Using the DSC Module to install with a DMZ environment for Web Adaptors

03-18-2024 02:48 PM
julian_svcs
Occasional Contributor

We want to use the ArcGIS PowerShell DSC Module to deploy our ArcGIS environment. The deployment consists of a Base Deployment (Portal, ArcGIS Server and Data Store), two federated servers and the Web Adaptors (portal, hosting, fed1, fed1) deployed on a web server in a DMZ. All servers except the web server in the DMZ are domain joined.

Is there a configuration of the DSC that would be able to deploy the entire environment (including the WAs in the DMZ)?

We tried to use a DSC configuration to install the WAs in the DMZ but because it is not domain joined we got errors. We are now looking at an option to install and configure the WAs using a separate .ps1 script while using the DSC for the rest of the installations. We are looking at two options for this but not sure if they are valid.

Option 1:

  1. Install and License base deployment (DSC)
    1. portal and arcgis
  2. Install and configure Web Adaptors for portal and arcgis (.ps1)
  3. Install, License and Configure base deployment (DSC) (including federation): this should skip the installation and licensing part and go to the configuration.
  4. Install and License federated servers (DSC)
  5. Install and configure Web Adaptors (.ps1)
    1. gen and gef
  6. Install, License and Configure federated servers (DSC) (including federation)

 

Option 2:

  1. Install, License and Configure base deployment (DSC) (including federation)
    1. portal and arcgis
  2. Install and configure Web Adaptors for portal and arcgis (.ps1)
  3. Install, License and Configure federated servers (DSC) (including federation)
  4. Install and configure Web Adaptors (.ps1)
    1. gen and gef

Any ideas @CameronKroeker - thanks for any assistance with this.

2 Replies
CameronKroeker
Esri Contributor

Hi @julian_svcs,

Yes, it is possible to deploy a base enterprise with the web server in the DMZ; however, it does require some additional environment configuration.

- Trusted Hosts will need to be configured properly for all target nodes to establish trust (either the IP of each node and/or hostname).

- A common Administrator account will need to be used for the Invoke-ArcGISConfiguration -Credential flag. Since the web server node isn't on the domain, a domain administrator account cannot be used. It will need to be a local administrator account. This local administrator account will need to exist on all target nodes and have the same username and password. Note: If you get an access denied error, check that the LocalAccountTokenFilterPolicy is configured.

Here are some helpful resources:

Here are a couple commands that can be used to test the connection between the dmz node and domain joined nodes:

WinRM HTTPS:

Test-WSMan -ComputerName TargetNodeMachineNameOrIP -Authentication default -Port 5986 -UseSSL -Credential LocalAdministratorUsername

WinRM HTTP:

New-CimSession -Port 5985 -ComputerName TargetNodeMachineNameOrIP -Authentication default -Credential LocalAdministratorUsername

Test-WSMan -ComputerName TargetNodeMachineNameOrIP -Authentication default -Port 5985 -Credential LocalAdministratorUsername

Thanks,

Cameron K.
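
A pre-flight check for the settings named in the reply above, as an added example that is not part of the original post or of the ArcGIS DSC module: run in an elevated session on each node, it reports whether every peer is covered by TrustedHosts, the local LocalAccountTokenFilterPolicy value, and the WinRM HTTPS result per peer. The node names are constructed placeholders.

```powershell
# Added example (not from the original thread). Run elevated on each node.
# Node names are constructed placeholders; replace them with your own.
$Nodes = @('portal01.example.local', 'server01.example.local', 'webdmz01')
$Port  = 5986   # WinRM HTTPS, as in the Test-WSMan command above
$Cred  = Get-Credential -Message 'Common local administrator account'

# 1. TrustedHosts is a client-side WinRM setting: read it on this machine.
$trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -contains '*') {
    Write-Warning 'TrustedHosts is "*": every host is trusted. List the nodes explicitly.'
}

# 2. LocalAccountTokenFilterPolicy on this machine.
#    1 = remote logons by local administrators receive a full (unfiltered) token.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
            -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($null -eq $latfp) { $latfp = 'not set' }
Write-Output "LocalAccountTokenFilterPolicy on ${env:COMPUTERNAME}: $latfp"

# 3. Per peer: is it covered by TrustedHosts, and does WinRM answer with $Cred?
$results = foreach ($node in $Nodes) {
    # TrustedHosts entries may be wildcard patterns, so match with -like.
    $isTrusted = [bool]($entries | Where-Object { $node -like $_ })
    try {
        Test-WSMan -ComputerName $node -Port $Port -UseSSL -Authentication Default `
            -Credential $Cred -ErrorAction Stop | Out-Null
        $winrm = 'OK'
    } catch {
        $winrm = $_.Exception.Message   # e.g. access denied, certificate or trust errors
    }
    [pscustomobject]@{ Node = $node; InTrustedHosts = $isTrusted; WinRM = $winrm }
}
$results | Format-Table -AutoSize -Wrap
```

A node that shows `InTrustedHosts = False` or an access denied message in the `WinRM` column points back to the two configuration items in the reply.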

 

 

 

julian_svcs
Occasional Contributor

Awesome, thanks @CameronKroeker. I'll check it out and get back to you.