Embed Size (px)
Citation preview
Deploying Portal for ArcGIS:Advanced Scenarios
Bill Major, Craig Cleveland
February 24–25, 2016 | Washington, DC
FedGIS Conference
Agenda
• Configuring Portal for ArcGIS in Disconnected Environments• Deploying Portal Apps in Disconnected Environments• Portal for ArcGIS Advanced Customizations• Setting up SSL Certs and Trusts• Portal for ArcGIS and High Availability• Integrating with Enterprise User Stores
- Active Directory and LDAP- Web Tier Authentication using IWA and PKI
• Running Portal for ArcGIS on AWS• ArcGIS 10.4 – New features and enhancements
Configuring Portal for ArcGIS in Disconnected Environments
Disconnected EnvironmentsNot everyone has internet access
• How many of you run disconnected today?• Many customers run ArcGIS with no access to internet resources
- No access to ArcGIS Online Base Maps- No access to http://js.arcgis.com- No access to resources such as World Geocoder, Geoenrichment Services or ArcGIS API
for JavaScript Web Optimizer
• Security often dictates running disconnected environments• Disconnected environments create unique challenges that need to be addressed in
order to take full advantage of an on-premises WebGIS platform
Custom Basemaps in Portal for ArcGIS
• Add a cached map service to Portal map viewer
• Save Web Map as a new item and share with custom group and Everyone• Specify custom group for Basemap gallery, and select a default Basemap• Esri Commercial Data Appliance (CDA) offers ArcGIS Online Basemap capabilities
Basemaps
Where will your Basemaps come from?
Enabling On-Premises Utility Services in Portal
• Printing – enable the Print Service of an ArcGIS Server and use the Export Web Map Task.
• Geocoding - World Geocoding Service On-Premises- Esri Streetmap Premium Geocode Services published on-premises- Custom Geocoding Service
• Geometry – utilize the Geometry Services of an on-premises ArcGIS Server• Routing
- Utilize Esri Streetmap Premium Routing Services published on-premises- Custom Routing Service
Demonstration
Configuring Portal for ArcGIS in Disconnected Environments
Deploying Portal Apps in Disconnected Environments
Operations Dashboard for ArcGIS
• App for monitoring, tracking, and reporting real-time data feedsand assets
• 2 platforms to work with the app:1. Windows Desktop app2. Web-browser based app (built on JavaScript)
- Included with Portal for ArcGIS
Operations Dashboard for ArcGISDeployment Utility
• Step 1 - Preparations- Download and extract deployment utility from “My Esri” - Have security certificate ready- Know your Portal URL- Have write access to Portal’s \apps\dashboard-win folder
• Step 2 – Run deployment utility
• Step 3 – Deploy to Portal- Copy output folder from step 2 to Portal’s \apps\dashboard-win folder- Create an application item of Operations Dashboard
Esri Maps for Office
• Make dynamic maps of your spreadsheet data in Excel.
• Create color-coded, point, clustered point, or heat maps.
• Share your maps with Portal, or insert them into your PowerPoint
Esri Maps for OfficePortal Resources for Esri Maps for Office
• Install Portal Resources for Esri Maps for Office- Host the JavaScript files required by Esri Maps for Office
on your network.
• Set your Esri Maps for Office ArcGIS connection topoint to your Portal for ArcGIS instance.
Authorizing ArcGIS Pro with Portal for ArcGISSimilar to ArcGIS Online, but different…
• Similar end user and provisioning process to ArcGIS Online
• Different back end to enable that experience
Authorizing ArcGIS Pro with Portal for ArcGISRequired Components
1. ArcGIS License Server Administrator
2. Named Users License File (.lic)
3. Portal Configuration File(.json)
4. Portal for ArcGIS
Portal for ArcGIS Advanced Customizations
config.js
• Located at <Portal Install Directory>\customizations\10.3.1\webapps\arcgis#home\js\arcgisonline
• Detailed in the Portal Administrator Help• Provides additional configuration of the Portal UI• You may want to do this if you're configuring a disconnected deployment or
modifying the portal's behavior to match the requirements of your organization• Use extreme caution when editing; always make a backup!
What is this?
config.js
• Set the extentService• Set the gcsBasemapService• Add Security Classification Banners• Add Footer Links• Restrict My Organization page to Portal Admins only• Enable/Disable Show Social Media Links• Enable/Disable Web Search• Enable/Disable the ability for new users to “Create Account”
Important Settings for Disconnected Environments
Demonstration
Advanced Customizations
SSL Certificates and Trusts
Setting up SSL Certificates and Trusts
• Most organizations have strict Secure Socket Layer (SSL) requirements• Portal for ArcGIS installs self-signed certificate for HTTPS port 7443
- Consuming services directly from self-signed certificates is highly discouraged.
• To overcome this, install separate Web Adaptors for Portal and ArcGIS Server and SSL-enable your web server; users only communicate with Web Server over 443.
