Internal ONLY Web Map Sharing Issues

Yes, still not working.

Do you have a setup like this? Have you had any issues with it?

Not sure, depends on your sharing and hosting.  For me, if I am trying to expose a developer edition WAB hosted on my web server and shared organization-wide but not public, then all I need in my rules array is my orgs address and the proxy address.  The proxy needs the org address and either a user-password or client id secret id.  This of course does not protect the app, webmap or feature layers if someone stumbles across the url but it does allow anyone in our county org to access the app when we share the url.

In doing this however, and if using the Add Data widget, any organization-wide shared layers would be visible to the Add Data widget even if you configure the add data widget to only show AGOL layers

That’s pretty much what I’m trying to do, when I share with Everyone the app works good but I need to limit it to the organization for sensitive data purposes. That’s where the proxy comes in, and if it worked that would be ideal. Plus if I can host it on my internal web server then even better.

The other thing I’m trying to do, but I’m not sure if it’s possible, is to use Portal for the internal stuff. I installed Portal 10.5 on a test server, and have published layers to it that are shared with everyone, since it will be an internal server no one from the outside should be able to access it. I don’t know, however, if Web Appbuilder dev edition can be used with that. I’m trying to set it up but so far no success.

The ideal thing would be to use my ArgGIS server services directly, like I do in Silverlight. That could be done, I guess, with custom javascript apps.

Well, one thing you could try is to un-register your published wab with your org.  The wab is still hosted on your server along with your proxy.  Since the wab is no longer registered it no longer has a clientid and clientsecret.  Then in the rules array of the config, you only need to put a reference to your org and the proxy.  In the proxy config ServerURL tag, add an org user and password for your orgs url, doesn't have to be your credentials, just a viewers credentials that can read the map.

This way, the webmap is secure and the map services or feature layers populating the webmap can be secure.  Since the app is not registered on AGOL, it won't be found in searches there. I have an a wab running this way now.  

I don't know about Portal yet, we are going there at 10.5 but aren't moving to 10.5 until we refresh a bunch of servers this summer.

David,

That could work, but if I unregister wab from my org, I wouldn’t be able to develop any other apps with it?

I am looking now at adding the services from my local internal server, instead of my external web server thru the web adaptor. That way I can share the map with everyone, but the services are on the local server which would not resolve to the external world.

The internal portal would probably work best for me if that’s a possibility. The way ESRI explained it to me, the ArcGIS online environment is always at the latest release, so I could install Portal 10.5 and use that along with the AGOL. I am at 10.3.1 with everything now, but was able to install Portal 10.5 on a test server. My ArcGIS server will stay at 10.3.1 for now, which isn’t a problem, I can connect to it fine from portal, I just can’t federate portal with AGS, but that’s fine, I don’t need that.

Sorry Jeff I don't think I was clear, my fault.  You can't unregister your developer app, that has to stay registered.  I meant that any app, after configuration and you have downloaded it, unzipped it and have added it to your external web server, you do not need to register that app.  

I personally do not and would not add services or feature layers to AGOL through my internal server machine names (if that's what you're saying?), only through the external web adaptor name - webadaptor.scgov.net - But I first secure my services in server manager using an ArcServer viewer role, then add (register) my feature layers with our org and store the credentials.  That way my services are always secure and then the AGOL permissions controls who can see the map. But I agree with everything else you are saying.  

Thanks for the Portal info, as what I'm doing will change when we federate and designate a hosting site.  Then Portal permissions will control services permissions, at least that's how I understand it so far.

Brain,

  As I told you I have this working for a webmap that is private in my organization. and a registered ap that is public. Unless you have something else in the mix that I do not then it is likely this will be on of those hand plants to the face because you missed something simple.

That's what I'm afraid of. I have been pulled off of webmaps for so long lately that I'm learning everything all over again. Maybe I just need to start from scratch?! Hmmmmmm....

I'm going to give that a try...

I appreciate your time Robert.