In an organization where downtime must be minimized, configure your ArcGIS Enterprise deployment to be highly available. For the deployment to be highly available, all components of the deployment, including the portal, must be highly available. This topic covers configuring the portal component of the deployment. To configure a highly available portal, install the Portal for ArcGIS software on two machines. Create the portal on the first machine, and join the second machine to that portal.
Configuring high availability is an advanced task that requires an extensive understanding of portal administration, scripting, and networking. Before you install and configure Portal for ArcGIS, you must configure your organization's load balancer to forward requests to the portal software. Additionally, you need to set up a file server to contain the portal's content directory, and decide how ArcGIS Server will communicate with Portal for ArcGIS. Esri recommends that you coordinate with your organization's information technology staff so they understand the requirements for configuring a highly available portal.
In this architecture, a load balancer or reverse proxy server is configured and acts as a gateway to the organization. If you intend to use web-tier authentication, ArcGIS Web Adaptor is required. The web adaptor can also be the gateway if your web server is highly available. Otherwise, you can configure a second web adaptor. In this case, the load balancer must be configured with the portal before you configure the web adaptor. If you're not using web-tier authentication, ArcGIS Web Adaptor is not required.
Both portal machines include system databases that store information about content. The portal system database on the first machine replicates changes to the database on the second machine. An index service keeps users and item searches in sync between both machines.
In most cases, you'll use at least one GIS Server site, configured as the portal's hosting server. Esri recommends that you use the load balancer to distribute requests between the portal and the hosting server. This ensures that requests from the GIS Server site are sent to the portal in a highly available fashion. If you are using the load balancer as the gateway and you don't want to use it for internal communication with the hosting server as well, you can add a second load balancer that is only available internally. If you are using ArcGIS Web Adaptor as the gateway, all public traffic is handled by the web adaptor, and all internal traffic is handled by the added load balancer that's directly in front of the two portal machines balancing to port 7443.
Note that this topic primarily covers configuration and upgrading the Portal for ArcGIS component of a highly available ArcGIS Enterprise deployment, but the ArcGIS Server sites you configure with your highly available portal should also be configured to be highly available as should the data stores. Configure highly available ArcGIS Enterprise provides an overview and links to documentation for configuring the other components.
Prerequisites to configure a highly available portal
The following are the components of a highly available portal:
Load balancer—A third-party component that uses a distribution algorithm to balance network traffic across both portal machines based on demand, helping to enhance the scalability and availability of the portal. It must provide high availability by detecting machine failures and automatically redistributing traffic to the available portal machine. The health check accessed through the Portal administration API can be used to detect machine failures within the portal. If you use ArcGIS Web Adaptor, the load context name must be set to be the same context as the context for ArcGIS Web Adaptor (for example, https://lb.domain.com/portal if the web adaptor context is portal). A load balancer is optional if you use ArcGIS Web Adaptor as the gateway.
Note:
If you do not use ArcGIS Web Adaptor, be sure that the load balancer context name only goes one level deep. For example, you can have a load balancer URL such as https://lb.domain.com/enterprise, but you cannot have a load balancer URL such as https://lb.domain.com/myorg/enterprise.
Highly available file server—A third-party component that stores and shares the portal's content directory. The file directory you select must be accessible by both machines and the account that will be used to run the portal (known as the Portal for ArcGIS account). This can be a local or domain account. If it is a local account, it must exist on both portal machines.
Two Portal for ArcGIS machines—You'll need two separate machines installed with Portal for ArcGIS to configure high availability. These machines must meet the minimum operating system requirements and be configured with the same Portal for ArcGIS account.
ArcGIS Web Adaptor—An optional component included with Portal for ArcGIS that you can use to provide web-tier authentication. If you're not using web-tier authentication, ArcGIS Web Adaptor is not required. To learn more, see About ArcGIS Web Adaptor.
ArcGIS GIS Server—Portal for ArcGIS needs a hosting server to run services published to the portal. You can also add items from stand-alone GIS Server sites or federate other ArcGIS Server sites with your portal to make GIS web services available to others in your portal organization. Using ArcGIS Server with your portal provides many benefits as described in About using your server with Portal for ArcGIS.
