ArcGIS Server installation at 10.5.1 is very similar to installation at 10.4 and will be a familiar process for many.
The following is a high-level overview of some of the more important system and hardware requirements of ArcGIS Server 10.5. Consult the official ArcGIS Server 10.5 online documentation for further information and an exhaustive list of all requirements.
ArcGIS Server is supported on Windows Server 2012 R2 Standard and Datacenter; Windows Server 2012 Standard and Datacenter; Windows Server 2008 R2 Standard, Enterprise, and Datacenter; and Windows Server 2008 Standard, Enterprise, and Datacenter. Flavors of Windows 10, 8.1, and 7 are also supported for basic testing and application development only, not for production environments. Throughout this book, we will focus on ArcGIS Server on Windows.
ArcGIS GIS Server, GeoEvent Server, Image Server, or Business Analyst for Server are recommended to have 8 GB of RAM per unique license role in a production environment. ArcGIS Server requires a minimum of 10 GB of available disk space.
ArcGIS Server requires several ports be open to allow communication with machines both externally on the internet and internally on an intranet. The following ports need to be allowed on your firewall:
- HTTP port
6080. - HTTPS port
6443: If HTTPS is enabled, ArcGIS Server uses port6443by default. - Ports
4000-4002: These ports are used for communication between ArcGIS Servers. - Internally used ports: Other ports such as
1098,6006,6099, and others are used by ArcGIS Server to start processes with each ArcGIS Server machine. These ports do not have to be open for access by other machines.
ArcGIS Server comes preconfigured with a self-signed secure socket layer (SSL) certificate. Although not required, it is highly recommended that you purchase and install an SSL certificate from a trusted certificate authority (CA) or a local domain CA. SSL provides encryption of sensitive information (such as usernames and passwords for logging in to ArcGIS Server and Portal) and authentication to ensure that information is being sent where it is intended to go, and not to an imposter. The downside to SSL is that certificates do cost money, but at the time of this writing, SSL certificates can be purchased for around $70 USD, a small price to pay for peace of mind for you and your end users. See the SSL certificate installation section, discussed later in this chapter, for more information.
For the latest system requirements, please consult the ArcGIS Enterprise online help.
There are several ways that ArcGIS Enterprise can be deployed. These range from simple single-machine deployments to more complex multi-machine scenarios. Prior to ArcGIS Enterprise 10.5, a base deployment consisted primarily of ArcGIS Server and the ArcGIS Web Adaptor. At 10.5, a base deployment consists of the four main components of ArcGIS Enterprise--ArcGIS Server, Portal for ArcGIS, ArcGIS Data Store, and ArcGIS Web Adaptor, all working together.
In a single-machine deployment, all components of ArcGIS Enterprise are installed in one single machine, either physically or virtually. This means the one machine acts as a database server, application server, and web server. This is a minimalist configuration that can be used in a production environment, but it is better suited for a testing or development environment. For the purposes of this book, we will use a single-machine deployment in Amazon Web Services. In a minimalist, conceptual form, a single-machine deployment would look like the following diagram:
Esri recently released ArcGIS Enterprise Builder, which provides a simple installation and configuration experience for a base ArcGIS Enterprise single-machine deployment.
The multi-machine, or multi-tiered (where each machine is a tier), is the most common deployment scenario. Here, each component of ArcGIS Enterprise is installed on a separate virtual or physical machine. This means that there is a separate machine for each of the following:
- ArcGIS Web Adaptor (web server)
- Portal for ArcGIS
- ArcGIS Server
- ArcGIS Data Store
- Enterprise geodatabase
Note
If absolutely necessary, Portal and the Web Adaptor can reside on one server, with ArcGIS Server and Data Store on another. Bear in mind that, for performance reasons, this is not what is recommended for production environments.
Although more complex than the single-machine deployment, the multi-tiered deployment allows for isolation of the different components and distribution of the workload. A multi-machine configuration would conceptually look like the following diagram:
Note
Hardware virtualization, utilized today by even the smallest of organizations, makes having and utilizing a multi-tiered deployment feasible.
