In an organization where downtime must be minimized, you can configure your ArcGIS Enterprise deployment to be highly available. For the deployment to be highly available, all components of the deployment, including the portal, must be highly available.
This topic covers configuring the portal component of a highly available deployment. You'll install the Portal for ArcGIS software on two machines, create an ArcGIS Enterprise portal on the first machine, and join the second machine to that portal.
Configuring high availability is an advanced task that requires an extensive understanding of portal administration, scripting, and networking. Before you install and configure a highly available portal, you must configure your organization's load balancer to forward requests to the portal software. Additionally, you need to set up a file server to contain the portal's content directory, and decide how ArcGIS Server will communicate with Portal for ArcGIS. It is recommended that you coordinate with your organization's information technology staff so they understand the requirements for configuring a highly available portal.
This topic primarily covers configuring and upgrading the Portal for ArcGIS component of a highly available ArcGIS Enterprise deployment; however, the ArcGIS Server sites you configure with your highly available portal should also be configured to be highly available, as should the data stores. For an overview and links to documentation for configuring the other components, see Configure highly available ArcGIS Enterprise.
Plan your highly available deployment
There are numerous general patterns that can be used to implement a highly available ArcGIS Enterprise portal. Steps to set up two general architecture patterns are described below.
In both patterns, a load balancer is configured and acts as a gateway to the organization. Users other than administrators will always use the URL defined by the load balancer to access the portal and its items. The portal has two machines to ensure high availability.
The first pattern uses web-tier authentication to secure the portal, which requires the inclusion of ArcGIS Web Adaptor. To maintain high availability, two instances of ArcGIS Web Adaptor are configured, one with each portal machine. Traffic to the portal is routed from the load balancer to ArcGIS Web Adaptor, then to the portal.
In the second pattern, the first load balancer routes traffic directly to the portal. A second load balancer is configured to handle traffic between the portal and one or more ArcGIS Server sites that are federated with the portal.
Both portal machines include system databases that store content information. The portal system database on the first machine replicates changes to the database on the second machine. An index service keeps users and item searches in sync between both machines.
Prerequisites to configure a highly available portal
The following are the components of a highly available portal:
At least one load balancer—This is a third-party component that uses a distribution algorithm to balance network traffic across both portal machines based on demand, helping to enhance the scalability and availability of the portal. It must provide high availability by detecting machine failures and automatically redistributing traffic to the available portal machine. The health check, accessed through the portal administration in ArcGIS REST API, can be used to detect machine failures in the portal. If you use ArcGIS Web Adaptor, the load context name must be the same context as the context for ArcGIS Web Adaptor (for example, https://lb.domain.com/portal if the web adaptor context is portal). A load balancer is optional if you use ArcGIS Web Adaptor as the gateway.
Note:
If you do not use ArcGIS Web Adaptor, ensure that the load balancer context name is only one level deep. For example, you can have a load balancer URL such as https://lb.domain.com/enterprise, but you cannot have a load balancer URL such as https://lb.domain.com/myorg/enterprise.
Two Portal for ArcGIS machines—You need two machines installed with Portal for ArcGIS to configure high availability. These machines must meet the minimum operating system requirements and be configured with the same Portal for ArcGIS account.
ArcGIS GIS Server—Portal for ArcGIS must have a hosting server to run services published to the portal. You can also add items from stand-alone ArcGIS Server sites, or federate other ArcGIS Server sites with your portal to make GIS web services available to others in your portal organization. Using ArcGIS Server with your portal provides many benefits.
A highly available file server—This is a third-party component that stores and shares the portal's content directory. The file directory you select must be accessible by both machines and the account that will be used to run the portal (known as the Portal for ArcGIS account). This can be a local or domain account. If it is a local account, it must exist on both portal machines.
ArcGIS Web Adaptor—This is an optional component in highly available configurations that is placed in front of each portal machine to enforce web-tier authentication. If you're not using web-tier authentication, ArcGIS Web Adaptor is not required. To learn more, see About ArcGIS Web Adaptor.
Caution:
If you plan to use ArcGIS Web Adaptor (IIS) for web-tier authentication, you need to perform some configuration steps in IIS to ensure that ArcGIS Web Adaptor works correctly with your highly available portal deployment. It's recommended that you review the configuration steps in the corresponding section to ensure that your organization can support web-tier authentication in IIS.
Configure the portal
To configure your portal to be highly available, follow these steps:
Note:
To upgrade your highly available portal to 11.2, follow the steps in the Upgrade a highly available portal section below.
