Federate a server site
Federation enables ArcGIS Enterprise servers to extend the capabilities of your organization and automatically share the server site's content with it.
To achieve a base deployment of ArcGIS Enterprise, you must federate an ArcGIS GIS Server site and configure it as the hosting server.
If you have an existing standalone ArcGIS Server site that you are considering federating, review the following:
When you federate a server, the portal's security store controls all access to the server. This provides a convenient sign-in experience but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by organization members, roles, and sharing permissions.
Note:
Before federating, review the information in Administer a federated server to learn more about how federating will impact your existing site.
Services that exist on an ArcGIS Server site at the time of federation are automatically added to the organization as items. These items are owned by the organization administrator who performs federation. After federation, the administrator can reassign ownership of these items to existing members as desired. Any subsequent items you publish to the federated server are automatically added as items in the organization and are owned by the user who publishes them.
Prerequisites
When federating a server site, it is recommended to use the same software version that is used by other components in your base deployment.
Mixed operating system deployments are supported. However, WebGISDR backup and restore operations require all ArcGIS Enterprise components to run on the same operating system when a file system backup location is used. When a cloud storage location is used for WebGISDR backups, deployments that span multiple operating systems are supported.
To federate an ArcGIS Server site successfully, it must have direct network access to your portal over port 7443. A forward proxy cannot be configured to manage or direct network traffic between the server and portal.
Federating with a server that uses web-tier authentication (IWA, PKI client-certificate authentication, and so on) is supported. The only requirement for this process is that the administration URL must not use web-tier authentication. Normally this is accomplished by specifying the URL over port 6443, for example, https://gisserver.example.com:6443/arcgis. During federation, a warning message may be returned, indicating that the services URL cannot be validated. This is expected when the services URL uses web-tier authentication.
Add a server site
When you add a server site to your organization, you are federating it with the organization. A server that has been added to your organization is known as a federated server. To add a server site, complete the following steps:
Ensure the TLS certificate in the administration URL is trusted by your organization or contains the URL hostname.
When federating an ArcGIS Server, the TLS certificate used in the administration URL must either be fully trusted by your organization or contain the URL hostname as either the common name (CN) or subject alternative name (SAN). If either of these conditions is not met, the federation process will fail.
An example scenario would be an administration URL that uses a wildcard certificate signed by a certificate authority that is not well-known, like a domain CA. As the URL hostname is typically not included as a SAN in a wildcard certificate, your organization must trust the CA that signed the certificate. As a result, the root certificate, and the intermediate certificate if one exists, must be imported into your organization before federating.
Sign in to your ArcGIS Enterprise organization as a default administrator or custom role with administrative privileges to manage server settings.
You must connect to the website through the Web Adaptor URL (such as https://webadaptorhost.example.com/webadaptorname/home). Do not use the internal URL on port 7443.
Click Organization at the top of the site and click the Settings tab.
Click Servers on the left side of the page.
Click Add server site.
On the Federate server site page that appears, provide the following information:
Services URL—The URL used by external users when accessing the server site composed of a scheme, host, and single-level context. It should follow the same rules as the organization's URL. If the site includes the Web Adaptor, the URL includes the Web Adaptor address, for example, http://webadaptorhost.example.com/webadaptorname. If you've added ArcGIS Server to your organization's reverse proxy server, the URL is the reverse proxy server address (for example, http://reverseproxy.example.com/myorg). If your organization requires HTTPS for all communication, use https instead of http. Note that the federation operation will perform a validation check to determine whether the provided Services URL is accessible from the server site. If the validation check fails, a warning will be generated in the portal logs. However, federation will not fail if the Services URL is not validated, as the URL may not be accessible from the server site, such as is the case when the server site is behind a firewall.
Administration URL—The URL used for accessing the server site when performing administrative operations on the internal network. The Administration URL format depends on the type of server being added:
GIS, Image, Workflow Manager, GeoEnrichment, or Knowledge Server—https://server.example.com:6443/arcgis
Notebook Server—https://notebookserver.example.com:11443/arcgis
Mission Server—https://missionserver.example.com:20443/arcgis
Video Server—https://videoserver.example.com:21443/arcgis
Data Pipelines Server—https://datapipelinesserver.example.com:14443/arcgis
Note:
If you federate with a multimachine site or highly available ArcGIS Server, or if your ArcGIS Server is hosted in a cloud environment, use the Web Adaptor or load balancer URL in this field instead. The Administration URL setting must be a URL that the portal can use to communicate with all servers in the site, even when one of them is unavailable.
Username—The username of the primary site administrator account that was used to initially sign in to and administer the server site. If this account is disabled, you must reenable it.
Password—The password of the primary site administrator account.
Click Next to federate your server site.
Federating the server site may take some time to complete.
Optionally, on the Configure server role page, use the toggle button to select the server role you want to configure on your federated server site.
You can configure multiple server roles on your server site as long as the site meets the requirements for the server role. If requirements are not met, click Requirements missing for more information or review the requirements for the desired server role. If you do not want to configure a server role, you can skip this step by clicking Done. You can configure a server role at a later time using the configure server role option on a federated server site.
Click Save server role.
The server site has been federated and, if selected, configured with a server role or roles. The server site will be listed in the Federated server sites section of the Servers page.
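The certificate condition in the first step of this procedure can be checked before you start. The Python sketch below is an added example, not Esri code: it classifies a certificate against the two conditions (hostname present as CN or SAN, or CA trusted by the organization). The function names, the sample certificates, and the ca_trusted_by_portal flag are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
HOST_CERT = {"subject": ((("commonName", "gisserver.example.com"),),),
             "subjectAltName": (("DNS", "gisserver.example.com"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
ADMIN_URL = "https://gisserver.example.com:6443/arcgis"

def fetch_cert(host, port, cafile=None):
    """Fetch the certificate live; the chain is verified against cafile, the name is not."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared below, not by the TLS stack
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """Return the CN and DNS SAN entries, lower-cased."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower().rstrip(".") for n in names]

def wildcard_covers(pattern, host):
    """True when '*.example.com' covers host with exactly one extra left-most label."""
    head, _, tail = host.partition(".")
    return pattern.startswith("*.") and bool(head) and tail == pattern[2:]

def federation_cert_check(admin_url, cert, ca_trusted_by_portal):
    """Classify the certificate against the two conditions in the certificate step."""
    host = (urlsplit(admin_url).hostname or "").lower().rstrip(".")
    names = cert_names(cert)
    if host in names:
        return "ok-hostname-listed"      # hostname present as CN or SAN
    if any(wildcard_covers(n, host) for n in names):
        # Wildcard only: federation depends on the portal trusting the signing CA.
        return "ok-ca-trusted" if ca_trusted_by_portal else "import-ca-first"
    return "name-mismatch"               # assumption: an uncovered name is reported as a failure

if __name__ == "__main__":
    for cert in (HOST_CERT, WILDCARD_CERT):
        print(federation_cert_check(ADMIN_URL, cert, ca_trusted_by_portal=False))
```

fetch_cert verifies the chain against the bundle you pass on the machine where it runs, which is not the portal's own trust store; a verification error there only tells you the CA is absent from that bundle.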
Considerations after federating
Once the server site is federated with the organization, you'll use a URL such as https://gisserver.example.com:6443/arcgis/manager to sign in to ArcGIS Server Manager. If the site includes multiple machines or a Web Adaptor was used for the Administration URL, users with the correct permissions can access Server Manager over the Administration URL defined during federation. You'll be required to supply the name and password of the portal account. To learn more about differences you'll encounter when working with a federated server, see Administer a federated server.
After federating your server site, you may also want to do the following:
Configure one of your federated servers as a hosting server—This allows your users to publish hosted layers. They can do this from the organization or ArcGIS Pro.
When you specify a hosting server, the hosting server's print service is automatically configured with the organization. You'll only need to start and share the print service to use it. However, if you've previously configured a print service, the URL is not updated when specifying a hosting server. You'll need to start the service, share the service, and configure it as a utility service.
Disable the primary site administrator account—This is not necessary for all sites, but it can provide an extra measure of security by forcing all users to use organization accounts and tokens.