Caution:
If you plan to use ArcGIS Web Adaptor (IIS) for web-tier authentication, you'll need to perform some complex configuration steps in IIS to ensure the web adaptor works correctly with your highly available portal deployment. It's recommended you review the configuration steps in Step 7 to ensure your organization can support web-tier authentication in IIS.
Configure the portal
To configure your portal to be highly available, follow these steps.
Note:
To upgrade your highly available portal to 10.7, follow the steps in the upgrade section of this topic.
- Set up the portal content directory on a file server.
- Install and configure the first portal machine.
- Install and configure the second portal machine.
- If using web-tier authentication, install and configure ArcGIS Web Adaptor.
- Configure a load balancer.
- Install and configure the second ArcGIS Web Adaptor.
- Configure web-tier authentication in IIS.
- Federate a GIS Server site with your portal and designate it as the hosting server.
Step 1: Set up the portal content directory on a file server
In a highly available configuration, the portal's content directory is shared between both machines. You must set up the content directory so that it is accessible by both machines and the account that will be used to run the portal (known as the Portal for ArcGIS account). This can be a local or domain account. If it is a local account, it must exist on both portal machines.
- On the file server, create a directory for the portal's content directory, and share it so that it can be accessed by both portal machines. For example, \\share\portal\content.
- Grant the Portal for ArcGIS account Full control level file permissions to the folder.
- Verify that the directory can be accessed by the Portal for ArcGIS account on both machines.
If you need to change the content directory location once your portal has been configured, see Changing the portal content directory for details.
Step 2: Install and configure the first portal machine
- On the first portal machine, ensure that ports 5701-5703, 7005, 7099, 7654, 7120, and 7220 are allowed by your firewall and not currently in use by another application. Highly available deployments use these ports for intermachine communications and synchronization.
- Install Portal for ArcGIS on the first machine. For full instructions, see Installing Portal for ArcGIS.
- Open the portal website and create a portal. The URL to the website is formatted https://p1.domain.com:7443/arcgis/home. When you create a portal, you define information and credentials for the initial administrator account and specify the location for the content directory. Ensure that the content directory location can be accessed by both portal machines. The initial administrator is not an operating system account, and
it has no relation to the
Portal for ArcGIS account. To learn more about the Portal for ArcGIS account, see the Portal for ArcGIS account. You can change this account by following the instructions in Changing the Portal for ArcGIS account.
Note that for your portal to be truly highly available, the content directory must be placed on a highly available file server.
- When the portal is created, you'll see a message stating that the portal will be restarted. Click OK.
Step 3: Install and configure the second portal machine
- On the second portal machine, ensure that ports 5701-5703, 7005, 7099, 7654, 7120, and 7220 are allowed by your firewall and not currently in use by another application. Highly available deployments use these ports for intermachine communications and synchronization.
- Install Portal for ArcGIS on the second machine. For full instructions, see Installing Portal for ArcGIS.
- Open the portal website and join this portal to the one you created on the first machine. The URL to the website is formatted https://p2.domain.com:7443/arcgis/home. You cannot join a portal through ArcGIS Web Adaptor. Ensure that both portal machines are at the same version of Portal for ArcGIS.
- Click Join existing portal.
- Enter the Portal URL for the existing portal you would like to join. This URL is formatted https://p1.domain.com:7443.
- Enter an Administrator Username and Administrator Password for the existing portal.
- Click Join.
- Optionally, you can define the portal's failover properties. A highly available portal checks to see if a failure has occurred with the portal machines. You can define the interval in seconds and frequency for checking machine status using the steps below. These properties must be changed on each machine in the portal and must be the same on both machines.
- Go to <installdir>\ArcGIS\Portal\framework\etc and open portal-ha-config.properties.
- Edit the portal.ha.monitor.interval property to set the time to wait between checks. The default is 30 seconds.
- Edit the portal.ha.monitor.frequency property to define the number of times the check will take place before failover. The default is 5 times.
- Save the portal-ha-config.properties file.
- Restart the portal to pick up the changes.
- Repeat these steps on the second portal machine.
Note:
Use the exact same failover properties on both portal machines.
Step 4: Install and configure ArcGIS Web Adaptor
If you'll be using web-tier authentication, you're required to install and configure ArcGIS Web Adaptor. You can only use the web adaptor with web server ports 80 and 443. Using different ports is not supported. If you're not using web-tier authentication, ArcGIS Web Adaptor is not required.