- Set up the portal content directory on a file server
- Install and configure the first portal machine
- Install and configure the second portal machine
- Install and configure the first ArcGIS Web Adaptor
- Configure load balancers
- Install and configure the second ArcGIS Web Adaptor
- Configure web-tier authentication in IIS
- Configure a hosting server for your portal
- Federate additional ArcGIS Server sites
Set up the portal content directory on a file server
In a highly available configuration, the portal's content directory is shared between both machines.
- On the file server, create a directory for the portal's content directory, and share it so that it can be accessed by both portal machines. For example, \\share\portal\content.
- Grant the Portal for ArcGIS account Full control level file permissions to the folder.
- Verify that the directory can be accessed by the Portal for ArcGIS account on both machines.
If you need to change the content directory location once your portal has been configured, see Changing the portal content directory.
Install and configure the first portal machine
- Ensure that the firewall rules on the portal machines allow communication over the necessary ports for highly available deployments. Highly available deployments use these ports for communication and synchronization between machines.
- Install Portal for ArcGIS on the first machine. For instructions, see Installing Portal for ArcGIS.
- Open the portal website and create a portal. The URL to the website is formatted https://p1.domain.com:7443/arcgis/home. When you create a portal, you define information and credentials for the initial administrator account and specify the location for the content directory. Ensure that the content directory location can be accessed by both portal machines. The initial administrator is not an operating system account, and
it has no relation to the
Portal for ArcGIS account. To learn more about the Portal for ArcGIS account, see Portal for ArcGIS account. You can change this account by following the instructions in Change the Portal for ArcGIS account.
For your portal to be highly available, the content directory must be placed on a highly available file server.
- When the portal is created, a message stating that the portal will be restarted appears. Click OK.
Install and configure the second portal machine
- Ensure that the firewall rules on the portal machines allow communication over the necessary ports for highly available deployments. Highly available deployments use these ports for communication and synchronization between machines.
- Install Portal for ArcGIS on the second machine. For instructions, see Installing Portal for ArcGIS.
- Open the portal website and join this portal to the one you created on the first machine. The URL to the website is formatted https://p2.domain.com:7443/arcgis/home. You cannot join a portal through ArcGIS Web Adaptor. Ensure that both portal machines are at the same version of Portal for ArcGIS.
- Click Join existing portal.
- Enter the Portal URL for the existing portal you want to join. This URL is formatted https://p1.domain.com:7443.
- Enter an Administrator Username and Administrator Password for the existing portal.
- Click Join.
- Optionally, define the portal's failover properties. A highly available portal checks whether a failure has occurred with the portal machines. You can define the interval in seconds and frequency for checking machine status using the steps below. These properties must be changed on each machine in the portal and must be the same on both machines.
- Go to <installdir>\ArcGIS\Portal\framework\etc and open portal-ha-config.properties.
- Edit the portal.ha.monitor.interval property to set the time between checks. The default is 1 second.
Legacy:
In versions earlier than 10.8, the default interval was 30 seconds. - Edit the portal.ha.monitor.frequency property to define the number of times the check will occur before failover. The default is three.
Legacy:
In versions earlier than 10.8, the default number of checks was five. - Save the portal-ha-config.properties file.
- Restart the portal to pick up the changes.
- Repeat these steps on the second portal machine.
Note:
Use the same failover properties on both portal machines.
Install and configure the first ArcGIS Web Adaptor
If you'll be using web-tier authentication or want to use the web adaptors in your deployment architecture, it's recommended that you install the two ArcGIS Web Adaptor instances, which must be on separate machines. The ArcGIS Web Adaptor can exist on the Portal for ArcGIS machine or on a stand-alone web server. You can only use the instances of ArcGIS Web Adaptor with web server port 443. Using other ports is not supported. If you're not using web-tier authentication, ArcGIS Web Adaptor is not required.
- Install the ArcGIS Web Adaptor on the first web server machine. For instructions, see the installation topic for IIS or Java (Windows).
- Configure the web adaptor on the first web server machine. When specifying the Portal URL parameter, enter the URL of one of the portal machines, for example, https://p1.domain.com:7443. For instructions, see the configuring topic for IIS or Java (Windows).
Note:
You cannot create or join a portal through ArcGIS Web Adaptor. Use the portal website URLs in the format https://portal.domain.com:7443 to create or join the portal.
Configure load balancers
You must configure at least one load balancer with your highly available portal to handle external traffic. If you are setting up web-tier authentication for your portal, it's recommended that you configure a second load balancer to handle internal traffic, such as administrative API requests. You can use ArcGIS Web Adaptor or a third-party load balancer in either location.
The following steps describe how to set up the first load balancer for external traffic:
- If you use ArcGIS Web Adaptor, set the load balancer context name to be the same as the ArcGIS Web Adaptor WebContextURL. If you're not using ArcGIS Web Adaptor, provide a load balancer context name, and configure the load balancer to use it.
