Using the DSC Module to install with a DMZ environment for Web Adaptors

03-18-2024 02:48 PM
julian_svcs
Occasional Contributor

We want to use the ArcGIS PowerShell DSC Module to deploy our ArcGIS environment. The deployment consists of a Base Deployment (Portal, ArcGIS Server and Data Store), two federated servers and the Web Adaptors (portal, hosting, fed1, fed1) deployed on a web server in a DMZ. All servers except the web server in the DMZ are domain joined.

Is there a configuration of the DSC that would be able to deploy the entire environment (including the WAs in the DMZ)?

We tried to use a DSC configuration to install the WAs in the DMZ but because it is not domain joined we got errors. We are now looking at an option to install and configure the WAs using a separate .ps1 script while using the DSC for the rest of the installations. We are looking at two options for this but not sure if they are valid.

Option 1:

  1. Install and License base deployment (DSC)
    1. portal and arcgis
  2. Install and configure Web Adaptors for portal and arcgis (.ps1)
  3. Install, License and Configure base deployment (DSC) (including federation): this should skip the installation and licensing part and go to the configuration.
  4. Install and License federated servers (DSC)
  5. Install and configure Web Adaptors (.ps1)
    1. gen and gef
  6. Install, License and Configure federated servers (DSC) (including federation)


Option 2:

  1. Install, License and Configure base deployment (DSC) (including federation)
    1. portal and arcgis
  2. Install and configure Web Adaptors for portal and arcgis (.ps1)
  3. Install, License and Configure federated servers (DSC) (including federation)
  4. Install and configure Web Adaptors (.ps1)
    1. gen and gef

Any ideas @CameronKroeker - thanks for any assistance with this.

8 Replies
CameronKroeker
Esri Contributor

Hi @julian_svcs,

Yes, it is possible to deploy a base enterprise with the web server in the DMZ, however, it does require some additional environment configuration. 

- Trusted Hosts will need to be configured properly for all target nodes to establish trust (either the IP of each node and/or the hostname).

- A common Administrator account will need to be used for the Invoke-ArcGISConfiguration -Credential flag. Since the web server node isn't on the domain, a domain administrator account cannot be used. It will need to be a local administrator account. This local administrator account will need to exist on all target nodes and have the same username and password. Note: If you get an access denied error, check that the LocalAccountTokenFilterPolicy is configured.

Here are some helpful resources:

Here are a couple commands that can be used to test the connection between the dmz node and domain joined nodes:

WinRM HTTPS:

Test-WSMan -ComputerName TargetNodeMachineNameOrIP -Authentication default -Port 5986 -UseSSL -Credential LocalAdministratorUsername

WinRM HTTP:

New-CimSession -Port 5985 -ComputerName TargetNodeMachineNameOrIP -Authentication default -Credential LocalAdministratorUsername

Test-WSMan -ComputerName TargetNodeMachineNameOrIP -Authentication default -Port 5985 -Credential LocalAdministratorUsername

Thanks,

Cameron K.
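
A preflight check for the prerequisites listed in the reply above, as an added example that is not part of the original thread or of the ArcGIS module. Run from the orchestrating node, it checks TrustedHosts, an authenticated WinRM round trip, WMI access over WSMan, and LocalAccountTokenFilterPolicy on the target; the script and its parameter names are assumptions for illustration.

```powershell
# Added example (not from the thread). $Target and $Credential are supplied by you.
param(
    [Parameter(Mandatory)] [string] $Target,            # DMZ node hostname or IP
    [Parameter(Mandatory)] [pscredential] $Credential,  # shared local administrator
    [switch] $UseSSL                                    # test 5986/HTTPS instead of 5985/HTTP
)
$port = if ($UseSSL) { 5986 } else { 5985 }

# 1. TrustedHosts (orchestrating node). Listed hosts are trusted without server
#    authentication, so the list should name the target nodes, not '*'.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -contains '*') {
    Write-Warning "TrustedHosts is '*'; restrict it to the target nodes."
} elseif (-not ($entries | Where-Object { $Target -like $_ })) {
    Write-Warning "$Target matches no TrustedHosts entry (current value: '$trusted')."
}

# 2. Authenticated WinRM round trip with the shared local administrator account.
$wsman = @{ ComputerName = $Target; Port = $port; Authentication = 'Default'
            Credential = $Credential; ErrorAction = 'Stop' }
if ($UseSSL) { $wsman.UseSSL = $true }
Test-WSMan @wsman | Out-Null

# 3. WMI over WSMan through an explicit CIM session (Get-WmiObject uses DCOM instead,
#    so it exercises a different path than the one WinRM-based tooling uses).
$option  = if ($UseSSL) { New-CimSessionOption -UseSsl } else { New-CimSessionOption -Protocol Wsman }
$session = New-CimSession -ComputerName $Target -Port $port -Credential $Credential `
                          -SessionOption $option -ErrorAction Stop
try {
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem

    # 4. LocalAccountTokenFilterPolicy on the target, read via StdRegProv (HKLM).
    #    1 = remote local-admin logons get a full token; absent or 0 = filtered token.
    $reg = Invoke-CimMethod -CimSession $session -Namespace root/cimv2 -ClassName StdRegProv `
        -MethodName GetDWORDValue -Arguments @{
            hDefKey     = [uint32]2147483650
            sSubKeyName = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            sValueName  = 'LocalAccountTokenFilterPolicy' }

    [pscustomobject]@{
        Target = $Target; Port = $port; OS = $os.Caption
        LocalAccountTokenFilterPolicy = if ($reg.ReturnValue -eq 0) { $reg.uValue } else { 'not set' }
    }
} finally {
    Remove-CimSession $session
}
```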


julian_svcs
Occasional Contributor

Awesome, thanks @CameronKroeker . I'll check it out and get back to you.

AlexBakhtin
New Contributor III

Thanks for writing this out! I recall having to do this a few years ago for a deployment that wasn't domain joined at all. We are in a position where we need to do something similar again.

Quick question/clarification - we would also have to use the -UseSSL argument as well when we invoke the configuration? Or is it possible to get away with using just WinRM HTTP?

Alex Bakhtin
CameronKroeker
Esri Contributor

Hi @AlexBakhtin,

I do not believe the -UseSSL argument is required as long as WinRM HTTP is properly configured on the orchestrating node and all target nodes.

Thanks,

Cameron K.

AlexBakhtin
New Contributor III

Great, thank you!

Alex Bakhtin
AlexBakhtin
New Contributor III

Hi @CameronKroeker, wanted to post another update. We are in the process of deploying to a true DMZ architecture (web server in the DMZ, enterprise deployment on domain). The web server is not domain joined and we made sure that both servers have the same local administrator account. We are running into an issue where when we invoke the configuration:

Invoke-ArcGISConfiguration -ConfigurationParametersFile .\SV_113.json -Mode InstallLicenseConfigure -Credential gis-sa -DebugSwitch -EnableMSILogging

We are able to get as far as installing Portal, Server, and Data Store. However, it looks like we are running into an issue in getting Web Adaptor installed on the web server, as we see the following error:

Trace-DSCJob : 6/14/2024 11:36:25 AM: The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.3.0\ArcGIS.psm1:261 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob


Looking into the WMI Service, from what I can tell in running the code block below from the orchestrating node, I'm also getting access denied:

PS D:\DSC\config> Get-WmiObject -Query "SELECT * FROM Win32_OperatingSystem" -ComputerName <target>
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Get-WmiObject -Query "SELECT * FROM Win32_OperatingSystem" -ComputerN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

I suspect there might be a communication issue occurring and I wasn't able to find any resolution as of yet. What I can confirm is that we are able to establish connectivity from the orchestrating node (enterprise server) to the target node (web server in DMZ) via WinRM:

PS D:\DSC\config> New-CimSession -Port 5985 -ComputerName <target> -Credential gis-sa


Id           : 2
Name         : CimSession2
InstanceId   : 7a657e96-fe1f-4572-8a86-d658e42739ed
ComputerName : <target>
Protocol     : WSMAN


Do you have any thoughts or places we can start looking to troubleshoot this?

Thanks!

Alex Bakhtin
CameronKroeker
Esri Contributor

Are all the nodes the same version of Windows? I found this, might be worth trying:

https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-troubleshooting?redirectedfrom=MSDN#acces...

I also just realized that when the -UseSSL argument is passed in, the module passes the -Credential to Start-DscConfiguration using New-CimSession, whereas without the -UseSSL argument New-CimSession is not used. For example:

https://github.com/Esri/arcgis-powershell-dsc/blob/4e1ea910cf3c237c378dfcfc1130a296de3c4bcb/Modules/...

Perhaps I was mistaken and -UseSSL is required so that it uses New-CimSession.

Thanks,
Cameron K.

AlexBakhtin
New Contributor III

Thanks for sending this along, we found similar documentation. We confirmed that all nodes are on the same version of Windows 2019. We will go back and configure to set it up to use WinRM HTTPS so that we can use the -UseSSL argument and I can update on how that works for us.

Alex Bakhtin