Within the multi-tiered deployment, it is possible to have multiple ArcGIS Server machines functioning as a single logical unit. These servers operate in conjunction with the ArcGIS Web Adaptor to form a collective unit referred to as an ArcGIS Server site. Within a site, all ArcGIS Servers share the same configuration store and ArcGIS Server directories. Once configured, the site can be administered from any of the servers within it. For more information on ArcGIS Enterprise deployment scenarios, consult the online documentation.
In addition to hosting ArcGIS Enterprise within your own infrastructure, whether it is on physical or virtual hardware, ArcGIS Enterprise can also run in the cloud. Esri supports ArcGIS Enterprise deployments on Amazon Web Services and Microsoft Azure. Standing up your ArcGIS Enterprise instance in the cloud offers several advantages to traditional on-premise deployments, such as:
- Ease of setup: Get an account set up and you can have a server up and running in just a few minutes.
- Maintenance: You don't have to maintain hardware infrastructure.
- Scalability: Machines can be added and removed as necessary, allowing you to distribute workloads for increased performance. Resources such as hard drives, CPUs, and memory can be easily scaled up as needed. Adding machines may require additional licensing depending on your licensing terms.
With Amazon Web Services (AWS), there are several options available for launching ArcGIS Enterprise architectures.
Through the AWS Marketplace (https://aws.amazon.com/marketplace), you can purchase an Amazon Machine Image (AMI) with ArcGIS Enterprise that can be easily deployed from your AWS account. Using the Marketplace, you purchase an AMI and then launch it as a virtual machine through the AWS Management Console:
CloudFormation is an AWS service that utilizes infrastructure as code to let you define architectures for the services you want to set up and utilize. Esri provides sample AWS CloudFormation templates that you can use to configure ArcGIS Server or ArcGIS Enterprise deployments for AWS. These template architectures vary in complexity, ranging from a simple single machine, ArcGIS Enterprise Deployment to a disaster recovery-ready configuration of multiple ArcGIS Enterprise deployments in two different AWS regions. See the ArcGIS Enterprise online documentation on AWS CloudFormation and ArcGIS for more information.
ArcGIS Server Cloud Builder is an Esri application that allows you to build and maintain a simple to complex ArcGIS Server site on AWS. With Cloud Builder, you can build, maintain, access, and backup your site, all from the Cloud Builder interface. It is perfect for those without cloud experience wanting to stand up infrastructure on AWS.
For the adventurous and those preferably with AWS experience, the AWS Management Console (AWS Console) can be used to administer any facet of the entire AWS ecosystem. From the AWS Console, you can stand up servers, manage security, view billing information, and add or remove any piece of AWS architecture to or from your system. With a manual deployment, you are responsible for planning, creating, and deploying all the machines in your site; setting up storage; configuring and managing security; and installing and configuring all components of ArcGIS Enterprise. For the purpose of this book, a single-machine deployment will be utilized in AWS, configured completely manually.
As with AWS, there are options for using Azure to deploy ArcGIS Enterprise.
Much like the AWS Marketplace, in the Azure Marketplace, you can search for a wide variety of preconfigured, readily available machines ready to be purchased and easily launched in the Azure cloud. The following is an example of an ArcGIS Enterprise machine available for purchase in the Azure Marketplace:
ArcGIS Enterprise Cloud Builder for Microsoft Azure is an application provided by Esri that you can use to deploy ArcGIS Enterprise and ArcGIS Server standalone sites on the Azure platform. With Cloud Builder for Azure, you can complete tasks, such as deploying ArcGIS Enterprise, adding sites to your deployment, installing an SSL certificate, adding a data store, and managing machines in your deployment.
The ArcGIS Server installation process is straightforward. With a little planning and preparation, things can go smoothly.
Before starting the installation of ArcGIS Server, there are a few items to acquire:
- An authorization file for ArcGIS Server. Get this from https://my.esri.com.
- ArcGIS Server setup program. Get this from https://my.esri.com.