- Configure HTTPS on the load balancer.
This is necessary because Portal for ArcGIS requires HTTPS for client communication. Consult the product documentation for your load balancer to learn how to set up HTTPS. The load balancer listener must be configured with a trusted, CA-signed certificate. For more information, see Enable HTTPS on your web server.
- Configure a load balancer to distribute requests to both portal machines (p1.domain.com and p2.domain.com). If appropriate for your deployment, you can also configure a second load balancer for high availability in the communication between your servers and portal.
- In the load configuration, set an X-Forwarded-Host header to the host name of the load balancer. Portal for ArcGIS expects this property to be set in the header sent by the load balancer and will return requests to the load balancer that match the load balancer URL. If you aren't using ArcGIS Web Adaptor with the portal, set the Host header to match the host name of the machine where Portal for ArcGIS is installed. For example, a request to the ArcGIS Portal Directory (https://lb.domain.com/arcgis/sharing/rest) will be returned to the client as the same URL. If the property is not set, Portal for ArcGIS may return the URL of the internal machine where the request was directed (for example, https://p1.domain.com/arcgis/sharing/rest instead of https://lb.domain.com/arcgis/sharing/rest). This is problematic, as clients will not be able to access this URL (commonly noted as a browser 404 error). Also, the client will have access to some information about the internal machine. If you are not using the ArcGIS Web Adaptor, additionally ensure that the load balancer sets the Host header to the machine running Portal for ArcGIS. You can use the Machines API to validate the host name of the Portal for ArcGIS machine.
- If you're not using web-tier authentication, configure the load balancer to distribute requests to port 7443 (HTTPS). By default, Portal for ArcGIS uses this port for communication; you need to include it as part of the configuration. For example, on Apache, the port is specified in the httpd.conf and httpd-ssl.conf configuration files. To learn more, see Ports used by Portal for ArcGIS.
- If you're using web-tier authentication, configure the load balancer to distribute requests to port 443 (HTTPS). You can only use ArcGIS Web Adaptor with this port. Update the health check URL to expect a 401 response from ArcGIS Web Adaptor instead of a 200 response.
- Set the load balancer context name (the WebContextURL property).
- Open a web browser and sign in to the Portal Administrator Directory as an administrator of your organization. The Portal Administrator Directory URL is formatted https://portal.domain.com:7443/arcgis/portaladmin.
- Click System > Properties > Update Properties.
- On the Update System Properties dialog box, insert the following JSON, substituting your own load balancer URL:
{ "WebContextURL": "https://lb.domain.com/arcgis" }
- Click Update Properties.
- Set the privatePortalURL property.
Note:
This property allows federated servers, including the hosting server, to communicate with participating portals. Since federated servers cannot authenticate against a web tier challenge, this URL should provide unauthenticated access. The example below uses port 7443, but the privatePortalURL can be configured to use any port that the load balancer can listen on.- Open a web browser and sign in to the Portal Administrator Directory as a member of the default administrator role in your organization. The Portal Administrator Directory URL is formatted https://portal.domain.com:7443/arcgis/portaladmin.
- Click System > Properties > Update Properties.
- On the Update System Properties dialog box, insert the following JSON, substituting your own load balancer URL:
{ "privatePortalURL": "https://lbprivate.domain.com:7443/arcgis" }
Note:
If the privatePortalURL is different from the WebContextURL, do not set the X-Forwarded-Host header for this URL.
- Click Update Properties.
- Configure the load balancer to use a health check URL. This ensures that the load balancer checks each portal machine to detect whether a machine is unavailable.
Install and configure the second ArcGIS Web Adaptor
If you'll be using web-tier authentication or want to use the web adaptors in your deployment architecture, it's recommended that you install the two ArcGIS Web Adaptor instances, which must be on separate machines. The ArcGIS Web Adaptor can exist on the Portal for ArcGIS machine or on a stand-alone web server. You can only use the instances of ArcGIS Web Adaptor with web server port 443. Using other ports is not supported. If you're not using web-tier authentication, ArcGIS Web Adaptor is not required.
- Install the ArcGIS Web Adaptor on the second web server machine. For instructions, see the installation topic for IIS or Java (Windows).
- Configure the web adaptor on the second web server machine. When specifying the Portal URL parameter, enter the URL of one of the portal machines, for example, https://p1.domain.com:7443. For instructions, see the configuring topic for IIS or Java (Windows).
Note:
You cannot create or join a portal through ArcGIS Web Adaptor. Use the portal URLs in the format https://portal.domain.com:7443 to create or join the portal.
