccessEnabled> parameter is no longer.  It is clearly documented in 11.3 but not 11.4/5.  It appears this may be an intended function.

However there is a disparity between the web UI instructions which says disabling is possible and the command line which no longer lists it as an option.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Joshua-Young
Honored Contributor

I did an upgrade from 11.4 to 11.5 this weekend on Windows Server 2022. The only issue I ran into was after uninstalling the 11.4 ArcGIS Portal IIS web adaptor and installing the 11.5 version my IIS service was stopped. That did not happen with the ArcGIS Server IIS web adaptor.

@Scott_Tansley in regard to the enable admin access option being gone at 11.5, have you seen the "Allowed Admin Access IP's" on the ArcGIS Server Security Configuration page in the ArcGIS Server Administrator Directory? Maybe that could help you harden ArcGIS Server at 11.5. I have not used it, so I am not entirely sure how it works.

https://developers.arcgis.com/rest/enterprise-administration/server/securityconfig/ 
JoshuaYoung_1-1748877900328.png

 

"Not all those who wander are lost" ~ Tolkien