ArcGIS Server runs as a Windows service on the application server. All Windows services have an operating system service account that they run under; the ArcGIS Server default service account is a local account called arcgis, and it is commonly referred to as the ArcGIS Server account. The default local arcgis account is sufficient for development or testing environments, but Esri recommends using a domain account for production environments. If your organization uses a domain account, try to get the account set so that the password never expires. If your organization has security policies in place that require password expirations, determine when your ArcGIS Server account password will expire, and set a calendar reminder in advance. Once the password expires, the ArcGIS Server service will not be able to start and your ArcGIS Server site will be down. Always use a strong password, such as one generated at https://xkpasswd.net. To update the (expired) password, run the Configure ArcGIS Server Account Utility located in the Windows Start menu. See Chapter 10, Troubleshooting ArcGIS Enterprise Issues and Errors for more information on troubleshooting and issues with permissions and the ArcGIS Server account.
If you will be utilizing an SSL certificate with your ArcGIS Server site, which is the recommended practice, Esri recommends installing this first before the installation of ArcGIS Server. The acquisition and installation of SSL certificates are quite often not well understood by GIS professionals. This is understandable, as SSL certificates are usually handled by systems administrators. That said, your systems administrator may indeed handle all aspects of SSL certificates within your organization, so contact them first before proceeding with purchasing one yourself. Regardless, let's demystify the process of acquiring and installing SSL certificates.
Requesting and purchasing an SSL certificate is not as scary as it may seem. Armed with the knowledge of the process, it can be done in a few hours spread out over a few days in most cases.
Requirements
To acquire a basic SSL certificate, a few items are necessary:
- Web server access
- An account with a certificate authority
- A domain name and unique IP address
First, you will need administrative access to the web server that the ArcGIS Web Adaptor will be installed on. For our purposes here, we will be using IIS 8.5 on Windows Server 2012 R2. SSL certificates can, of course, be installed on any flavor of web server. See your web server's documentation for details on SSL certificate installation. Secondly, you, or someone in your organization, will need an account with a certificate authority, such as Digicert, GoDaddy, or Entrust, through which you will apply for and purchase the certificate. Again, check with your systems administrator before proceeding with the purchase of any SSL certificates. Finally, you will need a unique IP address and domain name to go along with it.
Getting the certificate
The first step in acquiring an SSL certificate is the generation of a certificate signing request or CSR. A CSR is a block of encoded text generated on the server where the certificate will be installed; it contains information that will be included in the certificate, such as the organization and domain name. Think of CSR as a digital signature for your server. To generate a CSR in IIS, follow these steps:
- Launch IIS, select the machine name in the left
Connectionsmenu, then double-click onServer CertificatesinFeatures View:
- In the right
Actionsmenu, click onCreate Certificate Request...:
- Fill out the
Distinguished Name Properties, being careful to match these items (especially theOrganizationname) to those of theWHOISrecord for your domain name. Click onNext:
- For
Cryptographic Service Provider Properties, selectMicrosoft RSA SChannel Cryptographic Providerwith aBit lengthof2048; these are typical industry standards:
Specify a name and location for your CSR text file, as shown in the following screenshot:
- Open your CSR in a text editor; it will look like the following screenshot:
The second step in acquiring an SSL certificate is to purchase the certificate from the certificate authority, or CA. All CAs are different, but the process is the same in principle. First, log in to your account and purchase your SSL certificate. There are different options, so research them and find out which is best for your needs. Next, purchase your certificate. After you make the purchase, it will be available to you in your account.
The final step in this process is to apply your CSR to the certificate in your account. Here, you are requesting the certificate with the certificate signing request from your web server--this will bind the SSL certificate to your server, ensuring your end users that the site they are going to is indeed your site. After a successful request of the certificate from the CA, you will be able to download the certificate as a ZIP file.
