How to set up F5 BIG-IP and ArcGIS Server 10.8.1, no web adaptors, to allow print service to work, Windows

12-28-2020 02:44 PM
JaniceBaird
Occasional Contributor II

I have 2 virtual machines with Windows 2019 and ArcGIS Server 10.8.1. I am trying to implement an F5 Big-IP load balancer in place of web adaptors. We have all three servers in the DMZ. I have a geoprocessing service which is used for printing a map. The geoprocessing service works when I browse to the REST endpoint and select "execute task". This is the Export Web Map task and I provide a JSON string with the map information, a string for the output format (PDF), and a paper size (Letter ANSI A Landscape). The task works and creates a PDF of the map as long as I do not include any map layers from my GIS server site. The server log has the following error messages:

SEVERE Dec 28, 2020, 9:53:45 AM Error executing tool. Export Web Map Geoprocessing/BasicPrinting.GPServer
SEVERE Dec 28, 2020, 9:53:45 AM Error executing tool. Export Web Map : Layer "layer2": Unable to connect to map server at https://<loadbalancer>/arcgis/rest/services/Assessor/PropertyMap_CU_Inside/MapServer/. Failed to execute (ExportWebMap). Failed to execute (Export Web Map). Geoprocessing/BasicPrinting.GPServer
WARNING Dec 28, 2020, 9:53:45 AM A connection with the server could not be established (WinINet Error while using HTTPS security, 12029), URL = https://<loadbalancer>/arcgis/rest/services/Assessor/PropertyMap_CU_Inside/MapServer?f=json Geoprocessing/BasicPrinting.GPServer
WARNING Dec 28, 2020, 9:53:44 AM A connection with the server could not be established (WinINet Error while using HTTPS security, 12029), URL = https://<loadbalancer>/arcgis/rest/info?f=json Geoprocessing/BasicPrinting.GPServer

Has anyone been able to set up and use an F5 load balancer with an ArcGIS Server 10.8.1 stand-alone site and still be able to use the Export Web Map service?

Accepted Solutions
JoshuaBixby
MVP Esteemed Contributor

Fundamentally this is a Windows error code and Windows issue.  ArcGIS Server is the symptom here, not the problem.  Error Messages (Wininet.h) - Win32 apps | Microsoft Docs

ERROR_INTERNET_CANNOT_CONNECT (12029): The attempt to connect to the server failed.

If you are seeing the load balancer URL in the logs, then the URL translations between GIS Server and the F5 are working, which is good.  Since these servers are in a DMZ, I am guessing the F5 is blocking their connection back to the F5.  I assume if you log into the console of one of these machines and try to connect using a browser to https://<loadbalancer>/arcgis/rest/info, it will fail.

JaniceBaird
Occasional Contributor II

Joshua,

That is exactly correct. I cannot browse to the rest services from the arcgis server through the F5. I can browse all day from other computers. Do you have any idea how to correct this issue?

Thanks,

Janice.

JonathanQuinn
Esri Notable Contributor

One option is to set up a forward proxy, then configure the forward proxy at the OS level as well as in ArcGIS Server. Server will then reach external endpoints via the forward proxy.

https://enterprise.arcgis.com/en/server/latest/deploy/windows/using-a-forward-proxy-server-with-arcg...

JaniceBaird
Occasional Contributor II

Hi Jonathan,

Thanks for the reply. My IT department tells me that we do not use a forward proxy. I am guessing that you are saying that we should use a forward proxy. I am working with the IT department at this time but it is not going quickly. They are not comfortable with the gis servers and I know nothing about the load balancer configuration. I am unable to browse from my gis server to the load balancer but can browse to it from my workstation. Are there settings that need to be updated on the gis server to allow it to talk to the load balancer? I did follow one technical article about running IE as the arcgis service account and making sure the LAN settings were unchecked and the load balancer url was added to the intranet zone sites. This did not improve my situation. I do have a case open with technical support but this is going slow as well.

Thanks,

Janice.

JoshuaBixby
MVP Esteemed Contributor

This isn't a GIS Server issue, it is solely a network infrastructure issue.  DMZs are commonly locked down to prevent unapproved port and IP traffic, both inbound and outbound.  You will need to work with your IT folks to configure the firewalls and/or load balancer to allow the servers to connect back to themselves through the load balancing interface.

JaniceBaird
Occasional Contributor II

Hi Joshua,

Thanks for the reply. Unfortunately, my IT folks say it is a GIS Server issue because the server log files say that the GIS Server is not allowing the connection... This is getting pretty messy! I am sorry. If we get it figured out, I will post the solution.

Thanks,

Janice.

JonathanQuinn
Esri Notable Contributor

As @JoshuaBixby mentioned, it's a networking problem. It just so happens that the machine with the problem has ArcGIS Server running on it.

"I cannot browse to the rest services from the arcgis server through the F5."

This is the indication it's not a software problem; take the software out of it, and you still see issues. ArcGIS Server is making the same connection that you are attempting manually. If you can't connect in a browser, Server can't either.

You'll need to look into a forward proxy to allow outbound connections, or modify firewall rules to allow that connection.
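
The browser test discussed in this thread can be made repeatable with a staged check run on each GIS Server machine, which shows whether the path to the load balancer fails at name resolution, at the TCP connection, or at TLS/HTTP. This is an added example, not code from any of the posters or from Esri; `loadbalancer.example.com` is a placeholder for the host name that appears in the server log, and `Test-LbPath` is a hypothetical helper name.

```powershell
# Added example: staged connectivity check from a GIS Server machine to the load balancer.
param(
    [string]$LbHost = 'loadbalancer.example.com',   # placeholder: host name from the log URL
    [int]$Port = 443
)

function Test-LbPath {
    param([string]$HostName, [int]$Port)

    $r = [ordered]@{ Host = $HostName; Address = $null; Tcp = $false; Http = $null; FailedStage = $null }

    # Stage 1: name resolution through the OS resolver (hosts file and DNS).
    try {
        $r.Address = [System.Net.Dns]::GetHostAddresses($HostName)[0].IPAddressToString
    } catch {
        $r.FailedStage = 'DNS'
        return [pscustomobject]$r
    }

    # Stage 2: TCP connection to the load balancer address. A failure here matches
    # the "attempt to connect to the server failed" meaning of WinINet error 12029.
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    $r.Tcp = $tcp.TcpTestSucceeded
    if (-not $r.Tcp) {
        $r.FailedStage = 'TCP'
        return [pscustomobject]$r
    }

    # Stage 3: TLS handshake plus the same REST request the print service logged.
    try {
        $uri  = "https://${HostName}:$Port/arcgis/rest/info?f=json"
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        $r.Http = $resp.StatusCode
    } catch {
        $r.Http = $_.Exception.Message
        $r.FailedStage = 'TLS/HTTP'
    }
    [pscustomobject]$r
}

Test-LbPath -HostName $LbHost -Port $Port | Format-List
```

Running it once on a GIS Server machine and once on a workstation that can reach the services gives the network team a side-by-side result; a `FailedStage` of `TCP` only on the servers points at firewall or load balancer rules rather than at ArcGIS Server.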

JaniceBaird
Occasional Contributor II

I have marked JoshuaBixby as providing the solution. He is right about it being a network issue and not a GIS Server issue. The Network folks did something with an external listener which allowed the gis servers to access themselves through the load balancer. I don't have the exact terminology but could probably provide more info if anyone is interested.

 

Thanks to Jonathan and Joshua for sticking with me.

Janice.