I have the opportunity to re-design our ArcGIS Enterprise deployment and could use a sanity check.
Current state: ArcGIS Enterprise on 11.1, Windows, on prem, no web adaptors, F5 for load balancer, Portal and ArcGIS Server in DMZ (for field work use without VPN), other components in internal network.
Future state: ArcGIS Enterprise 11.1 Windows on prem (no change), new host in DMZ with multiple web adaptors installed, F5 in front of web adaptor host (IT requirement), all AGE components moved to internal network.
What I think this should achieve is the ability to still connect to Portal off VPN; traffic would route to F5 > Web Adaptor host > Web Adaptor host routes to appropriate AGE servers within the internal network
We currently use the DNS alias to define routes within F5 (e.g. portal.company.com/arcgis, server.company.com/arcgis). Ideally, our F5 config could be simplified by having a single VIP (e.g. maps.company.com) which routes to the Web Adaptor host > and we use the URL context to define where traffic goes (maps.company.com/portal, maps.company.com/server, maps.company.com/image).
Any gaping holes in this plan? Is the single web adaptor host (with web adaptor for portal, server, image server installed) advisable?