On your web server, you are now ready to install your SSL certificate. Launch IIS and complete the following steps:
- In the
Connectionspane, select your server. Next, inFeatures View, double-click onServer Certificates. Finally, in theActionspane, click onComplete Certificate Request...:
- Enter the path to your
.crtSSL certificate, then enter the friendly name (your domain name) and select thePersonalcertificate store:
- Your SSL certificate is now installed on your web server and should be listed in the
Server Certificatespane, as shown here:
Next, you need to bind your server's IP address and host header to port 443 with your SSL certificate. This is done through the Site Bindings settings in IIS. Again, open IIS and complete the following steps:
- In the
Connectionsleft pane, select your website. In the rightActionspane, selectBindings...:
- In the
Site Bindingswindow, you will more than likely only have one binding for port80onhttp. Click onAdd:
- Add a binding for
Type:https,IPAddress:AllUnassigned,Port:443. Select yourSSLcertificatefrom the SSL certificate dropdown, as shown in the following screenshot, and then click onOK:
Your SSL certificate is now bound to port 443. In a browser, navigate to your site over https; in my case, it is https://www.masteringageadmin.com:
Now that your SSL certificate is in place and you have your software authorizations and installers from Esri, it is finally time to install ArcGIS Server. The installation of ArcGIS Server is a straightforward process; as such, we will walk through the process at a high level, while highlighting some of the more important sections:
- Double-click on the setup executable to launch it. The first step is to choose a location for setup installation files. This typically defaults to a path such as
C:\Users\Administrator\Documents\ArcGIS 10.5. It is good practice to change this to a temp directory such asC:\temp\ags. Why, you ask? During this step of the installation, several very large.cabfiles (compressed files containing the installation pieces for ArcGIS Server), totaling almost 2 GB in size, are extracted to setup installation location. If you leave this location as the default, you will be placing almost 2 GB of files in the profile directories of the user running the installation. By storing them in a known location such asC:\temp, these files are more likely to get cleaned up and not be left sitting around needlessly on your system:
- After the extraction of the installation files, check the checkbox to launch the setup program and click on
Close. - Accept the license agreement and click on
Next. - Choose features and the location in which to install them. Select all features (the default). The default installation directory for ArcGIS Server is
C:\Program Files\ArcGIS\Server. However, some organizations, as a best practice, often have additional drives on servers to house application installs and data. If you have the option, it is a best practice to keep the ArcGIS Server installation off the operating system drive and installed on a secondary drive. This helps mitigate risks such as having an oftentimes relatively small operating system drive fill up and cause performance issues. To change the installation location, click on theChange...button and simply change the drive letter in the folder name path:
- If you changed the installation location to another drive for ArcGIS Server, do the same for the Python installation by simply changing the drive letter.
Next, we come to the setup of the ever-important ArcGIS Server account. The ArcGIS Server account was discussed earlier in this chapter. If you will be using an existing domain account, enter it as domain\user along with the proper password. If you will be using a local account, you can stick with the default name of arcgis or change it. Remember to use a strong password, and it must meet the Windows password requirements. If you have previously saved a configuration file during a previous ArcGIS Server installation and would like to use the same account to run ArcGIS Server, you can use that here to avoid entering the ArcGIS Server account information:
- Next, you can optionally save a configuration file to use in later installations of ArcGIS Server. These configuration files can be useful to allow someone to do an installation without needing to know the ArcGIS Server account credentials, performing multiple installations of ArcGIS Server in a multi-server environment, or just to keep on hand in case of disaster recovery.
- After you have specified ArcGIS Server account, the process will continue and install ArcGIS Server. Once finished, you will need to authorize your software.
Once the ArcGIS Server installation is completed, the Software Authorization Wizard launches. You can authorize with an authorization file you downloaded from https://my.esri.com, or authorize by email or additional extensions through the wizard.
Using an authorization file from https://my.esri.com is usually the easiest and most common method of authorization. To authorize with an authorization file, follow these steps:
- Select the
I have received an authorization file and am now ready to finish the authorization processradio box. Navigate to and select your provisioning file (.prvc), and then click onNext:
- Select
Authorize with Esri now using the Internet.
- When using a provisioning file, your
Authorization Informationshould fill in for you, as this was entered when the license was provisioned on https://my.esri.com. If not, fill in the contact and organizational details. Click onNext. - Continue by entering the organization information.
- Your software authorization number, commonly referred to as an ECP number, will get populated from your provisioning file. Click on
Next. - Next, you can authorize extensions for which you have licensing or authorize trial extensions for evaluation copies of several ArcGIS Server extensions.
- Finally, your authorization information is sent to Esri and your software is authorized. Click on
Finish.
Once ArcGIS Server is installed and authorized, you need to either create a new ArcGIS Server site or join an existing ArcGIS Server site. When you open ArcGIS Server Manager, the web-based ArcGIS Server administration panel, for the first time, you will be prompted to create a new site or join an existing site. An ArcGIS Server site is a deployment of ArcGIS Server.
