A brief guide to ArcGIS Server federation
Nowadays more and more organizations are adopting Esri’s Web GIS solutions, which could be ArcGIS Online, ArcGIS Enterprise on premises or a hybrid solution. To deploy ArcGIS Enterprise, you need to federate ArcGIS Server with Portal for ArcGIS.
Some organizations currently run a standalone ArcGIS Server site and wonder where to start with this new federation model. If you’re the ArcGIS Server administrator for such an organization, feel at ease. This “ArcGIS Server federation 101”, in addition to a tutorial video, will set you off on the right foot in no time.
So, what is ArcGIS Server federation exactly?
ArcGIS Server federation is a way to integrate ArcGIS Server with Portal for ArcGIS’s security and sharing models. You DO NOT need to federate your ArcGIS Server with portal, unless you want to achieve the following:
- Authenticate users via Security Assertion Markup Language (SAML)
- Publish hosted layers directly from portal
- Perform spatial analysis in portal map viewer
Esri has comprehensive documentation discussing what functions become available once you federate your ArcGIS Server. Generally, there are two major changes noticed right away by the administrators and users after Server federation:
- You now need to sign in to ArcGIS Server Manager and the REST Services Directory using portal named user credentials, although you may still log in to the ArcGIS Server Administrator Directory as the ArcGIS Server Primary Site Administrator.
- To control permissions for your services, you update service layers’ sharing property in portal, instead of making changes in ArcGIS Server Manager.
The comprehensive documentation also mentions a 3rd level of integration between ArcGIS Server and portal, i.e. having a hosting server. A hosting server is first a federated server and it must have a managed database, which is usually an ArcGIS Data Store. With a hosting server, users can publish services to portal directly, such as uploading a zipped shapefile to portal website and creating a feature service at the same time. Refer to the documentation for more functions provided only by a hosting server.
Okay, how to federate ArcGIS Server with Portal for ArcGIS then?
Let’s first look at the components involved in a federated site. A typical ArcGIS Enterprise site has these main pieces: Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store and ArcGIS Web Adaptor. These pieces could be deployed on a single machine or distributed across multiple machines. Web Adaptors could also be replaced by your own reverse proxy.
A typical ArcGIS Enterprise deployment
To focus on federation, assume I already have a Portal for ArcGIS deployed with a configured Web Adaptor “portal”, an ArcGIS Server site with a configured Web Adaptor “server” and a configured ArcGIS Data Store. At a minimum, I need to know the following URLs to complete federation:
- Portal client-facing URL, e.g. https://web.domain.com/portal
- Portal private URL, e.g. https://portalserver.domain.local:7443/arcgis
- ArcGIS Server services URL, e.g. https://web.domain.com/server
- ArcGIS Server administration URL, e.g. https://arcgisserver.domain.local:6443/arcgis
The ArcGIS Server services and portal user-facing URLs are the ones consumed by clients (e.g. browsers, 3rd party apps). The ArcGIS Server admin and portal private URLs are used by administrators, as well as by ArcGIS Server and portal to communicate with each other.
Before federation, we should also make sure ArcGIS Server and portal use the same security protocol. Portal for ArcGIS must always have HTTPS enabled. It is optional to disable HTTP access to portal and if you do so, ArcGIS Server shall be configured as HTTPS Only too. Just remember: 1) ArcGIS Server and portal should have the same security protocol; 2) The protocol could be either HTTPS Only, or HTTP and HTTPS both allowed.
Security protocol is all set. Now we need to enable trust between ArcGIS Server and portal. In other words, they need to trust each other’s SSL certificates. (If not, your federation may still go through, but users could encounter issues when they work within ArcGIS Enterprise.)
You could tell from the federation URLs that I have certificates in three places: the web server (web.domain.com) at implicit port 443, the ArcGIS Server at explicit port 6443, and portal at explicit port 7443. See below for a comparison of the certificates at web server port 443 and at portal port 7443.
Certificates applied at web server versus at port 7443
If you use an SSL certificate signed by a widely trusted CA everywhere, you may not need to do anything at this point; however, if you use a domain-signed SSL certificate or the default self-signed certificate (as shown for my 7443 URL), it may be necessary to explicitly enable trust. I will give you an example below, and you should be able to figure out the rest.
To make ArcGIS Server trust portal’s self-signed certificate, you could follow these three simple steps (refer to the diagram): 1) export the portal certificate as a .CER file using the “Copy to File” option, 2) import the certificate into ArcGIS Server using the “Import Root Or Intermediate” option in ArcGIS Server Administrator Directory and 3) confirm the certificate is imported successfully.
Export portal’s self-signed certificate and import into ArcGIS Server
Then repeat the steps above to have portal and ArcGIS Server trust each other’s certificates, as well as the web server certificate.
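To see which endpoints need that export-and-import treatment, the following added example (not part of the original post, and not Esri code) derives the distinct certificate endpoints from the four federation URLs and tests each certificate against a trust store. It assumes the example hostnames used in this guide and uses the local Python default trust store as a stand-in for the stores that ArcGIS Server and portal manage themselves, so a rejection here only flags a certificate that is a candidate for explicit import.

```python
import socket
import ssl
from urllib.parse import urlsplit

# The four federation URLs, using the example hostnames from this guide.
FEDERATION_URLS = {
    "portal_client": "https://web.domain.com/portal",
    "portal_private": "https://portalserver.domain.local:7443/arcgis",
    "server_services": "https://web.domain.com/server",
    "server_admin": "https://arcgisserver.domain.local:6443/arcgis",
}

def tls_endpoints(urls):
    """Map each distinct (host, port) certificate endpoint to the URL roles it serves."""
    endpoints = {}
    for role, url in urls.items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue  # a plain-HTTP URL presents no certificate
        key = (parts.hostname.lower(), parts.port or 443)
        endpoints.setdefault(key, []).append(role)
    return endpoints

def verification_error(host, port, timeout=5.0):
    """Return None if the certificate verifies against the local default
    trust store (assumption: a stand-in for the ArcGIS stores), else the reason."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message  # e.g. self-signed or hostname mismatch
    except OSError as exc:
        return f"unreachable: {exc}"

def report(urls):
    """One line per endpoint: the roles it serves and whether trust needs attention."""
    lines = []
    for (host, port), roles in sorted(tls_endpoints(urls).items()):
        error = verification_error(host, port)
        status = "verifies" if error is None else f"review trust ({error})"
        lines.append(f"{host}:{port} [{', '.join(roles)}] -> {status}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(FEDERATION_URLS)))
```

Run it from the ArcGIS Server and portal machines in turn, since name resolution and firewall rules for ports 6443 and 7443 can differ between them.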
Great! We’re ready to federate ArcGIS Server with portal. Oh, one last thing: if you have configured Integrated Windows Authentication (IWA) with ArcGIS Server and want to keep using it with ArcGIS Enterprise, you need to revert ArcGIS Server web adaptor to anonymous authentication and configure IWA for portal. (Read more.)
Time to federate!
- Log into portal as an administrator, using portal client-facing URL, e.g. https://web.domain.com/portal/home
- Go to Organization > Edit Settings > Servers, and click Add Server
- Enter the Services URL, Administration URL, ArcGIS Server administrator credential, and click “Add”
Add ArcGIS Server
- Optionally, pick the federated ArcGIS Server as a Hosting Server, assuming it has an ArcGIS Data Store configured.
Federated server and hosting server
- Save and you’re done!
Wait a minute. Where is the Portal private URL? Let’s confirm the federation registration on both sides.
- Log into Portal Administrator Directory, go to Federation > Servers > [server name]. Note “Url” corresponds to ArcGIS Server Services URL you entered, and “Admin Url” is the Administration URL entered. (Note in the diagram my “Url” and “Admin Url” point to the same server, as I have both ArcGIS Server and IIS Web Server installed on the same machine for the demo.)
Federation information at portal side
- Log into ArcGIS Server Administrator Directory, go to Security > Config, and examine the Portal properties section. Portal private URL is found as “privatePortalUrl”, and you can probably identify the other URLs listed.
Federation information at ArcGIS Server side
And we have a federated ArcGIS Server!
Additional Resources:
After reading this blog, you will likely still need to spend many hours reading documentation and perhaps practicing in a development environment. Search engines will be your good friends.
For those who have a standalone ArcGIS Server in production and need to migrate contents to an ArcGIS Enterprise site, make sure you check this white paper: Migrating standalone ArcGIS Server to ArcGIS Enterprise.
For those who just want to deploy a new ArcGIS Enterprise on a single machine or would like to see what ArcGIS Enterprise looks like, you may take advantage of ArcGIS Enterprise Builder. It allows you to run a wizard, which installs all the required pieces and configures everything for you, including federation.
Hope you’ll find this guide handy and are ready to federate!