- Install ArcGIS Web Adaptor on a web server machine. For full instructions, see the installation topic for IIS or Java (Windows).
- Configure the web adaptor with the first portal machine. When specifying the Portal URL, enter the URL of one of the portal machines, for example, https://p1.domain.com:7443. For instructions, see the configuring topic for IIS or Java (Windows).
Note:
You cannot create or join a portal through the web adaptor. Use the portal website URLs in the format https://portal.domain.com:7443 for creating the portal and for joining the portal.
Step 5: Configure a load balancer for the portal machines
- If you use a web adaptor, set the load balancer context name to be the same as the web adaptor context. If you're not using a web adaptor, choose the load balancer context name you want, and configure the load balancer to use it.
- Configure HTTPS on the load balancer. This is necessary as Portal for ArcGIS requires HTTPS for some communication. Consult the product documentation for your load balancer to learn how to set up HTTPS.
- Configure your load balancer to distribute requests to both of your portal machines (p1.domain.com and p2.domain.com).
- In the load configuration, set an X-Forwarded-Host header. Portal for ArcGIS expects to see this property set in the header sent by the load balancer and will return requests to the load balancer that match the load balancer URL. For example, a request to the Portal for ArcGIS REST endpoint (https://lb.domain.com/arcgis/sharing/rest) will be returned to the client as the same URL. If the property is not set, Portal for ArcGIS may return the URL of the internal machine where the request was directed (for example, https://p1.domain.com/arcgis/sharing/rest instead of https://lb.domain.com/arcgis/sharing/rest). This is problematic, as clients will not be able to access this URL (commonly noted as a browser 404 error). Also, the client will have access to some information about the internal machine.
- If you're not using web-tier authentication, configure the load balancer to distribute requests to ports 7080 (HTTP) and 7443 (HTTPS). By default, Portal for ArcGIS uses these ports for communication; you'll need to include these ports as part of the configuration. For example, on Apache, the ports are specified in the httpd.conf and httpd-ssl.conf configuration files. To learn more, see Ports used by Portal for ArcGIS.
- If you're using web-tier authentication, configure the load balancer to distribute requests to ports 80 (HTTP) and 443 (HTTPS). You can only use ArcGIS Web Adaptor with web server ports 80 and 443. Using different ports is not supported. Update the health check URL to expect a 401 response from the web adaptor instead of a 200 response.
- Set the load balancer context name (the WebContextURL property).
- Open a web browser and sign in to the ArcGIS Portal Directory as an administrator of your organization. The ArcGIS Portal Directory URL is formatted https://portal.domain.com:7443/arcgis/portaladmin.
- Click System > Properties > Update Properties.
- On the Update System Properties dialog box, insert the following JSON, substituting your own load balancer URL.
{ "WebContextURL": "https://lb.domain.com/arcgis" }
- Click Update Properties.
- Set the privatePortalURL property.
- Open a web browser and log in to the ArcGIS Portal Directory as a member of the default administrator role in your portal organization. The ArcGIS Portal Directory URL is formatted https://portal.domain.com:7443/arcgis/portaladmin.
- Click System > Properties > Update Properties.
- On the Update System Properties dialog box, insert the following JSON, substituting your own load balancer URL.
{ "privatePortalURL": "https://lbprivate.domain.com:7443/arcgis" }
Note:
Do not set the X-Forwarded-Host header for this URL.
- Click Update Properties.
- Configure the load balancer to use a health check URL. This ensures the load balancer checks each portal machine to detect if a machine is unavailable.
Step 6: Install and configure the second ArcGIS Web Adaptor to achieve web server tier high availability
The second web adaptor can only be configured if the portal already has the WebContextURL property configured.
- Install ArcGIS Web Adaptor on a web server machine. For full instructions, see the installation topic for IIS or Java (Windows).
- Configure the web adaptor with the portal. When specifying the Portal URL, enter the URL of one of the portal machines, for example, https://p1.domain.com:7443. For instructions, see the configuring topic for IIS or Java (Windows).
Step 7: Configure web-tier authentication in IIS
If you have two web adaptors (IIS) behind your load balancer, you'll need to perform additional configuration steps in IIS to ensure web-tier authentication works correctly with your highly available portal deployment. For more information about web-tier authentication, see Use Integrated Windows Authentication with your portal.
