webgisdr tool error code 498 when requesting token during DS backup

10-14-2020 01:51 PM
AllanAxon1
New Contributor III

Running webgisdr tool and getting this during DataStore backup:

2020-10-14 14:48:07 DEBUG [pool-2-thread-5] com.esri.arcgis.webgis.component.service.impl.DataStoreDRService - The second response for DataStore createSnapshot: {"error":{"code":498,"details":["Token would have expired, regenerate token and send the request again.","If the token is generated based on the referrer make sure the referrer information is available with every request in header."],"message":"Invalid Token."}}

DataStore server can access portal at load balancer site (name in WebContextURL portal property) on 443
DataStore server cannot access portal server at servername:7443

Does this error suggest that the datastore servers need to access the portal servers directly on 7443 to request a token and do not request a token from the load balancer site? We have our network segmented so that Proxy/load balancer is in 1 zone; portal/ags servers in 2nd zone; datastore servers in 3rd zone. We have firewall rules that allow access for the portal and federated servers to communicate and all ArcGIS Enterprise functionality is available. I've had to add at least 1 firewall rule so that webgisdr works (DataStore to portal WebContextURL on 443 so that a token could be requested at an earlier point in webgisdr run).

I haven't found any documentation that suggests that webgisdr needs additional communication paths beyond the working ArcGIS Enterprise/Portal paths. It appears webgisdr does use additional communication paths beyond those a working portal/federated server uses. Is this true? If so, what are those additional communication paths?

Environment:

10.7.1

Windows 2016 Standard

2 portal servers (HA), 3 AGS sites federated including 1 hosting site (each has 2 AGS servers), 2 DataStore servers with a relational DataStore only


Accepted Solutions
AllanAxon1
New Contributor III

As described above, even though our WebGIS/ArcGIS Enterprise system of portal/hosting server/datastoreserver/federated servers worked correctly for users to upload, store, and interact with items through the portal, the following communication paths through the firewall were needed to allow webgisdr to successfully complete a webgis backup.

Datastore server to internal hosting server machine on 6443
Datastore server to internal portal server machine on 7443
Datastore server to portal proxy site on 443

The 498 error above was specifically fixed by the first rule listed above. These rules were put in place to handle token requests during the webgisdr backup process.

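
A pre-backup reachability check for the three paths named in the accepted solution, to be run on each DataStore machine before starting webgisdr. This is an added example, not part of the original post and not Esri tooling; the host names are placeholders to replace with your own, the function name `Test-TcpPath` is hypothetical, and only the ports come from the thread.

```powershell
# Placeholder host names (assumptions); ports 6443, 7443 and 443 are from the post.
$paths = @(
    [pscustomobject]@{ Purpose = 'Internal hosting server'; Target = 'hosting-server.example.internal'; Port = 6443 }
    [pscustomobject]@{ Purpose = 'Internal portal server';  Target = 'portal-server.example.internal';  Port = 7443 }
    [pscustomobject]@{ Purpose = 'Portal proxy site';       Target = 'gis.example.com';                 Port = 443 }
)

function Test-TcpPath {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false when the timeout elapses, which is what a
        # firewall that silently drops packets between zones looks like.
        if (-not $task.Wait($TimeoutMs)) { return 'Timeout' }
        return 'Open'
    }
    catch {
        # Refused connections and DNS failures arrive wrapped; report the root cause.
        return "Failed: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($p in $paths) {
    [pscustomobject]@{
        Purpose = $p.Purpose
        Target  = "$($p.Target):$($p.Port)"
        Result  = Test-TcpPath -HostName $p.Target -Port $p.Port
    }
}
$results | Format-Table -AutoSize

# Exit non-zero so a scheduled backup job can stop before webgisdr runs.
$blocked = @($results | Where-Object { $_.Result -ne 'Open' })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) path(s) not reachable from $env:COMPUTERNAME; the DataStore snapshot step may fail on its token request."
    exit 1
}
```

A result of `Open` only shows that the TCP path is allowed through the firewall; it does not validate the certificate or the token request itself.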