• Web Server should be configured with a properly signed certificate, e.g. Verisign
Server Certificates and Trust Stores
ArcGIS Server
Portal forArcGIS
CA SignedSSL Certificate
https://webserver.com
6443
7443
/portal
/server
Setting up SSL Certificates and Trusts
• Some organizations mandate no HTTPS with self signed certificates exist• Must update the Portal installation certificate with properly signed certificate• Portal Administrator Directory provides tools to facilitate this process• 2 paths:
- Generate a new Certificate Signing Request, have CA sign, and import response- Import an existing server certificate and private key (e.g. PFX file)
- Will need to import Trust chain if not part of the PFX
Updating Server Certificates
But, there is a whole lot more to this story…Example SSL Touch Points in on-premises WebGIS
Web Server Portal for ArcGIS
FederatedArcGIS Server
External SSLArcGIS Server
Client WebBrowser
Secure LDAP
** Client browser musttrust CA chain
** Client browser musttrust CA chain
** Web Server musttrust CA chain
** Portal must trust CA chain of sLDAP
** Portal must trust CA chainof ArcGIS Server
** Portal must trust CA chainof ArcGIS Server
** Web Server must trust CA chainIf :7443 is using CA signed
** Print TaskArcGIS Server and OS must trust CA chain to Portal, Web Server, andExternal ArcGIS Servers
Setting up SSL Certificates and Trusts
• For external trust, import Root and Intermediate certificates into the cacerts keystore• Always restart Portal after any changes to cacerts file• Help topic: Configuring the portal to trust certificates from a certifying authority
Establishing Trust with other Servers at 10.3.1
Portal for ArcGIS High Availability
Portal for ArcGIS High Availability
• Configuring high availability is an advanced task- Requires an extensive understanding of portal administration, scripting, and networking
• Professional Services engagement is strongly encouraged
Integrate with an Enterprise User StoreAD and LDAP
Active Directory or LDAP Logins – Conceptual Workflow
A
Web Server Portal for ArcGIS
ArcGIS Server
Federated
Identity StoreAD or LDAP
1. PresentCredentials
2. Validate login; get additional user information; Enterprise Groups
SSL OnlyNo Authentication
Web Tier Authentication with IWA\PKI
Integrated Windows Authentication – Conceptual Workflow
A
Web Server Portal for ArcGIS
ArcGIS Server
Federated
Identity StoreAD or LDAP
1. PresentCredentials
2. Authenticate againstIdentity Store
3. Pass user identitythrough to Portal
4. Get additional userinformation; EnterpriseGroups
PKI Client Certificate Authentication – Conceptual Workflow
A
Web Server Portal for ArcGIS
ArcGIS Server
Federated
Identity StoreAD or LDAP
1. PresentPKI Certificate
2. Authenticate againstIdentity Store
3. Pass user identitythrough to Portal
4. Get additional userinformation; EnterpriseGroups
Custom Web Tier Authentication – Conceptual Workflow
A
Web Server Portal for ArcGIS
ArcGIS Server
Federated
Identity Store?
1. PresentPKI Certificate
2. Authenticate againstIdentity Store
3. Pass user identitythrough to Portal
Custom
Demonstration
Integrating with an Enterprise User Store
Running Portal for ArcGIS onAmazon Web Services
Portal for ArcGIS and AWS
• http://server.arcgis.com/en/portal/latest/administer/windows/deploy-portal-on-aws.htm
• Use an Elastic IP or DNS name• Configure the Web Adaptor using this Elastic IP or DNS name• Consider using CloudFormation Templates • If federating an ArcGIS Server in AWS, need to follow a couple of advanced
configurations mentioned in the Help document.
ArcGIS 10.4 Improvements
6 Nice Things at 10.4 (related to this session)
• Simplified web browser-based HA Configuration- “Create Site” vs. “Join Site” concept
• Security- Import CA Root and Intermediate trust certificates via /portaladmin- Components refresh, security fixes, Windows 10 Support, Python scan utility
• Improved Federation experience with ArcGIS Server• Ability to define a Custom Role for all new users• Groups that allow members to update any shared item (owned by someone else)• Concurrent License Manager model for ArcGIS Pro 1.2• Much more…..
http://server.arcgis.com/en/portal/latest/administer/windows/what-s-new-in-portal-for-arcgis-10-4.htm
Questions???Thank you for your time!
February 24–25, 2016 | Washington, DC
FedGIS Conference
Download the Esri Events app!
Don’t forget to complete your digital session survey
Please Take Our Survey!
Select the session you attended
Scroll down to find the survey Complete Answersand Select “Submit”
Download the Esri Events app and find your event
Networking ReceptionSmithsonian National Museum of the American IndianThursday, 6:30 p.m. – 9:30 p.m.Bus pickup on L Street
Print your customized Certificate of AttendancePrint stations located in the 140/150 Concourse
GIS Solutions Expo, Hall AThursday, 10:45 a.m. – 4:00 p.m.
• Exhibitors• Hands-on Learning Lab• Demo Theaters• Esri Showcase