If you are installing ArcGIS Server on a single application server, or you are doing the first of several installations in a multi-machine environment, then you will create a new site:
To begin, go to https://localhost:6443/arcgis/manager in a web browser. There is also an installed shortcut on the Start menu called ArcGIS Server Manager:
- Step one of setting up an ArcGIS Server site is to create the Primary Site Administrator (PSA) account. This account is often referred to as the
siteadminaccount, as that is the default username, which most people utilize. This is not an operating system account, nor is it the same as the ArcGIS Server account (this is often a point of confusion). Thesiteadminaccount has unrestricted access to the ArcGIS Server site. You can name this account differently, or you can disable it once you have configured other administrative accounts. Regardless, choose a very strong password for this account, enter it, and click onNext. - Specify your root server directory and configuration store (config store) locations. These will default to
D:\arcgisserver\directoriesandD:\arcgisserver\config-storerespectively, with the drive letter matching the drive you installed ArcGIS Server onto. In single-machine deployments, it is common to keep the config store and root directory on a local drive. With a multi-machine ArcGIS Server setup, all machines in the site share a configuration store, so it needs to be accessible by all machines. This is typically accomplished by using a network share for the config store. - Click on
Finishto create your ArcGIS Server site. You may now login to your new ArcGIS Server site with yoursiteadmincredentials.
In a multi-machine ArcGIS Server configuration, once the first server in the site is stood up and an ArcGIS Server site is configured there, you will add subsequent ArcGIS Server machines to that first site. This process is referred to as joining to an existing site. Before joining an ArcGIS Server machine to an existing site, make sure it meets the following criteria:
- Ensure that the machine to join is running the same operating system as the other machines in the site. It is best practice to have all site machines running on the same hardware and operating system.
- The ArcGIS Server version of the joining machine must match that of the other site machines, and it must be running under the same license.
- The joining machine must be able to read and write to the site's configuration store and server directories, and it must be running ArcGIS Server under the same ArcGIS Server account as all other machines on the site.
Note
In this scenario, the ArcGIS Server account can be a local account with the exact same name and password on all site machines, but it is highly recommended to use a domain account for the ArcGIS Server account in a multi-machine setup.
- The joining machine must be able to communicate with all other site machines through the required ArcGIS Server ports.
- The joining site must be able to read any data referenced by any machines in the site.
To join a new ArcGIS Server machine to an existing ArcGIS Server site, follow these steps:
- Open ArcGIS Server Manager by going to
https://localhost:6443/arcgis/managerfrom the machine to be joined, or use the Start menu shortcut calledArcGIS Server Manager.
Note
If you are prompted to login instead of being presented with the option to create or join an existing site, then this machine is already either its own ArcGIS Server site or it has been joined to another site.
- Click on
Join an existing site. - Enter the fully qualified domain name (FQDN) to the ArcGIS Server site you want to join this machine to. This should follow the format of
https://machinename.domain.com:6443/. - Enter in administrator credentials of the site you are joining to. This is typically
siteadmin, but could be any other administrator credentials as well. - If you have more than one cluster on your main site, then choose the cluster to join to. Otherwise, you will join the new machine to the default cluster.
- Review your selected configuration and click on
Finishto join the machine to the site.
The ArcGIS Web Adaptor is one of the four components of ArcGIS Enterprise. Running in your existing website, the Web Adaptor forwards requests to your ArcGIS Server machines, typically forwarding incoming traffic on port 443 to 6443 and 80 to 6080. In addition, the Web Adaptor keeps track of the ArcGIS Server machines on your site and forwards and distributes traffic to only currently participating machines. The Web Adaptor also allows you to do the following:
- Expose your ArcGIS Server through your standard website and port by leaving off the default port
6080(or6443, if using SSL) - Block the ArcGIS Server Administrator Directory and ArcGIS Server Manager from external viewers outside of your network
- Use web-tier authentication, such as Integrated Windows Authentication, to secure your ArcGIS Server
The Web Adaptor can be installed in your ArcGIS Server application machine, but is often put in an existing web server or a web server dedicated to GIS services.
The ArcGIS Web Adaptor comes as a separate installer that you can download from http://my.esri.com.
