Hello. I am not an ArcGIS person, I am an IT person trying to help my ArcGIS person. We're looking to integrate our ArcGIS Enterprise 11.3 installation (hosted on five on-site servers) into Brightly's Asset Essentials tool. I've got a token generation URL here: https://domain.gov/server/rest/services/Brightly_Service_Enterprise_Publisher_MIL1/MapServer and I've added the URL and credentials to the Brightly page, but the token won't generate automatically. When I visit the page manually from a computer inside the firewall, it generates fine. When we set this up I was told that it was fine that it was only accessible from in-house.
1) Am I experiencing feature creep? They're looking to access Brightly from on-prem devices, but the token generation happens AT Brightly, which is to say off-network?
2) How difficult is it to make token generation internet-facing without making the entirety of Enterprise public-facing? Again, these systems are hosted on servers that are behind my firewall. Do I need to move a server to the DMZ, and if so, which one?
Thank you very much for any assistance.
Hi @KnickMoschella,
Do you have Windows Authentication enabled for ArcGIS Enterprise? For example, when you go to the below URL, are you automatically signed in:
https://domain.gov/server/rest/services/Brightly_Service_Enterprise_Publisher_MIL1/MapServer
Or, do you have to present credentials?
Is the Brightly Application on the same internal network as ArcGIS Enterprise? If it is an external application, outside your network, you will need to enable ArcGIS Enterprise to be externally accessible as well. This would require moving the ArcGIS web adaptor applications to a Web Server that is externally accessible (i.e. your DMZ).
Note: if moving the web adaptor to your DMZ changes the DNS alias to access Enterprise, additional steps will be needed to update Enterprise.
Hi Jake! We use SAML for ArcGIS authentication, but it's not automatic - when I go to that URL I'm presented with a Microsoft login prompt and then have to enter creds and then 2FA in order to actually sign in.
Brightly is an external app, so ... yeah. I was afraid of that. What-all is involved in moving the Web Adaptor machine to the DMZ? Can I just do the network changes, or are there ESRI settings involved that I need to modify as well? Are there any other benefits of moving the Web Adaptor to be outward-facing? I read your link but I don't know that I would necessarily need to update the URL. Would I?
If you are moving the existing server to the DMZ and the URL is not changing, there should be no further changes required on the ArcGIS side of things.