For full instructions, see technical article 000012357 on the Esri Support website.
If you don't have two web adaptors (IIS) behind your load balancer, skip this step.
Step 8: Configure a hosting server for your portal
Portal for ArcGIS requires a hosting server to allow members to perform such tasks as publishing hosted web layers and adding CSV files to Map Viewer in the portal website. A portal can have one hosting server.
Set up a second load balancer to allow communication between the GIS Server and portal to be highly available, and set the GIS Server site as the portal's hosting server.
- Configure a second load balancer following the steps in Step 5. The load balancer will send requests directly to port 7443 on both portal machines. Be sure the load balancer is configured to recognize the context used in the URL.
In the example in step 5, the context was set to arcgis, so the load balancer context name must be arcgis; for example https://lbprivate.domain.com:7443/arcgis.
- Follow the instructions in Federate an ArcGIS Server site with your portal to federate the server with your highly available portal deployment.
- Follow the instructions to configure this as the portal's hosting server.
Step 9: Federate additional ArcGIS Server sites
You have the option to federate additional GIS Server sites with the portal, or federate other ArcGIS Server sites, such as ArcGIS GeoAnalytics Server, ArcGIS GeoEvent Server, or ArcGIS Image Server sites. These additional sites can use the second load balancer (the one you configured in Step 8) to communicate with the portal.
Upgrade a highly available portal
Follow the steps in the sections below to upgrade a highly available portal to 10.7. You will install the 10.7 software on both portal machines, then start the upgrade process on either machine.
Note:
The upgrade process for highly available portals has been simplified at 10.7.
Run installer on both machines
To begin the upgrade of your highly available portal, install Portal for ArcGIS 10.7 on both portal machines. You can run the upgrade process for both machines simultaneously.
Continue portal upgrade
When the installer has been run on both machines, continue the upgrade. This step will take a few minutes to complete.
- Open the portal website on either the first or the second portal machine, provide the path to your current license file, and choose to Continue portal upgrade. The URL of the portal website is formatted https://portal.domain.com:7443/arcgis/home.
- When the upgrade completes, you'll see a message stating that the portal will be restarted. Click OK.
Upgrade ArcGIS Living Atlas of the World
The last step to take when upgrading your highly available portal is to upgrade your ArcGIS Living Atlas of the World content.
While signed in as an administrator, go to Organization > Settings > ArcGIS Online. Within the Configure Living Atlas Content section, click Upgrade Content. Do not close the ArcGIS Online page until the portal finishes upgrading the ArcGIS Online content.
Click Save to return to the Organization page. If your portal was not configured to access Living Atlas content, this step is not needed.
Replace root certificates
If you upgraded from Portal for ArcGIS 10.3 or 10.3.1 and your portal was configured to trust the certificates between the primary and secondary portal machines, you'll need to import the certificate again to both the primary and secondary portal machines after you upgrade.
If you upgraded from Portal for ArcGIS 10.4, 10.4.1, or 10.5 and your portal was configured to trust the certificates between the primary and secondary portal machines, you'll need to import the certificate again to the secondary machine after you upgrade.
Install and configure Web Adaptors
If you use ArcGIS Web Adaptor, follow the steps below to install and configure new web adaptors with the portal.
Note:
If you are upgrading from version 10.3 or 10.3.1 and used a load balancer in front of your highly available portal, unregister the Web Adaptors configured with the portal, and update the system properties to add a WebContextURL property pointing to the load balancer URL.
- Install ArcGIS Web Adaptor version 10.7 on a web server machine. For full instructions, see the installation topic for IIS or Java (Windows).
- Configure the web adaptor with the portal. When specifying the Portal URL, enter the URL of one of the portal machines, for example, https://p1.domain.com:7443. For instructions, see the configuring topic for IIS or Java (Windows).
- Install the second ArcGIS Web Adaptor and configure it with your portal, as in the above two steps.
Upgrade remaining ArcGIS components
Upgrade the remaining ArcGIS components in your deployment to 10.7.
- ArcGIS Server (run the 10.7 setup to upgrade)
- ArcGIS Data Store (run the 10.7 setup to upgrade)
Tip:
Upgrade Portal for ArcGIS outlines additional considerations when upgrading your deployment to 10.7.