Community

What wrong with our ArcGIS Enterprise 10.6.1 deployment setup?

2197
11
Jump to solution
09-17-2018 02:50 PM
JuneAcosta
by
Occasional Contributor III
‎09-17-2018 02:50 PM

We set up our staging environment for ArcGIS Enterprise 10.6.1. Everything works fine when webmaps, apps, and etc. are accessed internally; however, we are not able to view any of the layers in the webmap when accessed outside of our network using the ArcGIS field apps(collector and Explorer). We get the error "a server with the specified hostname could not be found".

We have a multi-machine deployment with the VMs for the datastore and Server for ArcGIS and web adaptor inside our network. The VM with Portal for ArcGIS and the web adaptor is in the DMZ... image of setup is attached.

What is wrong or missing in this setup? 

Preview file
549 KB
0 Kudos
1 Solution

Accepted Solutions
JuneAcosta
by
Occasional Contributor III
‎07-10-2019 07:02 AM

We worked via esri professional services and they had us move the server with portal installed to the inside and only the 2 web adapters sit in DMZ. Both servers(portal and AGS) had to be exposed to our users on the outside.

Hope this helps.

Sent from my iPhone

View solution in original post

0 Kudos
11 Replies
JoshuaBixby
by MVP Esteemed Contributor
MVP Esteemed Contributor
‎09-17-2018 03:46 PM

Although outside clients/devices are able to access web maps in Portal since Portal is in your DMZ, the outside clients/devices cannot access layers in those web maps that are published from internal, federated servers since those servers are not accessible from the Internet.  Given your diagram, the results you are seeing are expected.

I don't have time, at the moment, to dive into what changes need to happen to make it work.  Overall, I suggest you open a case with Esri Support to get additional guidance because securing an ArcGIS Enterprise deployment is involved.  I don't see a reverse proxy server in your diagram, is that because there isn't one or it just wasn't included?

0 Kudos
JuneAcosta
by
Occasional Contributor III
‎09-17-2018 04:29 PM

Thanks for responding. I do have a ticket open and the 1st analyst told me to expose the federated server, but didn't have much detail on how we should do it without having to expose all of my services to the public. We decided it would be best that he forward me to the right team. In the meantime, I thought I would post the question here in case I sit in the queue for another few days. I'll wait for Esri to respond. Thanks!

0 Kudos
JoshuaBixby
by MVP Esteemed Contributor
MVP Esteemed Contributor
‎09-18-2018 06:36 AM

The common way to expose the federated server, or parts of it, are through the use of a reverse proxy.  Since reverse proxies are common in the web sphere, and commonly not managed by GIS shops, usually folks that deploy ArcGIS Enterprise will need to engage with other parts of the IT organization to have them configure the reverse proxies to support GIS server.  While you are waiting for Esri Support to get back with you, I suggest you read Configure your portal to use a reverse proxy server—Portal for ArcGIS (10.6) | ArcGIS Enterprise  and Using a reverse proxy server with ArcGIS Server—ArcGIS Server Administration (Windows) | ArcGIS Ente....

JuneAcosta
by
Occasional Contributor III
‎09-18-2018 08:30 AM

Our network team helped with setting up the servers. I now have the senior engineer from the team looking at it. She thinks the reverse-proxy was not setup the right way. Thanks for your input!

0 Kudos
JustinRay1
by
Occasional Contributor
‎10-01-2018 09:06 AM

Sorry to semi-hijack the thread, but I have a similar problem. I was under the impression that the Web Adaptor was a reverse proxy for this purpose and could handle this scenario? Are you saying a third party reverse proxy is required?

0 Kudos
DanielUrbach
by
Occasional Contributor II
‎10-01-2018 01:28 PM

You are correct, the web adaptor is a reverse proxy.  Is your ArcGIS Server web adaptor in the DMZ?  If it is, are the layers being used in your map viewer being accessed via the web adaptor URL or the internal (https://host.domain.com:6443/arcgis) address?

JustinRay1
by
Occasional Contributor
‎10-01-2018 01:58 PM

I have both web adaptors (for server and portal) in the DMZ while the server and portal themselves are in the internal network. That should still allow for internet access to both the portal and server, right?

Edit: I am still setting this up and running into some bumps along the way, so I don't have services being accessed right now. Thanks for you help.

0 Kudos
Christopher28
by
Occasional Contributor
‎10-30-2018 08:10 AM

Hello,

do you have the possibility to access a WebMap or WebApp of the portal from outside with a notebook? If yes, please activate the developer tools (e.g. in IE) and see which URL is used to access the services?  This should be a WebAdaptor URL without a port - what kind of URL is it for you?

Did you set the WebContextURL correctly?
https://enterprise.arcgis.com/de/server/latest/administer/windows/using-a-reverse-proxy-server-with-...

0 Kudos
BillLotz
by
Occasional Contributor II
‎07-10-2019 06:23 AM

June,

I am assuming you got this resolved, what was your solution?

Thanks

0 Kudos