Installing a device certificate in an HA ArcGIS Enterprise with a third-party NLB

08-23-2017 10:51 AM
AzinSharaf
Occasional Contributor II

I am deploying a highly available Portal and ArcGIS Server based on the following diagram. We use KEMP Virtual as the network load balancer. Since we would like all transactions to use the HTTPS protocol only, and we use a third-party NLB, where should we install the device certificate? Only on the web server (IIS, and also importing it into the ArcGIS Server and Portal admin pages as we do in a regular deployment), or on the NLB, or both?

5 Replies
PayneRingling
New Contributor III

How was your deployment? We are trying out a free trial of KEMP's LoadMaster but are having difficulty configuring it to get access to our ArcGIS Server site. It will hit our IIS landing page, and even load balance web pages that we have on each GIS Server, but no matter what we do, we can't get it to access our REST catalog.

JonathanQuinn
Esri Notable Contributor

What URL are you requesting? Ex https://kemp-machine.domain.com/server/rest/services?

What is the error response?

Are you using the web adaptor, or going straight from the load balancer to 6443?

PayneRingling
New Contributor III

I'm starting to see some functionality.....

I haven't started putting certs on anything yet; I'm just looking at the functionality of the KEMP product while we have a free trial. Currently, I have been able to access the server directories only under the given parameters:

The virtual IP of the load balancer is listening on port 80

The GIS Servers have been added to the load balancer cluster via port 6080

Load Balancer: KEMP.domain.net

GIS Server 1: gis-s1.domain.net/arcgis

GIS Server 2: gis-s2.domain.net/arcgis

URL to Directories: http://kemp.domain.net/arcgis/rest/services

I can get access to, and consume services this way. It works even when I disable one or the other GIS Server machines. 

I don't know if the issue is simply ArcGIS Server wanting to default to 6443 when trying to access the ArcGIS Manager site, and neither the load balancer nor either of the ArcGIS Server machines has an HTTPS self-signed cert on it, but it is basically inaccessible via the load balancer. I've tried almost every conceivable combination of URLs to try to get it to push through:

http://kemp.domain.net/arcgis/manager

http://kemp.domain.net:6080/arcgis/manager

http://kemp.domain.net/gis-s1/manager

I know that eventually you don't want any administrative access through the LB at all, and want to statically allow the IP of your machine. But I figured that it would allow management/admin access by default during setup.

EDIT: I will mention, if I go to http://kemp.sarasotagov.net/arcgis/.... I get the landing page of ArcGIS Server with no login window... just the background image. 

EDIT 2: I am coming to believe this is simply an error with http/https. When I try to access the manager site directly on either of the ArcGIS Server machines, it automatically corrects it to https and 6443. Even if I explicitly state http and port 6080 (which is what the load balancer would be listening on), it corrects it to https and 6443, and throws an "unsafe website" error. If I try going to kemp.sarasotagov.net:6443/arcgis/manager, it fails because it is only listening on port 80/6080. I'll put certs on all three machines tomorrow and continue testing functionality.

Any help is always appreciated!

Thanks

JonathanQuinn
Esri Notable Contributor

If your browser is redirecting to 6443 when you go to http://server.domain.com:6080/arcgis/manager, then that same redirect will happen when the LB sends the request to the back-end server. In your case, you don't have https enabled, so that request will fail. I'd say once you get your certificates straightened out and start handling https traffic, you'll see better results.

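The redirect behaviour Jonathan describes above, worked through as an added example (this is not code from the thread, from Esri, or from KEMP): a small Python script that takes a captured back-end response, checks whether the Location it returns can be reached through the load balancer's virtual IP, and rewrites it to the VIP's name and port. The sample response, the host names (gis-s1/gis-s2/kemp.domain.net) and the VIP settings are constructed placeholders based on the thread, not real captures; the status code and header layout are an assumption of what a plain HTTP-to-HTTPS redirect looks like.

```python
"""Check and rewrite a back-end redirect so it stays reachable through a load balancer.

Added example for this thread; not Esri, KEMP or thread code. All hosts, ports
and the sample response are constructed placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what a back end listening on 6080 might answer with when it
# insists on HTTPS on 6443 (assumed layout, not a real ArcGIS Server capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://gis-s1.domain.net:6443/arcgis/manager\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Back-end node names the LB balances across (placeholders from the thread).
BACKENDS = {"gis-s1.domain.net", "gis-s2.domain.net"}

# (scheme, host, port) the client actually talks to: the LB's virtual IP.
FRONTEND_HTTPS = ("https", "kemp.domain.net", 443)
FRONTEND_HTTP_ONLY = ("http", "kemp.domain.net", 80)  # the thread's first setup


def parse_response(raw):
    """Return (status_code, location_or_None) from a raw HTTP/1.1 response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers.get("location")


def _default_port(scheme):
    return 443 if scheme == "https" else 80


def reachable_via_vip(location, frontend):
    """True only if the redirect target is the VIP itself on the scheme/port it serves.

    A Location that names a back-end host, or a port the VIP is not listening on,
    sends the browser around the load balancer and fails the way the thread describes.
    """
    scheme, host, port = frontend
    u = urlsplit(location)
    target_port = u.port or _default_port(u.scheme)
    return u.scheme == scheme and u.hostname == host and target_port == port


def rewrite_location(location, backends, frontend):
    """Rewrite a Location pointing at a back-end node so it points at the VIP.

    This is the job a reverse proxy does itself, or that the back end does when it
    honours a forwarded-host header. Targets that are not a known back end are left
    untouched so the proxy does not rewrite third-party redirects.
    """
    u = urlsplit(location)
    if u.hostname not in backends:
        return location
    scheme, host, port = frontend
    netloc = host if port == _default_port(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, u.path, u.query, u.fragment))


def check_and_fix(raw, backends, frontend):
    """Return (original_reachable, rewritten_location, rewritten_reachable)."""
    status, location = parse_response(raw)
    if status not in (301, 302, 303, 307, 308) or location is None:
        return True, None, True  # not a redirect: nothing to fix
    fixed = rewrite_location(location, backends, frontend)
    return reachable_via_vip(location, frontend), fixed, reachable_via_vip(fixed, frontend)


if __name__ == "__main__":
    for label, fe in (("VIP on 80/http", FRONTEND_HTTP_ONLY), ("VIP on 443/https", FRONTEND_HTTPS)):
        ok, fixed, fixed_ok = check_and_fix(SAMPLE_RESPONSE, BACKENDS, fe)
        print(f"{label}: original reachable={ok}, rewritten={fixed}, reachable={fixed_ok}")
```

With the VIP on port 80/http, even the rewritten Location is unreachable, because the back end demands https and the VIP does not serve it; that is the state the thread is in before certificates are installed. Once the VIP serves https, the rewritten Location is reachable while the original (back-end name, port 6443) still is not.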
PayneRingling
New Contributor III

I currently have both GIS Servers set to "HTTPS Only", and am using the default self-signed cert that comes with the install. I still get an error in my URL bar when I connect directly via https://gis-s1.domain.net:6443/arcgis/manager that the site is not secure (though I believe this is expected behavior when using a self-signed cert; I'll have to figure out how to get rid of that).

Problem now is....

I can't access https://kemp.domain.net:6443/arcgis/services

It just says the site can't be reached. 

My LB settings are...

GIS-S1 - port 6443

GIS-S2 - port 6443

When I set my LB's virtual IP to listen on 6443, nothing will connect in the KEMP health check monitoring. When I change the LB virtual IP to port 6080 and leave the GIS Servers on 6443, nothing will connect in the KEMP health check monitoring.

When I change all three machines to 6080, the KEMP health check shows them as up and connected. But when trying to connect to the REST Directories, it will automatically redirect it to 6443 and fail. 

Kind of at a confused standstill. The GIS machines are up and running, communicating over 6443 only. When I change the LB to 6443, everything breaks. Do I have to import the GIS Server self-signed certs onto the LB's IIS certificate management console? Is that where the communication failure is?

Thanks!

Edit: It appears I have it working. To be quite honest, I don't know why. Which is worrisome. But it is working.

Edit 2: I figured out the root cause of my problem. I was following this documentation, Using a reverse proxy server with ArcGIS Server—ArcGIS Server Administration (Windows) | ArcGIS Ente..., and specified the X-Forwarded-Host header on the LB as outlined. The moment I removed that, the request went through and I was able to access our ArcGIS Server services, manager, and admin pages without issue. I actually haven't done a single thing that is outlined in the documentation, and I am able to access everything with expected functionality (when I access manager through the LB and drill down to a service-level URL, it is using the LB name in the URL, see image). I'm not sure if that is simply because the LB software I am using is inherently handling that all behind the scenes or what, but it seems to be working.
