Deploying and Tuning ArcGIS Server
Presented by Jim Mason and Eric Miller
ESRI Server Development

Overview
• Tuning
  – Detecting and Analyzing Performance Bottlenecks
  – Accommodating Performance Problems
• Deployment
  – High Availability Configurations
  – Distributed Installations of ArcGIS Server
  – Security Considerations

Presumptions
• Basic understanding of:
  – ArcGIS Desktop.
  – ArcGIS Server architecture and concepts.
  – Web Architectures

ArcGIS Server Case Study
Palm Springs Elevation Transect Geoprocessing Task Service
• Geoprocessing Tool Model
  – Input Line Feature Class
  – Extract elevations at points on the vertices of the input line.
• ADF Web Application
• Extract Elevations
  – Enter a series of points
  – Symbolize the points according to elevation.

ArcGIS Server Case Study
Palm Springs Elevation Transect Geoprocessing Task Service
• ArcMap
• Extract Elevations
  – Enter a series of points
  – Symbolize the points according to elevation.

ADF Geoprocessing Task Resources
• Documentation
  – ArcGIS Desktop Help
  – ArcGIS Server Help
  – ArcGIS Server Developer Help
• ArcGIS Server Development Blog
  – http://blogs.esri.com -> ArcGIS Server Development Blog link.
• EDN Samples
  – ArcGIS Buffer Geoprocessing

ArcGIS Server Case Study
Hardware Environment
[Diagram: Web Server (IIS 6); ArcGIS Server 9.2 Server Object Manager; ArcGIS Server 9.2 Server Object Container]

Predicting Usage by Modeling User Behavior
• 500 users
• 20% peak concurrency
• 100 simultaneous users (20% of 500)
• Users submit requests about once every minute
• 100 transactions/minute = 6,000 transactions/hour

ArcGIS Server: Response time factors
• Four main factors of response time
• Multiple tiers
• Performance bottleneck can occur in each tier
[Diagram: tiers Browser, Web Server, SOM, SOC, SDE; response time factors Transmission Time, Wait Time, Search & Retrieval Time, Usage Time]

Bottlenecks
• Threading
• Memory
• Disk
• CPU
• Network

Bottlenecks
• Threading
  – Service availability
• Memory
• CPU
• Disk
• Network

Pooled Service Model
• State information maintained in web server / browser.
  – Current extent
  – Layer visibility
• Scales better due to shared object pool.

ArcGIS Server – Configuring Pooled Instances
• Define Min-Max instances
• Instances are distributed across all host servers

Optimum number of pooled instances for Dynamic Map Services
• Set instances to level where maximum throughput occurs (usually between 2 and 4 instances per CPU)
[Figure: Throughput (maps/hour) versus number of instances, with the labels "CPU bottleneck" and "N"]

Memory Bottleneck
Palm Springs Elevation Transect
• Deployed 8 instances on 1GB host server
• Memory started paging before CPU was fully utilized
• Options to resolve:
  – Increase memory
  – Reduce number of instances per server
  – Limit capacity on host machines

Setting Capacity
• Limits number of service instances running on a specific host machine.
• Once this limit is reached, Server starts replacing least recently used instances instead of creating new ones.

CPU/Memory Bottleneck
• LSASS
  – Local Security Authentication Server system process (lsass.exe) grows in CPU usage and memory utilization under heavy load.
• Solution:
  – Install ArcGIS Server Service Pack 1 or later.
  – Deploy web services and applications into a new application pool.
  – Change identity of the new application pool to ArcGISWebServices user.
  – Turn off web service/web application authentication.
• Windows_Server_2003 http://support.esri.com/index.cfm?fa=knowledgebase.techarticles.articleShow&d=326320
• Windows_XP http://support.esri.com/index.cfm?fa=knowledgebase.techarticles.articleShow&d=326322

Optimize Your Services
• Dynamic
  – Elevation Transect
  – Roads symbolized by current snow depth
  – Electrical network showing the latest posted work order
  – Geocoding addresses
• Static Layers
  – Elevation TIN
  – Imagery
  – StreetMap
  – Shaded Relief
• The classification is subjective

Best Practices for Geoprocessing Services

Optimizing Geoprocessing Services
General Guidelines
• Simplify Models and data
  – Preprocess steps in advance.
• Use in-memory data
• Use fast-access data (uncompressed).
• Two instances cannot update the same data at the same time.

Best Practices for Dynamic Map Services

Best Practices
General Guidelines
• Show relevant information
  – Start simple (additional layers can be toggled on by user)
  – Use field visibility (hide unnecessary attributes)
• Use scale dependencies
  – Use data appropriate for the given scale (generalize if necessary)
  – Display similar number of features at all scales for consistent user experience

ESRI_Optimized Lines and Polygons
• Outlines for all fills are simple lines instead of cartographic lines
• Picture fills are EMF-based instead of BMP-based
• Improves drawing performance by > 50%
http://webhelp.esri.com/arcgisdesktop/9.2/index.cfm?id=305&pid=297&topicname=Creating_fill_symbols

Best Practices
Text and labeling
• Use annotation instead of labels
• Use indexed fields
• Use label and feature conflict weights sparingly
• Avoid special effects (fill patterns, halos, callouts, backgrounds)
• Avoid very large text size (60+ pts)
• Avoid Maplex for dynamic labeling

Best Practices for Static Map Services

Classic Dynamic Mapping Trade-Off
Quality vs. Speed
• Shaded Relief
• Transparent Layers
• Maplex Labeling
• Standard Labeling
If you can cache your map then no need to trade-off
1.5 seconds    4 seconds

Cached Map Service
• Tiles pre-rendered at fixed scales
• Rapid display of static base maps
• Richer symbols and more information

How Map Caching Works
• You can control:
  – Origin of the tiling scheme in map coordinates
  – Set of scales
  – Image format (PNG, JPG)
  – Tile size (default = 512 x 512)
  – Display resolution in DPI (default = 96)
  – The scale, tile size, and DPI control the pixel resolution in map units at each scale level

How the Map Cache is Stored
• Map services have an associated map cache directory
  – Sub-directory under one of the GIS Server's cache directories
• Association between the map service and the map cache directory is by name
• Accessed from clients using a virtual directory.
  – For ADF clients, anonymous access should be enabled.

How the Map Cache is Stored (continued)
• Map cache directory organization
  • Server Cache Directory
    • Map Cache Directory (Wyoming, SoCal, …)
      • Data Frame (Layers, Study Area, …)
        • Layer (_alllayers, roads, …)
          • Level (L01, L02, L03, …)
            • Row (R00000000, R00000001, …)
              • Tiles (C00000000.png, C00000001.png, …)

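The tiling-scheme parameters and the cache directory layout from the two slides above, worked through in code. This is an added example, not code from the presentation or from ArcGIS Server; it assumes an upper-left tiling origin, map units in meters, zero-based level numbers, and hexadecimal row/column numbers in the file names, and the origin and scale values are constructed.

```python
import math
import re
from dataclasses import dataclass

METERS_PER_INCH = 0.0254
# Names that end up in a path served from an anonymous virtual directory are
# restricted to a conservative character set (no separators, no "..").
_SAFE_NAME = re.compile(r"[A-Za-z0-9_ ]+")


@dataclass(frozen=True)
class TilingScheme:
    """Tiling-scheme parameters named on the slide (sample values are constructed)."""
    origin_x: float               # tiling origin in map coordinates
    origin_y: float               # assumption: origin is the upper-left corner
    scales: tuple                 # scale denominators, level 0 first
    tile_size: int = 512          # pixels per tile edge (slide default)
    dpi: int = 96                 # display resolution (slide default)
    meters_per_unit: float = 1.0  # assumption: projected coordinates in meters

    def resolution(self, level):
        """Map units covered by one pixel at this level."""
        ground_meters_per_inch = self.scales[level] * METERS_PER_INCH
        return ground_meters_per_inch / self.dpi / self.meters_per_unit

    def tile_span(self, level):
        """Map units covered by one tile edge at this level."""
        return self.resolution(level) * self.tile_size

    def tile_for_point(self, level, x, y):
        """Return (row, col) of the tile containing map point (x, y)."""
        span = self.tile_span(level)
        col = math.floor((x - self.origin_x) / span)
        row = math.floor((self.origin_y - y) / span)  # rows count downward
        if row < 0 or col < 0:
            raise ValueError("point lies above or left of the tiling origin")
        return row, col

    def tile_count(self, level, xmin, ymin, xmax, ymax):
        """Number of tiles needed to cover an extent at this level."""
        top, left = self.tile_for_point(level, xmin, ymax)
        bottom, right = self.tile_for_point(level, xmax, ymin)
        return (bottom - top + 1) * (right - left + 1)


def tile_path(map_cache, data_frame, layer, level, row, col, ext="png"):
    """Relative path of one tile below the server cache directory."""
    for name in (map_cache, data_frame, layer):
        if not _SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe path component: {name!r}")
    if min(level, row, col) < 0:
        raise ValueError("level, row and col must be non-negative")
    return "/".join([
        map_cache, data_frame, layer,
        f"L{level:02d}",        # assumption: zero-based, two digits
        f"R{row:08x}",          # assumption: hexadecimal, eight digits
        f"C{col:08x}.{ext}",
    ])


if __name__ == "__main__":
    # Constructed scheme: the scales are the ones listed for StreetMap USA.
    scheme = TilingScheme(-400000.0, 400000.0, (500000, 64000, 32000, 16000))
    level = 3
    span = scheme.tile_span(level)
    print(f"1:{scheme.scales[level]} -> {scheme.resolution(level):.4f} m/pixel")
    row, col = scheme.tile_for_point(level, -400000.0 + 26.5 * span,
                                     400000.0 - 3.25 * span)
    print(tile_path("SoCal", "Layers", "_alllayers", level, row, col))
    # Same extent, 128-pixel tiles: 16 times as many files as with 512.
    small = TilingScheme(-400000.0, 400000.0, scheme.scales, tile_size=128)
    extent = (-400000.0 + 0.1 * span, 400000.0 - 7.9 * span,
              -400000.0 + 7.9 * span, 400000.0 - 0.1 * span)
    print(scheme.tile_count(level, *extent), small.tile_count(level, *extent))
```

The 16-fold difference in tile count between 128 and 512 pixel tiles is the same ratio that shows up in the file counts of the Oahu example later in the deck.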
What Happens During Map Caching
• Data is pre-rendered into large in-memory tiles that are subsequently chopped up to the specified tile size
  – Minimizes the need to squeeze labels into small tile boundaries
  – Tip: remove label offsets

Anti-aliasing
• Tiles are rendered at finer resolution followed by down sampling
  – Smoothes the edges of labels and lines by blending them with the background.
  – The resulting screen display quality is better than standard rendering in ArcMap.

Caching map services that may overlay other services
• Boundaries, Streets, Thematic Polygons
• Use PNG format for Transparency
• Background Color
  – Explicitly define it
  – Use a color not used in Symbology (e.g., RGB(1,2,3))
  – Use dark backgrounds when overlaying anti-aliased lines or labels on imagery

Impact of Tile Size selection
• Larger size produces fewer tiles
  – Less disk space (block size)
  – Faster creation, Easier to manage
• Smaller size
  – Allows partial update of the display
• Example: Oahu

Tile Size   Files   Size on Disk   Creation Time
128x128     311K    1.2 GB         5 hours
512x512     19K     0.2 GB         1 hour

Impact of Scale selection
• StreetMap USA
  – 48 states
  – Cached on 6 dual-CPU servers

Scale     Files   Creation Time
1:500K    4K      2 min
…         …       …
1:64K     0.3M    2 hours
1:32K     1.1M    4.5 hours
1:16K     4.7M    37 hours
Total Size on Disk: 57 GB

Disk Bottlenecks
• Problem: Disk contention
  • Output: Temporary files returned to the user as output
  • Cache: Pre-rendered map and globe tiles.
  • Jobs: Files needed by geoprocessing services
  • Data source
  • Page File
• Solutions
  – Network Attached Storage (NAS)
  – Fast SCSI III drives
  – Fast Network between storage and server.

Network Performance and High Availability Configuration

Scaling Out – Adding More ArcGIS Server Components
[Diagram: Web Server (IIS 6); ArcGIS Server 9.2 Server Object Manager; ArcGIS Server 9.2 Server Object Container]

Distributed Installs:
• The following topics in the online help provide complete instructions for a distributed install:
  – How the GIS Server Works
  – Configuring a Distributed Installation of ArcGIS Server
• The online help can be found at the following URLs:
  – http://webhelp.esri.com/arcgisserver/9.2/dotnet
  – http://webhelp.esri.com/arcgisserver/9.2/java

Distributed Installs:
• Highlights
  – Determine which ArcGIS Server Components to scale to additional machines.
  – Run the required post-installs
  – Add required OS users and groups
  – Configure required server directories

Distributed Installs: Required OS Users and Groups

Distributed Installs: Required Directory Configuration

Distributed Installs: Network Considerations
• If installing in a Workgroup
  – Simple File Sharing must be “Off” on XP.
  – Core ArcGIS Server accounts must be local users.
  – Local Security Policy Setting
    • For “Network access: Sharing and security model for local accounts”, set to “Classic – local users authenticate as themselves”.

Scaling Out – Adding More Computing Power
[Diagram: Web Server (IIS 6); ArcGIS Server 9.2 Server Object Manager; two ArcGIS Server 9.2 Server Object Containers]

Detecting Bottlenecks
• Single user testing is inadequate
• Simulating multiple users
  – Low Tech:
    • Recruit others in the office
  – High Tech: Load simulation tool
    • Web Application Stress Tool (WAST)
    • Application Center Test (ACT)
    • Visual Studio 2005 Team Edition for Testers

Test Strategy for ArcGIS Online
• Static Maps and Globe
• Performance depends on web server's ability to deliver tiles.
• High volume load test
  – Random request for tiles
  – …popular tiles requested more frequently

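One way to build the request list for such a test against your own tile server, as an added example that is not part of the presentation: tiles are given a random popularity rank and drawn with Zipf-like weights, so a few tiles receive most of the requests. The base URL, the tile naming (zero-based level, hexadecimal row and column) and the skew value are assumptions; the script only produces a URL list for a load tool and sends nothing.

```python
import random
from collections import Counter


def tile_url(base_url, level, row, col):
    """URL of one cached tile (naming is an assumption, see lead-in)."""
    return f"{base_url}/L{level:02d}/R{row:08x}/C{col:08x}.png"


def build_request_plan(base_url, level, rows, cols, n_requests,
                       skew=1.0, seed=None):
    """Return (urls, ranked_tiles) for a popularity-weighted tile test.

    ranked_tiles lists every (row, col) from most to least popular.
    The weight of the tile at rank k (1-based) is 1 / k**skew; skew=0
    gives the plain uniform "random request for tiles" case.
    """
    if rows <= 0 or cols <= 0 or n_requests < 0:
        raise ValueError("rows and cols must be positive, n_requests >= 0")
    rng = random.Random(seed)          # seeded so a test run can be repeated
    ranked_tiles = [(r, c) for r in range(rows) for c in range(cols)]
    rng.shuffle(ranked_tiles)          # popularity is not tied to position
    weights = [1.0 / (rank ** skew)
               for rank in range(1, len(ranked_tiles) + 1)]
    picks = rng.choices(ranked_tiles, weights=weights, k=n_requests)
    urls = [tile_url(base_url, level, r, c) for r, c in picks]
    return urls, ranked_tiles


def top_share(urls, n_tiles):
    """Fraction of all requests that go to the n_tiles most requested tiles."""
    if not urls:
        return 0.0
    counts = Counter(urls)
    return sum(count for _, count in counts.most_common(n_tiles)) / len(urls)


if __name__ == "__main__":
    # Constructed target: an 8 x 8 block of tiles on a test host.
    base = "http://gis.example.test/cache/SoCal/Layers/_alllayers"
    urls, ranked = build_request_plan(base, 3, 8, 8, 5000, skew=1.0, seed=7)
    print("distinct tiles requested:", len(set(urls)), "of", len(ranked))
    print(f"share of requests hitting the 6 hottest tiles: "
          f"{top_share(urls, 6):.0%}")
    print("first requests:", *urls[:3], sep="\n  ")
```

Feeding the uniform plan (`skew=0`) and the skewed plan to the same load tool separates raw disk throughput from what the web server and file-system caches absorb for hot tiles.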
Application Center Test

Additional Information
How To: Use ACT to Test Web Services Performance
Improving .NET Application Performance and Scalability
J.D. Meier, Srinath Vasireddy, Ashish Babbar, and Alex Mackman
Microsoft Corporation, May 2004
http://msdn2.microsoft.com/en-us/library/ms979203.aspx

Monitor Statistics and Log Files
• Creation Time
• Wait Time
• Usage Time

Security: Overview
• Server Communications Architecture Overview
• Core Server Security
  – Firewalls
  – Proxy Servers
• Application Security
  – Encryption
  – Authentication
  – Authorization
  – Reverse Proxy Servers

ArcGIS Server Communications Architecture
[Diagram: Clients (Browser, Desktop); Web Server Tier (Manager/Web Services, ADF Web Applications, ArcGIS Server Virtual Directories); App Server Tier (SOM, SOC, SDE). Legend: Plain HTTP and SOAP over HTTP; Binary or SOAP over DCOM; Plain TCP/IP; Special case when Service is a client]

ArcGIS Server Communications Architecture
• SOAP over HTTP between clients and web server tier.
  – There is no direct SOAP transfer between web clients and the application tier.
• SOAP/Binary over DCOM between desktop clients and application server using local connections.
• SOAP/Binary over DCOM between web server tier and application server.
  – Exception: Service is a client to another service.

Core Server Security: Firewalls
• Firewalls between ArcGIS Server components not recommended.
  – Use a DMZ Reverse-Proxy to protect your Server from the internet.
• NAT Firewalls
  – Will not work
    • NAT makes internal IPs inaccessible to external COM clients.
• Non-NAT Firewall
  – Not Recommended
    • Must open range of ports that can quickly become saturated.
  – HowTo: Configure ArcGIS Server for firewalls and NAT devices http://support.esri.com/index.cfm?fa=knowledgebase.techarticles.articleShow&d=28703

Core Server Security: Firewalls
• Windows Firewall
  – Not recommended for server class deployments
  – HowTo: Configure Windows XP SP2 Firewall to work with ArcGIS Server http://support.esri.com/index.cfm?fa=knowledgebase.techarticles.articleShow&d=27798

Core Server Security: Proxy Servers
• ArcCatalog and other ArcGIS Desktop Applications
  – When making connections to ArcGIS Server Servers and Services.

Core Server Security: Proxy Servers
• For ArcGIS Server Application Server Components (SOC)
• When Service is a client
  – Geodatabase service synching
  – Service containing web reference to another service
  – Configure in ArcGIS Server post-install.

Core Server Security: Proxy Servers
• For the .NET Manager web application when it, itself, is a client to web services.
  – Example: Adding web services while authoring a web application
  – Alter Proxy Server settings in IE (IIS applications inherit)

Core Server Security: Proxy Servers
• For the Java Manager web application when it, itself, is a client to web services.
  – Example: When adding web services while authoring a web application
  – Alter Proxy Server settings in the JVM of the embedded Tomcat servlet engine (embedded Tomcat applications inherit)
    • %AGSHOME%/\java\manager\service\jre
    • http://java.sun.com/j2se/1.5.0/docs/guide/net/proxies.html

Web Applications and Services Security
• ADF applications and ArcGIS Server services are standard web applications and services.
• Use standard web application security approaches for:
  – Encryption
  – Authentication
  – Authorization

Web Applications and Services Security
• Encryption (SSL)
  – Install SSL server certificates into ADF and ArcGIS Server Web Services web servers.
    • Instructions available from any Certificate Authority
      – .NET: http://www.digicert.com/ssl-certificate-installation-microsoft-iis-5-6.htm
      – Java: http://www.digicert.com/ssl-certificate-installation-apache.htm
  – Install SSL client certificates into ArcGIS Desktop libcurl store.

Web Applications and Services Security
• Encryption (SSL)
  – Install SSL client certificates into ArcGIS Desktop libcurl certificate bundle.
    • http://curl.haxx.se/docs/sslcerts.html
    • Add path to libcurl certificate bundle in ArcCatalog.

Web Applications and Services Security
• Authentication
  – Basic and Digest
    • Web application server provides framework to authenticate users.
    • Basic is completely unencrypted.
    • Digest is encrypted, but may suffer from different implementations on IIS and Apache.
    • Neither is recommended unless using with SSL.
  – Forms
    • Web application provides authentication for users.
    • Username/password is not encrypted.
    • Not recommended unless using with SSL.

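What Basic and Digest put on the wire, and a check for either scheme being used without SSL. This is an added example, not code from the presentation: the Digest computation follows RFC 2617 with qop=auth, the credentials are the RFC's own published sample values, and the host name and request records are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit


def basic_header(user, password):
    """Authorization header value a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_basic_credentials(header):
    """Anyone who can read the header gets the password back: it is only
    base64-encoded, not encrypted."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """RFC 2617 response value: a keyed MD5 hash, so the password itself is
    never transmitted, but the request is otherwise still in the clear."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def audit_requests(records):
    """Flag Basic or Digest credentials sent to a non-HTTPS URL.

    records: iterable of (url, authorization_header) pairs, e.g. taken from
    a proxy log. Returns (url, scheme, username, exposure) tuples.
    """
    findings = []
    for url, header in records:
        if urlsplit(url).scheme.lower() == "https":
            continue
        scheme = header.split(" ", 1)[0].lower()
        if scheme == "basic":
            user, _ = recover_basic_credentials(header)
            findings.append((url, "Basic", user, "password recoverable"))
        elif scheme == "digest":
            match = re.search(r'username="([^"]*)"', header)
            user = match.group(1) if match else None
            findings.append((url, "Digest", user, "hash and request visible"))
    return findings


# Sample values published in RFC 7617 (Basic) and RFC 2617 (Digest).
RFC_DIGEST = dict(user="Mufasa", realm="testrealm@host.com",
                  password="Circle Of Life", method="GET",
                  uri="/dir/index.html",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  nc="00000001", cnonce="0a4f113b")

# Constructed request records; gis.example.test is a placeholder host.
SAMPLE_REQUESTS = [
    ("http://gis.example.test/mapapp/", basic_header("Aladdin", "open sesame")),
    ("https://gis.example.test/mapapp/", basic_header("Aladdin", "open sesame")),
    ("http://gis.example.test/dir/index.html",
     'Digest username="Mufasa", realm="testrealm@host.com", '
     f'response="{digest_response(**RFC_DIGEST)}"'),
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding)
```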
Web Applications and Services Security
• Authentication
  – Windows integrated (IIS only)
    • Similar to Basic/Digest, but uses a different transmission scheme.
    • IE Users may not be challenged if they are logged into the OS.
    • Only works over intra-net.
  – Client-Cert
    • Uses encrypted certificates to authenticate both server and user.

Web Applications and Services Security
• Authorization
  – User-role mapping
    • Access Control List files
    • Databases
    • web.config
• Single Sign On
  – Combines Authentication and Authorization

Web Applications and Services Security
• Reverse-Proxy Servers
  – Recommended to avoid firewall between ArcGIS Server components.

Web Applications and Services Security
• Reverse-Proxy Servers
  – IIS has no native reverse-proxy server, but many 3rd party solutions exist.
    • Microsoft ISA Server contains a reverse-proxy server (expensive for just a reverse-proxy server)
      – http://www.microsoft.com/isaserver/default.mspx
    • Isapi rewrite (~$70.00)
      – http://www.helicontech.com/download/#isapi_rewrite
    • Write your own:
      – http://www.codeproject.com/aspnet/HTTPReverseProxy.asp

Web Applications and Services Security
• Reverse-Proxy Servers
  – Apache
    • HowTo: Configure ArcGIS Server for the Microsoft .NET Framework to work with a Reverse Proxy. http://support.esri.com/index.cfm?fa=knowledgebase.techarticles.articleShow&d=32634
    • HowTo: Configure ArcGIS Server Java to work with a Reverse Proxy. (Coming Soon)

Summary
• Performance
  – Detecting and Analyzing Performance Bottlenecks
  – Best practices for avoiding Threading, Memory, CPU, Disk and Network bottlenecks.
• Deployment
  – Distributed Installations of ArcGIS Server
  – High Availability Configurations
  – Security

Further questions?
• TECH-TALK AREAS
  – What: Further opportunity to discuss questions and concerns about performance, deployment and security.
  – Where: Tech Talk Area 1, Oasis 3A
  – When: during the next 30 minutes
• ESRI Showcase
• ESRI Developers Network (EDN) website
  – http://edn.esri.com

Session Evaluations Reminder
Session Attendees: Please turn in your session evaluations.
. . . Thank you