Configure web-tier authentication in IIS
If you have two web adaptors (IIS) behind your load balancer, you need to perform additional configuration steps in IIS to ensure that web-tier authentication works correctly with your highly available portal deployment. For more information about web-tier authentication, see Use Integrated Windows Authentication.
For instructions, see technical article 000012357 on the Esri Support website.
If you don't have two web adaptors (IIS) behind your load balancer, skip this step.
Configure a hosting server for your portal
Portal for ArcGIS requires a hosting server to allow members to perform such tasks as publishing hosted web layers and adding files to Map Viewer or Map Viewer Classic in the portal. A portal can have one hosting server.
To create a highly available ArcGIS Enterprise deployment, the hosting server and any federated server should also be highly available. To learn more, see Configure multiple-machine ArcGIS Server sites. Set up a second load balancer to allow communication between the hosting server and portal to be highly available, and set the GIS Server site as the portal's hosting server.
Review the deployment scenarios for a highly available ArcGIS Enterprise to understand the different configurations for load balancers.
- If you set up a second load balancer, it will send requests directly to port 7443 on both portal machines. Ensure that the load balancer is configured to recognize the context used in the URL. Additionally, configure the URL to send requests to the Server machines
In the example in step 5 above, the context was set to arcgis, so the load balancer context name must be arcgis; for example, https://lbprivate.domain.com:7443/arcgis.
- Federate the ArcGIS Server site with your highly available portal.
- Configure the server as the portal's hosting server
Federate additional ArcGIS Server sites
You have the option to federate additional GIS Server sites with the portal, or federate other ArcGIS Server sites, such as ArcGIS GeoAnalytics Server, ArcGIS GeoEvent Server, and ArcGIS Image Server. These additional sites can use the second load balancer to communicate with the portal.
Upgrade a highly available portal
Follow the steps in the sections below to upgrade a highly available portal to 11.2. You will install the 11.2 software on both portal machines first, then start the upgrade process on either machine. Upgrade Portal for ArcGIS outlines additional considerations when upgrading your deployment to 11.2
Install Portal for ArcGIS on both machines
To begin the upgrade of your highly available portal, install Portal for ArcGIS 11.2 on both portal machines. You can run the upgrade process for both machines simultaneously.
Continue portal upgrade
When Portal for ArcGIS 11.2 has been installed on both machines, continue the upgrade. This will take a few minutes to complete.
- Open the portal website on either portal machine, provide the path to your current license file, and choose Continue portal upgrade. The URL of the portal website is formatted https://portal.domain.com:7443/arcgis/home.
- When the upgrade completes, a message appears stating that the portal will be restarted. Click OK.
- Once the portal has restarted and is accessible, sign in to either the home or portaladmin endpoint and run the post-upgrade operation. These steps include upgrading ArcGIS Living Atlas of the World content, re-indexing content, and updating the association between portal machines in a highly available portal.
Note:
After the upgrade is complete, run the postupgrade operation on the same machine (primary or standby) where the upgrade operation was initiated. You can then run a health check on both machines.
Replace root certificates
If you upgraded from Portal for ArcGIS 10.3 or 10.3.1 and your portal was configured to trust the certificates between the primary and secondary portal machines, you must import the certificate again to both the primary and secondary portal machines after you upgrade.
If you upgraded from Portal for ArcGIS 10.4, 10.4.1, or 10.5 and your portal was configured to trust the certificates between the primary and secondary portal machines, you must import the certificate again to the secondary machine after you upgrade.
Install and configure web adaptors
If you use ArcGIS Web Adaptor, follow the steps below to install and configure new web adaptors with the portal.
Note:
If you are upgrading from version 10.3 or 10.3.1 and used a load balancer in front of your highly available portal, unregister the web adaptors configured with the portal, and update the system properties to add a WebContextURL property pointing to the load balancer URL.
- Install ArcGIS Web Adaptor 11.2 on a web server machine. For instructions, see the installation topic for IIS or Java (Windows).
- Configure the Web Adaptor with the portal. When specifying the Portal URL, enter the URL of one of the portal machines, for example, https://p1.domain.com:7443. This URL will be used to discover both of the machines in the highly available configuration and to register them with ArcGIS Web Adaptor. For instructions, see the configuring topic for IIS or Java (Windows).
- Install the second ArcGIS Web Adaptor and configure it with your portal, as in the previous two steps.
Upgrade remaining ArcGIS components
Upgrade the remaining ArcGIS components in your deployment to 11.2.
- ArcGIS Server (run the 11.2 setup to upgrade)
- ArcGIS Data Store (run the 11.2 setup to upgrade)