The Web Adaptor for ArcGIS is supported on IIS 10 on Windows Server 2016 Standard and Datacenter 64-bit and Windows 10 Pro and Enterprise; IIS 8.5 on Windows Server 2012 R2 Standard and Datacenter and Windows 8.1 Pro and Enterprise; IIS 8 on Windows Server 2012 Standard and Datacenter; and IIS 7.5 on Windows Server 2008 R2 Standard, Enterprise, and Datacenter and Windows 7 Ultimate and Professional. Windows 10, 8.1, and 7 are also supported for basic testing and application development only, not for production environments.
The ArcGIS Web Adaptor installation process is quick and easy:
- Double-click on the installation executable to launch it.
- Select a location to unpack the installation files to; a known temporary location is best for easy cleanup later.
- After the installation files are unpacked, launch the setup program.
- The ArcGIS Web Adapter for IIS requires certain components of IIS to be installed. At 10.5, there is a verification step in the installer that will detect what components are missing, and it will install them for you. Click on
I Agreeto install the missing IIS components, if any:
- Click on
Nextand agree to the license agreement. - Select a port to install the Adaptor to. Since we installed and configured our SSL certificate already, port
443is available to us. Select port443and click onNext:
- Specify the name of the ArcGIS Web Adaptor for your ArcGIS Server instance. The default here is
arcgis. This is an important step in the process, as the Adaptor name will be in your services URL; for example,https://www.masteringageadmin.com/arcgis/rest:
- Click on
Installto begin the installation and click onFinishwhen done.
Once the Web Adaptor for the ArcGIS installation process is complete, the configuration page should open in your default web browser (https://localhost/arcgis/webadaptor). To configure the Web Adaptor for ArcGIS Server, do the following:
Note
There is also a Web Adaptor shortcut in the Windows Start menu named ArcGIS Web Adaptor - <web-adaptor name> (port), such as ArcGIS Web Adaptor - arcgis (443).
- First, select the product to configure with the Web Adaptor. Here, we are configuring the Web Adaptor for ArcGIS Server. Later, we will also configure a Web Adaptor for Portal for ArcGIS. When we get to the Portal Web Adaptor configuration later, this configuration page will tell us that a server IS configured with our Web Adaptor. Here, select
ArcGIS Serverand click onNext:
Next is the final and main configuration page.
- Enter your
ArcGIS Server URL. This is the URL to any one of the ArcGIS Server machines in your ArcGIS Server site (remember that all the machines in a site function together as one). The URL should take the form ofhttps://gisserver.domain.com:6443orhttp://gisserver.domain.com:6080if you do not have SSL in place. Here, my ArcGIS Web Adaptor server is not on a domain, so my URL takes the form of my machine name, that is,https://WIN-25FPFGEMUA9:6443:
- Enter your primary site administrator account credentials or the credentials of another administrative account.
- Finally, choose whether or not to allow administrative access to your ArcGIS Server site through the Web Adaptor. Esri recommends disabling administrative access, but there are considerations, which are as follows:
- If disabled, administrators cannot access ArcGIS Server Manager and the ArcGIS Server Administrator Directory through the Web Adaptor URL. More importantly, ArcGIS Desktop users cannot establish administrative or publisher connections to ArcGIS Server, meaning publishers cannot publish services directly from their desktops (user connections can still be made regardless of this setting). However, if ArcGIS Server's internal URL is accessible, these connections can be made from there.
- If your ArcGIS Server will be configured with web-tier authentication (more on that later), you must enable administration through the Web Adaptor, allowing administrative and publisher users in the enterprise identity store to publish services from ArcGIS Desktop.
- Click on
Configureto continue. When the Web Adaptor configuration is successful, you will be presented with the following message telling you that your server is successfully configured with the Web Adaptor:
Note
For a secure production environment, it is not recommended to allow administrative access through the same Web Adaptor used to host the REST services. Rather, install a second Web Adaptor with administrative access enabled through the Web Adaptor, possibly on an internal server that is only accessible to local users. This configuration ensures that public users are not presented with the option to access the ArcGIS Server Manager application. If an internal server is not available, a second Web Adaptor with additional security applied to it (Integrated Windows Authentication) that only publishers/administrators have access to can be installed on the same server.
Once the Web Adaptor is successfully configured, you can access your ArcGIS Server site without the port number, such as http://www.masteringageadmin.com/arcgis/rest/services.