POST
I think you're going to be fighting an uphill battle on this one, especially since this is violating two requirements of Portal for ArcGIS.

The first is the system requirement for Portal for ArcGIS only supporting a single DNS.
Domain name service and fully qualified domain name requirements https://enterprise.arcgis.com/en/system-requirements/latest/linux/portal-for-arcgis-system-requirements.htm#ESRI_SECTION1_EE1B77F84DAD49FB90B174D7D1FF27C2

The second would be the context configuration, which is only supposed to go one sub-page deep in the URL.
Prerequisites to configure a highly available portal https://enterprise.arcgis.com/en/portal/latest/administer/windows/configuring-a-highly-available-portal.htm#ESRI_SECTION1_E9E60E7F010F42ECA1DBCC610C7D0EE3

To achieve what you are proposing, it would require the proxy action to cover every circumstance where a request coming into the IIS/ARR machine would be re-written as Portal expects it for the current WebContextURL on the local web adaptor machine. It would also require the proxy to rewrite any redirect response headers with the external URL and context(s). Even that wouldn't account for some of the pages that are initiated by other resources and would likely still use the internal Portal address to load.
12-03-2020 03:47 PM

POST
I would tack onto what @NiekGoorman1 suggested with the following Admin API operation that would allow you to update the IDP username (value used to match the incoming SAML assertion Name ID attribute to the user within Portal). If the Name ID attribute is going to change, this would be a workaround that would prevent you from duplicating accounts and migrating content to the new account, but the username within Portal would not be updated. Overall I think it would depend on the number of users to determine which direction you'll take when the cutover happens.

Update Enterprise User—ArcGIS REST API | ArcGIS for Developers https://developers.arcgis.com/rest/enterprise-administration/portal/update-enterprise-user.htm
12-03-2020 03:35 PM

POST
You are correct, if the plan goes off without a hitch then this is a viable approach for migration to a new DBMS instance, but it does fall outside of Esri's scope of support since all the moving parts are non-Esri products/technologies. If you are using the same hostname (FQDN) then you would not need to update any of the SDE connection strings within the registered databases. I primarily wanted to expound a bit upon the supportability of such a maneuver, and outline some of the potential pitfalls along the way. In terms of recreating the user permissions/roles, the instance would have to be domain-joined to add OS-authentication users, but database users could be mirrored at any point in the process. As you've already alluded to, make sure to have a sound back-out strategy for if things go awry.
12-03-2020 03:25 PM

POST
Hi @AaronLaver, This sounds like a situation where your best bet may be to open a support case so an analyst can help you directly with your specific issue. I've run into instances where the relational data store doesn't want to be registered again with the site, but a restore of the most recent backup was successful.

Restore a relational data store or primary-standby mode tile cache data store after a crash

That may be worth a shot depending on how recently the last backup was taken, otherwise a closer look into the configuration/site-specific files may reveal a more approachable route with less data loss. I haven't been able to track down a common theme between the few incidents that I've seen.
11-30-2020 03:10 PM

POST
The 502 response from the Azure Application Gateway is usually due to the backend target health failing, so I would start in your Azure portal console to look at the status of the backend machine.
11-30-2020 05:05 AM

POST
Hi @AhmedAbdelNasser, I think the approach you are describing would be best segmented into two requirements.

1. Restrict administrative/publishing access to a specific federated ArcGIS Server site. I believe this can be accomplished by using fine-grained access control on the federated server site: Fine-grained access control of federated servers. This would be dependent on group membership, not a custom role, so a member could potentially belong to multiple groups and be allowed to administer multiple ArcGIS Server sites that are federated with the Portal.
2. Create a Portal for ArcGIS "administrator" role that only has the privileges to manage user group membership. User types, roles, and privileges—Portal for ArcGIS | Documentation for ArcGIS Enterprise: Groups -> Assign Members

One problem I see with this approach is an "administrator" could just add themselves to the corresponding group for fine access control on the Server site if they were wanting to access those resources unless you disallow adding/removal of group membership, so I'm not sure if those two (in combination) would fit your requirements exactly. Hope that helps!
11-30-2020 05:00 AM

POST
Hello @Jay_Gregory, I believe that Portal will proxy the requests for Living Atlas content when it is of the Subscriber or Premium classifications, since the configured credentials will need to be attached to the request. In this way, and for other requests that are bounced off of the Sharing/Proxy endpoint, there can certainly be outbound requests issued from Portal for ArcGIS to ArcGIS Online endpoints. These requests should only occur when the item is requested within the Portal, but that can be at any time when a client requests that proxied endpoint. Hope that helps, Chris
11-24-2020 06:04 PM

POST
Hi @BrettSanders, I think the major hurdle with the workflow you're suggesting is there are a number of areas where things can go wrong, and all the steps in the process are achieved outside of Esri software. While it is absolutely true that a new but "identical" SQL instance could run the services, there are a number of caveats including using the same FQDN (or SPN from an OS-authentication perspective), the same security/users/passwords configured on the instance, and no other underlying data changes compared to the original machine/database. With that being the case, it's difficult from an Esri Support perspective to recommend workflows that are not officially documented, even if the workflow could technically work if implemented correctly.

If you were to push forward with this plan, I would recommend having a plan to revert to the original stack in case anything along the way goes awry, which is made difficult since in an AD environment/domain having the same computer name twice within a domain is not possible.

There is another option to update the registered data store connection with a new SDE file when a new instance is stood-up and the data/security migrated to that new instance. The documentation only mentions password updates, but it works for hostname changes as well (documentation enhancement is in the works already). This would be a band-aid to prevent immediately needing to republish all referenced services, but the Service Workspace information would not be updated within Server Manager so it is worth republishing when the opportunity arises.

Register your data with ArcGIS Server using Server Manager—ArcGIS Server | Documentation for ArcGIS Enterprise https://enterprise.arcgis.com/en/server/latest/manage-data/windows/registering-your-data-with-arcgis-server-using-manager.htm#ESRI_SECTION1_01665D7E33384062B6A57DE89A52C2FA

Hope that helps, Chris
11-24-2020 05:56 PM

POST
Hello @DavidPersson, This sounds like a situation where a support case would be very helpful to get the ball rolling on some troubleshooting. Typically we would use Fiddler to capture the web traffic from the client application (ArcGIS Pro) and see what endpoints are being accessed to validate the federated Server site accessibility or not completing the requests successfully. I was involved with a customer that had issues with a cloud deployment and not being able to access the internal Admin URLs used during federation and that caused the second Server site to not appear within ArcGIS Pro.

There is a section in the federation configuration that specifies to use the web adaptor or load balancer URL for the Admin URL when federating. Even though this isn't a cloud deployment, if the administrative URL for the image server site isn't accessible from the Citrix session, that may be playing a role here.

"If you federate with a multimachine site or highly available ArcGIS Server, or if your ArcGIS Server is hosted in a cloud environment, use the Web Adaptor or load balancer URL in this field instead."
https://enterprise.arcgis.com/en/portal/latest/administer/windows/federate-an-arcgis-server-site-with-your-portal.htm

Hope that helps! Chris
11-24-2020 05:37 PM

POST
Hello @yaronmmichlm, I came across a request to simplify the process on the Microsoft Azure Networking improvement site, but currently the only method to reduce cost would be to stop the Azure Application Gateway via the Azure CLI when not in use, then start it before use using the CLI. This blog post gives a solid explanation of how to do so.

How to stop Azure Application Gateway – UseIT | Roman Levchenko https://rlevchenko.com/2020/07/28/how-to-stop-azure-application-gateway/
Start and stop Application Gateway on Azure portal – Customer Feedback for ACE Community Tooling https://feedback.azure.com/forums/217313-networking/suggestions/34819891-start-and-stop-application-gateway-on-azure-portal

Hope that helps!
11-24-2020 05:25 PM

POST
Hello @lvargas, I'm surprised since I am seeing no redirection to 7443 on any of the endpoints of my ArcGIS Enterprise deployment behind this proxy. What if you try appending the correct X-Forwarded-Host header after the 'ProxyAddHeaders Off' statement according to our documented needs for Portal's WebContextURL? Something like 'Header set X-Forwarded-Host dnsalias.domain.com' in the same section may work.
11-20-2020 10:25 AM

POST
Hello @lvargas, I think I understand the behavior now and have amended my /portal location configuration, let me know how it fares for you.

<Location "/portal/">
    ProxyPreserveHost On
    RedirectMatch ^/portal/$ https://machine.domain.com/portal/home/
    RedirectMatch ^/portal/portaladmin$ https://machine.domain.com/portal/portaladmin/
    ProxyPass https://machine.domain.com:7443/arcgis/
    ProxyPassReverse https://machine.domain.com:7443/arcgis/
</Location>
11-20-2020 09:00 AM
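An added example, not part of the original post or of Esri's or Apache's code: a simplified Python model of the Location-header prefix rewrite that the ProxyPassReverse line in the configuration above requests, used to flag redirects that would still reach the client carrying the backend port 7443. The sample responses are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Mapping assumed from the <Location "/portal/"> block in the post above.
PUBLIC_PREFIX = "https://machine.domain.com/portal/"
BACKEND_PREFIX = "https://machine.domain.com:7443/arcgis/"

REDIRECT_CODES = (301, 302, 303, 307, 308)


def reverse_map(location, public=PUBLIC_PREFIX, backend=BACKEND_PREFIX):
    """Simplified model of the reverse mapping: only a Location value that
    starts with the backend prefix is rewritten to the public prefix."""
    if location.startswith(backend):
        return public + location[len(backend):]
    return location


def leaks_backend(location, backend=BACKEND_PREFIX):
    """True when a redirect target still names the backend port."""
    port = urlsplit(location).port      # None for relative or default-port URLs
    return port is not None and port == urlsplit(backend).port


def audit(responses):
    """Return (request path, Location as the client sees it) for every
    redirect that survives the rewrite with the backend port exposed."""
    findings = []
    for path, status, headers in responses:
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            seen_by_client = reverse_map(location)
            if leaks_backend(seen_by_client):
                findings.append((path, seen_by_client))
    return findings


# Constructed backend responses (path requested, status, headers).
SAMPLE = [
    ("/portal/home", 302, {"Location": "https://machine.domain.com:7443/arcgis/home/"}),
    # Backend answers with its short host name, so the prefix does not match.
    ("/portal/portaladmin", 302, {"Location": "https://machine:7443/arcgis/portaladmin/"}),
    ("/portal/sharing/rest", 200, {}),
    ("/portal/home/signin", 302, {"Location": "/portal/home/"}),
]

if __name__ == "__main__":
    for path, location in audit(SAMPLE):
        print(f"{path}: redirect exposes backend -> {location}")
```

A redirect flagged here is one the proxy passes through unchanged, which is the case where a client ends up being sent to port 7443.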

POST
Hello @lvargas, I did some testing on an HTTPD reverse proxy installed on a CentOS VM and did not see the effect you are describing, I've attached a sanitized snippet of my HTTPD ssl.conf file with the relevant information. According to the Apache documentation (linked below) the X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server headers are all appended by default to the request when using the ProxyPass directive.

mod_proxy - Apache HTTP Server Version 2.4 https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers

Have you confirmed the WebContextURL is configured for the Portal site?

RewriteEngine On
SSLProxyEngine On
<Location "/portal">
    ProxyPass https://machine.domain.com/portal/home
</Location>
<Location "/server">
    ProxyPass https://machine.domain.com/server/rest/services
</Location>
<Location "/portal/">
    RedirectMatch ^/portal/$ https://machine.domain.com/portal/home/
    ProxyPass https://machine.domain.com:7443/arcgis/
    ProxyPassReverse https://machine.domain.com:7443/arcgis/
</Location>
<Location "/server/">
    RedirectMatch ^/server/$ https://machine.domain.com/server/rest/services
    ProxyPass https://machine.domain.com:6443/arcgis/
    ProxyPassReverse https://machine.domain.com:6443/arcgis/
</Location>
11-20-2020 06:06 AM

POST
Hello @mody_buchbinder, Can you elaborate a bit further on the shared storage in-use on your ArcGIS Server site? I have seen some performance issues with the standard Azure Files shares as they are not quite responsive enough to host the config-store and directories. The premium shares did alleviate the issues I faced when deploying a multi-machine site, or you may consider hosting a network share on one of the Azure VMs you have deployed already or using a dedicated file server depending on your architecture needs.
11-20-2020 04:42 AM

POST
The System Log Parser application will reach out over the network to the Server Admin endpoints for each site it's capturing logs from, so network connectivity to the Admin endpoint (using either the web adaptor or directly via 6443) would be required. That means that the software can run on any machine with the ability to connect to the ArcGIS Server site over port 6443, or 443 if administrative access isn't disabled at the web adaptor level.
10-20-2020 02:49 PM