The federation process links an ArcGIS Server site with ArcGIS Enterprise to extend the capabilities of your organization and to automatically share the server site's content with it.
To achieve a base deployment of ArcGIS Enterprise, you must federate an ArcGIS GIS Server site and configure it as the hosting server.
If you have an existing standalone ArcGIS Server site that you are considering federating with the portal, review the following:
- When you federate a server with your portal, the portal's security store controls all access to the server. This provides a convenient sign-in experience but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions. Before federating, review the information in Administer a federated server to learn more about how federating will impact your existing site.
- Services that exist on the ArcGIS Server site at the time of federation are automatically added to the portal as items. These items are owned by the portal administrator who performs federation. After federation, the portal administrator can reassign ownership of these items to existing members as desired. Any subsequent items you publish to the federated server are automatically added as items on the portal and are owned by the user who publishes them.
Prerequisites
When federating a server site with your portal, the versions must match in most cases. It is supported to federate a server site at a prior version when the server site is one of the following:
- An ArcGIS GIS Server site that is not designated as the hosting server site. The hosting server site must match the version of the portal.
- An ArcGIS Image Server site that is not designated as a Raster Analytics site or Image Hosting site. Raster Analytics and Image Hosting sites must match the version of the portal.
Note:
Retired software versions are not guaranteed to be compatible with new versions. When federating ArcGIS GIS Server or ArcGIS Image Server sites at prior versions, the version must be supported per the product lifecycle policy to receive technical support.
To federate successfully, the ArcGIS Server site must have direct network access to your portal over port 7443. A forward proxy cannot be configured to manage or direct network traffic between the server and portal.
Federating with a server that uses web-tier authentication (IWA, PKI client-certificate authentication, and so on) is supported. The only requirement for this process is that the administration URL must not use web-tier authentication. Normally this is accomplished by specifying the URL over port 6443, https://gisserver.example.com:6443/arcgis. During federation, a warning message may be returned, indicating that the services URL cannot be validated. This is expected when the services URL uses web-tier authentication.
Add a server site
When you add a server site to your organization, you are federating it with the portal. A server that has been added to your organization is known as a federated server. To add a server site, complete the following steps:
- Ensure the TLS certificate in the administration URL is trusted by your organization or contains the URL hostname.
When federating an ArcGIS Server, the TLS certificate used in the administration URL must either be fully trusted by your organization or contain the URL hostname as either the common name (CN) or subject alternative name (SAN). If either of these conditions is not met, the federation process will fail.
An example scenario would be an administration URL that uses a wildcard certificate signed by a certificate authority that is not well-known, like a domain CA. As the URL hostname is typically not included as a SAN in a wildcard certificate, your organization must trust the CA that signed the certificate. As a result, the root, and intermediate certificate if it exists, must be imported into your organization before federating.
- Sign in to your ArcGIS Enterprise organization as a default administrator or custom role with administrative privileges to manage server settings.
You must connect to the website through the Web Adaptor URL (such as https://webadaptorhost.example.com/webadaptorname/home). Do not use the internal URL on port 7443.
- Click Organization at the top of the site and click the Settings tab.
- Click Servers on the left side of the page.
- Click Add server site.
- On the Federate server site page that appears, provide the following information:
- Services URL—The URL used by external users when accessing the server site composed of a scheme, host, and single-level context. It should follow the same rules as the organization's URL. If the site includes the Web Adaptor, the URL includes the Web Adaptor address, for example, http://webadaptorhost.example.com/webadaptorname. If you've added ArcGIS Server to your organization's reverse proxy server, the URL is the reverse proxy server address (for example, http://reverseproxy.example.com/myorg). If your organization requires HTTPS for all communication, use https instead of http. Note that the federation operation will perform a validation check to determine whether the provided Services URL is accessible from the server site. If the validation check fails, a warning will be generated in the portal logs. However, federation will not fail if the Services URL is not validated, as the URL may not be accessible from the server site, such as is the case when the server site is behind a firewall.
- Administration URL—The URL used for accessing the server site when performing administrative operations on the internal network. The Administration URL format depends on the type of server being added:
- GIS, Image, Workflow Manager, GeoEnrichment, or Knowledge Server—https://server.example.com:6443/arcgis
- Notebook Server—https://notebookserver.example.com:11443/arcgis
- Mission Server—https://missionserver.example.com:20443/arcgis
Note:
If you federate with a multimachine site or highly available ArcGIS Server, or if your ArcGIS Server is hosted in a cloud environment, use the Web Adaptor or load balancer URL in this field instead. The Administration URL setting must be a URL that the portal can use to communicate with all servers in the site, even when one of them is unavailable. If you use a web adaptor for this URL, ensure that you have enabled administrative access to the server through the web adaptor.
- Username—The username of the primary site administrator account that was used to initially sign in to and administer the server site. If this account is disabled, you must reenable it.
- Password—The password of the primary site administrator account.
- Click Next to federate your server site.
Federating the server site may take some time to complete.
- Optionally, on the Configure server role page, use the toggle button to select the server role you want to configure on your federated server site.
You can configure multiple server roles on your server site as long as the site meets the requirements for the server role. If requirements are not met, click Requirements missing for more information or review the requirements for the desired server role. If you do not want to configure a server role, you can skip this step by clicking Done. You can configure a server role at a later time using the configure server role option on a federated server site.
- Click Save server role.
The server site has been federated with your portal and, if selected, configured with a server role or roles. The server site will be listed in the Federated server sites section of the Servers page.
Considerations after federating
Once the server site is federated with the organization, you'll use a URL such as https://gisserver.example.com:6443/arcgis/manager to sign in to ArcGIS Server Manager. If the site includes multiple machines or a Web Adaptor was used for the Administration URL, users with the correct permissions can access Server Manager over the Administration URL defined during federation. You'll be required to supply the name and password of the portal account. To learn more about differences you'll encounter when working with a federated server, see Administer a federated server.
After federating your server site, you may also want to do the following:
Configure one of your federated servers as a hosting server—This allows your users to publish hosted layers. They can do this from the portal or ArcGIS Pro.
When you specify a hosting server for your portal, the hosting server's print service is automatically configured with the portal. You'll only need to start and share the print service to use it in the portal. However, if you've previously configured a print service with your portal, the URL is not updated when specifying a hosting server. You'll need to start the service, share the service, and configure it as a utility service.
Disable the primary site administrator account—This is not necessary for all sites, but it can provide an extra measure of security by forcing all users to use portal accounts and tokens.