
Collaboration with ArcGIS Online through firewall

07-31-2024 04:21 AM
SimonSchütte_ct
Frequent Contributor

I created a collaboration between ArcGIS Enterprise and ArcGIS Online.
I can see the Items from ArcGIS Enterprise in the ArcGIS Online Group.

My ArcGIS Enterprise deployment is not accessible from the internet, but ArcGIS Enterprise has access to the internet (otherwise the collaboration would not have worked).

"The guest organization doesn't need to be publicly exposed to participate in the collaboration. It can be behind a firewall, in a local intranet, and still join the collaboration, as long as the guest organization can access ArcGIS Online over HTTPS (port 443)." Create a distributed collaboration—ArcGIS Online Help | Documentation

Now I want to open a service in ArcGIS Online, that is referenced to ArcGIS Enterprise.
However, I get an authentication prompt to log in to ArcGIS Enterprise. What do I need to change to access the referenced ArcGIS Enterprise content without Enterprise authentication prompt in ArcGIS Online?

Based on this question, this should be possible: https://community.esri.com/t5/arcgis-enterprise-questions/distributed-collaboration/m-p/1506327
however "Figure 7 - ArcGIS Online and Registered Services" only shows this working with reverse proxy.

"The guest organisation doesn't need to be publicly exposed to participate in the collaboration" is this still true for sharing content in both directions?

6 Replies
A_Wyn_Jones
Esri Contributor

Hi @SimonSchütte_ct,

Regarding this statement "Now I want to open a service in ArcGIS Online, that is referenced to ArcGIS Enterprise." 

You'll need to expose your ArcGIS Enterprise to your ArcGIS Online organisation for this to work. Since you have access to your Portal on your device - it appears to be working for you. Outside of your network this can't work without the necessary access. If you do decide to open the network to your ArcGIS Online Org, please see advice below.

You should be authenticating into your Enterprise with referenced collaboration items, you could avoid this by setting the items to public in your Enterprise. Of course, to any member of the public/3rd party org trying to access this data, the network won't allow it as your Enterprise is internal facing only (with the exception of your ArcGIS Online org).

You could use the below method to create a Proxy item in ArcGIS Online (I personally call these proxy items - not official nomenclature). Be sure to Save credentials with this item in ArcGIS Online, as per screenshot below.

A_Wyn_Jones_0-1722521407937.png

 

https://enterprise.arcgis.com/en/portal/latest/use/connect-secured-services.htm

 

This will allow you to share the "Proxy item" publicly/ with various groups, while you have a secured item internally. 

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."
0 Kudos
SimonSchütte_ct
Frequent Contributor

@A_Wyn_Jones Thank you for the reply! The documentation on this topic is really sparse and lacking details. 
I'll follow up with some more questions tomorrow.

0 Kudos
SimonSchütte_ct
Frequent Contributor

Based on the description "The guest organization doesn't need to be publicly exposed to participate in the collaboration. It can be behind a firewall, in a local intranet, and still join the collaboration, as long as the guest organization can access ArcGIS Online over HTTPS (port 443)"
I would expect to be able to create a collaboration between ArcGIS Enterprise and ArcGIS Online without opening up the ArcGIS Enterprise machine to the internet. From what I understood, ArcGIS Enterprise will initiate the communication with ArcGIS Online and since we did the invitation key exchange, there should be a steady "tunnel" established.

In fact I can see Items in ArcGIS Online that originate from ArcGIS Enterprise, but I cannot load them in a map. When I add a new Item on the Enterprise side to the synced group it will show up in ArcGIS Online, too. So what do I have to do to get the services working in ArcGIS Online without additionally authenticating to ArcGIS Enterprise?

0 Kudos
A_Wyn_Jones
Esri Contributor

Hi @SimonSchütte_ct ,

 

Can you please set your collaboration to be by copy only - this will allow you to use your collaborated items in ArcGIS Online. This will consume storage credits in ArcGIS Online as the collaboration is making copies of the layers/maps/apps from your Enterprise to your ArcGIS Online. Once in ArcGIS Online, you can change the sharing level independently from your Enterprise, i.e. set to public so no authentication is required to view the layers.
0 Kudos
SimonSchütte_ct
Frequent Contributor

@A_Wyn_Jones Thanks, I have tried that, however it does not sync correctly: "Failed for one or more participants."

Setting this aside, can you confirm that I understand it correctly?

A) When ArcGIS Enterprise is not accessible from the internet, but can initiate contact with ArcGIS Online (443), layers can be shared through a collaboration (copy only).
-> Is authentication from ArcGIS Enterprise Users to ArcGIS Online required when accessing the shared data from the group? (content shared in the sync group from ArcGIS Online to ArcGIS Enterprise (Sharing level: Personal/Org+sync group))

B) Only when ArcGIS Enterprise is exposed to the internet, references from ArcGIS Enterprise shared through collaboration to ArcGIS Online can be accessed.
-> Is authentication from ArcGIS Enterprise Users to ArcGIS Online required?

C) "Proxy item" creation:

- Only works for Feature Services?

- Does not work, if 2FA is enforced in the deployment the service originates from

- Does not work in ArcGIS Online, if the source deployment is not exposed to the internet

0 Kudos
A_Wyn_Jones
Esri Contributor

@SimonSchütte_ct there are some requirements for Collaboration via copy, essentially the "sync" capability of each feature layer used in the collaboration needs to be enabled.

 

For referenced data e.g. a SQL feature class, see: https://pro.arcgis.com/en/pro-app/latest/help/data/geodatabases/overview/prepare-data-for-collaborat...

You then need to enable sync on the Feature service.

For hosted feature layers see this documentation: https://doc.arcgis.com/en/arcgis-online/manage-data/manage-editing-hfl.htm#ESRI_SECTION2_D884E7592F5...

 

A) Yes by copy only

-> No - the user that sets up the collaboration on ArcGIS Enterprise, needs to have access to all data involved (place this user in the sync group/owner of the group). Once the copy is complete, this will create new items in your ArcGIS Online which will be shared with the ArcGIS Online Sync group by default - you can then update the sharing model of these items in ArcGIS Online independently from ArcGIS Enterprise (the item must always remain in the Sync group for collaboration to work).

 

B) Yes - you can think of Collaboration reference items as "shortcuts" to the item in your ArcGIS Enterprise. Any user accessing this data will need to authenticate with your Portal.

C) Works for Map image layers, geocoding and Network analysis layers. 

I'm not sure whether Maps or Apps can also be created as "proxy items" - I don't have an external facing Portal at the moment to test this.

- Does not work, if 2FA is enforced in the deployment the service originates from - Correct, I don't think this would work. You can however disable 2FA for certain accounts: https://enterprise.arcgis.com/en/portal/latest/administer/windows/manage-members.htm#ESRI_SECTION1_E...

- Does not work in ArcGIS Online, if the source deployment is not exposed to the internet - Correct