
Agenda

• Threat Mitigation and Prevention in ArcGIS Enterprise
• Geodatabase Design Best Practices
• What’s New in ArcGIS Enterprise
• ArcGIS Enterprise Administration Tips
• Upgrading ArcGIS Enterprise
• ArcGIS Enterprise: Road Ahead
Threat Mitigation and Prevention in ArcGIS Enterprise
Security Best Practices for ArcGIS Enterprise
Enable and Use HTTPS

• HTTPS – Hypertext Transfer Protocol Secure
• The first step in setting up an environment should always be to encrypt traffic
• Protects against a simple network sniffer
• HTTPS only by default in 10.7
Disable the Services Directory
• ArcGIS REST Services Directory exposes the web services API in HTML format
• Recommended NOT to expose REST services directory on Production Servers
• ArcGIS Server Administrator Directory
Home > system > handlers > rest > servicesdirectory > edit

Restrict Cross Domain (CORS) Request
• By default, ArcGIS Server allows all cross-domain requests.
Disable Primary Site Administrator (PSA) Account
• Recommended: disable the PSA account to remove an alternate method of administering ArcGIS
Server outside of your enterprise users
Enable HTTPS Communication
• Enforce HTTPS so that all communication in your portal is encrypted
• Set by default in 10.7
Disable ArcGIS Portal Directory (Production Environment)
• Provides a browsable HTML-based representation of all of the portal’s items, services, web maps, and
content
• Recommended: disable this to reduce the chance that your items can be browsed, found in a web
search, or queried through HTML forms.
• Portal Administrator Directory
Home > Security > Config > Update Security Configuration

Restrict Machines Accessible by Portal Proxy
• Portal ships with a built-in proxy server that is used in some scenarios to access resources on
different machines
- Storing credentials (ex. secured services, Online premium services)
- Adding OGC services to Content
- Accessing services from non-CORS systems
How to Restrict Proxies
Disable ‘Create an Account’ on Sign in Page
• Allows any new user to create a new built-in portal account
• Disabled by default in 10.7
Restrict Incoming Cross-Domain (CORS) Requests
• Limits external JavaScript applications making CORS requests to Portal items
• Does NOT restrict overall access to Portal items
SAML access to any ArcGIS Enterprise
• Security Assertion Markup Language (SAML) is an open standard to securely exchange
authentication and authorization data between an enterprise identity provider and a service
provider (in this case, Portal for ArcGIS). The approach used to achieve this is known as SAML
Web Single Sign On.
• Bring secured services together from anywhere
Allow Portal Access
Needed to allow apps on other Portals to authenticate and access secured services hosted on your
Portal
Sharing content by Everyone
Can restrict the ability for users to share items with everyone
Scan Portal for Security Checks
• portalscan.py is a script in the Portal installation directory
Location: <install_directory>\ArcGIS\Portal\tools\security
• Checks for security configuration settings
10.7 – 12 different settings are checked
• Generates HTML report that makes recommendations to improve security
• Categorizes findings based on severity
• Critical
• Important
• Recommended
• Help links provided for each finding
Sample Portal for ArcGIS Security Scan Report
SSL Protocol Configuration
https://www.ssllabs.com/ssites/clients.html

• In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and
used
• Starting at 10.7, new installations of ArcGIS Enterprise will use Transport Layer Security (TLS) 1.2
only
• Only impacts the communication with Portal, Server and Data Store over ports 7443, 6443,
and 2443 respectively
• Protocols used by the web adaptor or load balancer are configured separately
Diagram: Client App connections
- Portal for ArcGIS: TLS 1.0, port 7443
- ArcGIS Server: TLS 1.2, port 6443
- ArcGIS Data Store: port 2443
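
Added example (not from the original slides and not Esri tooling): a Python check that probes ports 7443, 6443 and 2443 one protocol version at a time and reports whether each component still negotiates TLS 1.0/1.1 alongside TLS 1.2. The host name you pass in and the verdict labels are this example's own assumptions.

```python
import socket
import ssl

# Internal ports from the slide above; the host passed in is your own machine name.
ARCGIS_PORTS = {"Portal for ArcGIS": 7443, "ArcGIS Server": 6443, "ArcGIS Data Store": 2443}
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
REQUIRED = ssl.TLSVersion.TLSv1_2


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to `version`.

    Returns "accepted", "rejected", "unreachable" or "client-unsupported".
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # protocol support is tested, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version in LEGACY:
            # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "client-unsupported"      # the local OpenSSL cannot offer this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"
    except (ssl.SSLError, OSError):
        return "rejected"                # TCP connected, but the handshake was refused


def assess(host, ports=ARCGIS_PORTS, probe_fn=probe):
    """Compare every component with the TLS 1.2-only baseline of 10.7."""
    report = {}
    for component, port in ports.items():
        status = {v.name: probe_fn(host, port, v) for v in LEGACY + (REQUIRED,)}
        legacy = [status[v.name] for v in LEGACY]
        if status[REQUIRED.name] == "unreachable":
            verdict = "unreachable"
        elif "accepted" in legacy:
            verdict = "legacy-enabled"   # TLS 1.0/1.1 still negotiable on this port
        elif status[REQUIRED.name] != "accepted":
            verdict = "no-tls12"
        elif "client-unsupported" in legacy:
            verdict = "inconclusive"     # re-run where OpenSSL can still offer TLS 1.0/1.1
        else:
            verdict = "ok"
        report[component] = {"port": port, "status": status, "verdict": verdict}
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        for name, result in assess(sys.argv[1]).items():
            print(f"{name:20} port {result['port']}  {result['verdict']:15} {result['status']}")
```

The web adaptor or load balancer in front of these ports is configured separately, as noted above, so probe its port 443 as its own entry in the ports mapping.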
Geodatabase Design Best Practices
Geodatabase Design - Best Practices

• No Attributed Relationship Classes for Empty Tables
• Use Many to Many Relationship Classes Only When Necessary
• Don’t Use ObjectID as Primary Key for Relationship Classes
• Leverage the existing Data Models
• Select Single Coordinate System
• Create Feature Datasets or Databases for each LOB (Line of Business)
• Integrate Related Feature Class using Topology
• Deploy Necessary Information Models
Process Tools

• X-Ray Add-in
• GDB Diagrammer
• Sparx Systems Enterprise Architect
• Geometric Network Configuration Manager
What’s New in ArcGIS Enterprise
Release Timeline
- 2016: 10.5 (December)
- 2017: 10.5.1 (June)
- 2018: 10.6 (January)
- 2019: 10.7 (March)
- 10.6.1, 10.7.1: June
Relationship style
New smart mapping style

Compares two attributes on a map using color variation


- Which commercial buildings have high occupancy rates and high energy use?
- Which streets had high rates of accidents and low speed limits?
Relationship style Demo
New smart mapping style
Create offline map areas
Support offline field workflows

Create pre-determined map areas to take offline:
- Make it easier and faster to package up and take maps offline
- Update offline areas on a schedule to reflect changes in your web map
- Use in apps built using the Runtime SDK or Collector for ArcGIS
Create offline map areas Demo
Support offline field workflows
GeoAnalytics Server tools and extensibility
Big data processing and analytics

New tools:
- Clip, Dissolve, Merge
- Forest-Based Classification and Regression
- Generalized Linear Regression

New extensibility:
Run Python script
- Leverage pyspark & all subpackages
- Run SQL queries
- Chain tools together
ArcGIS Notebook Server
Host Python notebooks in your infrastructure

A powerful data science platform
- Uses Docker containers to isolate each notebook author’s workspace
- Code with the Python API and ArcPy
- Dynamic mapping and visualization
ArcGIS Notebook Server Sample
Host python notebooks in your infrastructure
Webhooks for automatic notification
Automate notification based on portal actions

What is a Webhook?
A webhook is a new ArcGIS Enterprise capability that automatically
provides other applications with event-driven information (events such as
user actions or messages from other programs), delivered as an HTTPS request
(POST)

10.7 Scope
• Webhooks can only be created, updated and deleted by portal admins
via the ArcGIS Portal Directory (Sharing API)
- Registration and management of webhooks are also supported via the ArcGIS API
for Python

• Webhooks can be created to subscribe to events pertaining to items,
users and groups in Portal for ArcGIS
- For 10.7 these events are primarily create-, update-, and delete-type events
- The REST API doc was updated to document this resource

3 example use cases

- /groups: When someone shares an item to a collaboration group,
notify group members through Slack.

- /items: If the sharing settings are changed for a layer that contains
confidential information, email administrators.

- /users: Once a user is deleted, notify your admin via text.

http://enterprise.arcgis.com/en/portal/latest/administer/windows/create-and-manage-webhooks.htm
Key Terms : Payload
• Once a webhook is triggered, a payload is delivered to the specified payload URL in
JSON format. Each event follows a similar JSON schema with information that is
relevant to the event

• Since all payloads are delivered through an HTTPS request, the webhook receiver
must be configured to communicate over HTTPS and be reachable by the Portal

• There are a number of options for how and where a webhook is received:
- Enterprise SDK sample (Java servlet)
- Third party services: Microsoft Flow, Zapier, or IFTTT
- Custom web servers: Node JS, Python Flask
Webhooks Demo
Automate notification based on portal actions
New for Administration of ArcGIS Server

1 Request ID for server requests
• Each request gets a unique ID
• Query logs using ID for a comprehensive timeline
New for Administration of ArcGIS Server
2 Inactivity properties for server
• Suspend and then unregister inactive machines after a set duration
• Particularly useful for large cloud deployments
New for Administration of ArcGIS Server

3 Jobs Page
• Query the status of geoprocessing jobs in Server Manager
• Select by service, status, age, machine to see the status, start & end time, duration and machine
New in Publishing

1 Publish map services from Pro 2.3 to a standalone (unfederated) ArcGIS Server
• arcpy.sharing module
• Create draft, then share to server
• GUI planned for Pro 2.4

2 Publish OGC services from ArcGIS Pro
• WMS, WFS, WCS, KML
Area of Interest
New option for hosted feature layer views

• Feature definition
• Field definition
• Area of interest

Keeps the connection to the source data while displaying
only what you want to show
Coded value domains
New for hosted feature layers

• Constrain attribute values
• Long-time feature of geodatabases
• Can use permitted values in field applications like Collector for
ArcGIS
• Enforces data integrity and consistency
Coded value domains Demo
New for hosted feature layers
Print Service Enhancements
New at 10.6

• Share a custom print service using Python

1. Author map template in ArcGIS Pro
2. Adapt “Export Web Map” Python code to include templates
3. Run script as GP tool
4. Share the result as a print service
5. Use print service in web apps
Print Service Enhancements
New at 10.7

• Include ArcGIS Pro reports in a print service

1. Author map template in ArcGIS Pro
2. Adapt “Export Web Map” Python code to include templates
3. Run script as GP tool
4. Share the result as a print service
5. Use print service in web apps

Printing from web app outputs the data in your report format
What items can I share using collaborations at 10.7
• Hosted feature layers
• New: Hosted feature layer views (as copies)
• Referenced feature layers
• CSVs, Word documents, Excel files
• Shapefiles
• Tile packages, vector tile packages
• Web maps
• Web scenes
• Map and feature services (via URLs)
• Apps created from configurable app templates
• New: Insights items (workbooks, pages, models, themes)
New for Collaborations
Pause and resume syncs

Pause and resume scheduled data syncs at your own pace


• When you are making ongoing edits, regular edits
• When you are upgrading your system or performing maintenance
• Whenever you want to wait to share data
Sites and Pages

• Tailor the entryway into your GIS
• Display the data that matters most to the users looking for it
• Drag and drop builder
• HTML and CSS options

New at 10.7
• Rich text editing
• Direct upload of images
• Choose an image focal point
• Streamlined UI for adding widgets
New Applications & Products

ArcGIS Excalibur
• Imagery exploitation and management web application

ArcGIS Indoors
• Complete system for indoor mapping used to create a connected workplace

Tracker for ArcGIS
• New mobile and web app for tracking your workforce, improving situational awareness
User Types

• New licensing model for users beginning at 10.7


• Provides the much requested ‘intermediate level’ user
• Each user type has an identity, capabilities and included applications
• Match your licensing to your workflows
User Types Bundles
User Types Included Capabilities and Apps

Capability                               | Viewer | Editor | Field Worker | Creator | GIS Professional
View your team’s private maps and apps   | ✓      | ✓      | ✓            | ✓       | ✓
Use ArcGIS Essentials Apps               | ✓      | ✓      | ✓            | ✓       | ✓
Edit data                                | -      | ✓      | ✓            | ✓       | ✓
Use Field Apps Bundle                    | -      | -      | ✓            | ✓       | ✓
Use Office Apps Bundle                   | -      | -      | -            | ✓       | ✓
Create maps and apps                     | -      | -      | -            | ✓       | ✓
Administer subscription                  | -      | -      | -            | ✓       | ✓
Use ArcGIS Pro                           | -      | -      | -            | -       | ✓


User Types
HTTPS and TLS

• 10.7 will enforce the use of HTTPS and TLS (Transport Layer Security) version 1.2
• On April 16, ArcGIS Online will switch to only supporting TLS 1.2
• Validate your system’s support for TLS v1.2 as soon as possible

Esri support has a page for information, patches and instructions for
updating software
support.esri.com/en/tls
Updated product lifecycle

• Starting at 10.7, ArcGIS Enterprise releases will be either:
- Short term support: 3 years of support including 1.5 years of patches [10.7]
- Long term support: 6 years of support including 1.5 years of patches [10.7]
• All previous versions will remain long term support

• When planning your upgrades, take these into consideration
- Are you updating frequently (every year or two)?
- Or do you need to choose a version and stay there for a longer time period?
ArcGIS Enterprise Administration Tips
Quick Tips
• Always have a back up!
• ArcGIS Data Store, ArcGIS Server, Portal for ArcGIS all have backup & restore
workflows
• Do not unfederate ArcGIS Server from your enterprise portal!
• Have more than one Administrator in your organization
• Take advantage of Enterprise capabilities
• Python API
• REST API
• Distributed Collaboration
• Custom roles
• Webhooks
Upgrading ArcGIS Enterprise
Supported versions

10.7.x will be the last release series to support direct upgrades from 10.2.x
Recommended Order of Upgrade
1. Upgrade Portal for ArcGIS

• You will need your new Portal JSON license file before you can upgrade Portal
Recommended Order of Upgrade
2. Upgrade your Portal’s ArcGIS Web Adaptor
• Take note of the web adaptor context you used at the previous version
• This is the Web Adaptor name (for example ‘arcgis’)
• Uninstall the previous version
• Install the 10.7 Web Adaptor
• Ensure you use the same context you used previously
• Reconfigure the Web Adaptor with your Portal
Recommended Order of Upgrade
3. Upgrade ArcGIS Server
1. In a multi-node site, it is recommended to upgrade one server at a time
2. At 10.7 you can no longer directly upgrade from 10.1

• If you are at 10.1 you will need to first upgrade to an intermediate version
Multi-Cluster Sites
• At 10.7 we no longer support multiple clusters
• During the upgrade, if you have multiple clusters:
• If you do not have the ‘Default’ cluster, this will be created
• All Servers in the site will be moved to the ‘Default’ cluster
• All Services will be moved to the ‘Default’ cluster
• This includes the system and Utility services
• All services will be in a ‘Stopped’ state
• System and Utility services will be in their expected state
• Services will need to be manually started
Recommended Order of Upgrade
4. Upgrade your Server’s ArcGIS Web Adaptor
• Take note of the web adaptor context you used at the previous version
• This is the Web Adaptor name (for example ‘arcgis’)
• Uninstall the previous version
• Install the 10.7 Web Adaptor
• Ensure you use the same context you used previously
• Reconfigure the Web Adaptor with your ArcGIS Server
Recommended Order of Upgrade
5. Upgrade ArcGIS Data Store
• Prior to 10.7 you were required to upgrade the Primary Data Store before you could
upgrade the Standby Data Store
• At 10.7 you are able to upgrade from either the Primary or Standby Data Store
• You will first need to install the setup on all Data Stores
• Relational and TileCache Primary and Standby
• All Spatiotemporal Data stores
• On one of the Data Stores initiate the upgrade
• Starting 10.6 you can no longer perform an uninstall/install upgrade of Data Store
• You will need to perform an in-place upgrade
• To upgrade the spatiotemporal Big Data Store
• Run the installation on each machine in the configuration
• Run the configuration on any machine in the configuration
• The remaining machines are all upgraded automatically
ArcGIS Enterprise: Road Ahead
Interceptors, WebHooks, GeoAnalytics, and Containers
Developer technology: Server Interceptors (server filters)
• Today SOIs are very powerful but come with high development cost and limitations
- Very powerful but also very low-level API
- Only works for Pro-based map services (ArcGIS Enterprise SDK) or ArcMap-based map and
image services (ArcObjects SDK)

• Server Interceptors will be an expansion of the Server Object Interceptor (SOI) pattern

• Intercept any request for any type of service
- Geocoding services
- Hosted feature service

• Java-only and less powerful API with no heavy GIS functionality


Developer technology: WebHooks

• Future plans include support for additional events for future services
- Feature.Created, Feature.Updated, Feature.Deleted, Feature.Edited
- Feature.AttachmentCreated, Feature.AttachmentUpdated, Feature.AttachmentDeleted
- Layer.SchemaChanged, Layer.DefinitionChanged, FeatureService.DefinitionChanged

• Payloads are designed to be skinny to minimize network overhead and for security
reasons
- Information on what happened and enough information to identify what was affected
- E.g. the service name, the layer id, and the OBJECTID of a modified feature

• Recipients are expected to decide how to act and contact the server to fetch
additional information if needed.
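
Added example (not from the original slides and not Esri code): receiver-side triage in Python for the /items use case from the earlier webhook slides, treating the skinny payload as an untrusted hint and building any follow-up request against the receiver's own configured portal. The payload field names (info.portalURL, events[].source, operation, id, username), the operation names, the portal URL and the item ids are assumptions or constructed values.

```python
import json

MAX_BODY = 64 * 1024                                   # payloads are skinny; refuse anything larger
PORTAL_URL = "https://portal.example.test/portal"      # placeholder: your own portal
SECRET_ITEM = "c0ffee00000000000000000000000001"       # constructed item id
CONFIDENTIAL_ITEMS = {SECRET_ITEM}
SHARING_OPS = {"share", "unshare"}                     # assumed operation names

# Constructed sample payload; the field names are an assumption about the schema.
SAMPLE = {
    "info": {"webhookName": "Sharing watch", "portalURL": "https://portal.example.test/portal/"},
    "events": [
        {"source": "item", "operation": "share", "id": SECRET_ITEM, "username": "jdoe"},
        {"source": "item", "operation": "update", "id": "c0ffee00000000000000000000000002",
         "username": "jdoe"},
        {"source": "user", "operation": "delete", "id": "c0ffee00000000000000000000000003",
         "username": "admin"},
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE).encode("utf-8")


def triage(body: bytes):
    """Validate one webhook POST body and return the alerts it warrants.

    Raises ValueError for anything that does not look like a payload from PORTAL_URL.
    """
    if len(body) > MAX_BODY:
        raise ValueError("payload too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("body is not usable UTF-8 JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("payload is not a JSON object")
    info, events = doc.get("info"), doc.get("events")
    if not isinstance(info, dict) or not isinstance(events, list):
        raise ValueError("missing info object or events list")
    # The URL inside the payload is only compared, never requested: follow-up
    # calls go to the configured PORTAL_URL, so a forged payload cannot steer them.
    if str(info.get("portalURL", "")).rstrip("/").lower() != PORTAL_URL.lower():
        raise ValueError("payload names a different portal")
    alerts = []
    for ev in events:
        if not isinstance(ev, dict):
            raise ValueError("malformed event")
        item, op = ev.get("id"), ev.get("operation")
        if not isinstance(item, str) or not isinstance(op, str):
            raise ValueError("malformed event")
        if ev.get("source") == "item" and op in SHARING_OPS and item in CONFIDENTIAL_ITEMS:
            alerts.append({
                "item": item, "operation": op, "by": ev.get("username"),
                # Where the receiver would fetch the current sharing state itself.
                "lookup": f"{PORTAL_URL}/sharing/rest/content/items/{item}?f=json",
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_BODY):
        print("notify administrators:", alert)
```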
GeoAnalytics

• New and enhanced analysis tools


- Time-enabled Build Multi-Variable Grid
- Geographically Weighted Regression

• Spatiotemporal Clustering
- Where are points clustering in space as well as in time?

• Doing R&D into track analysis tools:


- “are assets moving, slowing down?”
GeoAnalytics

• Data Sources
- Vision includes direct read from traditional RDBMS (SQL Server, Oracle, PostgreSQL)
- Accumulo
- Hbase
- Google Cloud Storage
• Developer Story
- At 10.7 we exposed a tool to run custom Python code on your GeoAnalytics Server
- Can use pyspark, chain GeoAnalytics development and extensibility
- Future: Expose this functionality as part of Notebook Server
Deliver ArcGIS Enterprise as a collection of microservices, running on containers,
managed by a standard orchestration fabric
ArcGIS Enterprise: The Next Generation

Design Approach

• Software Delivery
• Containers
• Container orchestration
• Software architecture
• Microservices and Microservers
ArcGIS Enterprise: The Next Generation

Orchestration framework:
Kubernetes (K8s)

• Manage many containers across available nodes


• Scheduling of containers
• Provides high availability
ArcGIS Enterprise: The Next Generation
• Not a replacement for the current generation of the software
• Will continue to develop and release traditional Windows and Linux installers for a long
time to come
• Think of this as support for a third operating system (Kubernetes)

• Initial target audience


• Large organizations with existing Kubernetes knowledge
• New cloud deployments

• Timeline
• Development throughout 2019 and 2020
• Initial release planned for second half of 2020
Introduction to ArcGIS Notebooks

• Integrated Python Jupyter Notebooks


• 2D/3D maps in notebooks
• Docker Notebook Runtime Images
• ArcGIS API for Python, ArcPy, Python open science libraries
• Rich content and tool browsing UX
• Sharing and Collaboration
• Can be configured to take advantage of GPUs
Enterprise Updates

• Multi-node deployment for ArcGIS Notebooks Server


• Support for webGIS DR tool for backup and restore
• AWS CloudFormation template
• More sample
Notebooks as Geoprocessing Services (Webtools)

• Ability to publish Webtools from Notebooks


• Execute notebooks via a Geoprocessing REST API
• Use it with Web AppBuilder and other applications that support WebTools
• Annotate parameters in notebooks that get exposed as WebTools parameters
Data Stores – a quick introduction

• Connections registered with GIS Server


• Used as referencing data for publishing services, perform analysis or used as
output stores for tile caches and raster
• UX via Server Manager, ArcMap and Pro
• Shared with all publishers and administrators in the organization
Quickly Bringing Enterprise Datasets To Web GIS

• Most enterprise datasets are in enterprise geodatabases (and folders)


• Making it easy to bring these datasets into Web GIS
- Searchable
- Usable
- Group-based sharing
• New capability in Portal to easily bulk publish vector datasets as feature layers
- Simple, quick UX
- Keep in sync
Registering Data Stores in Portal

• Modern UX to register data stores via Portal application


- Folder
- Database
- Cloud Store
• Use registered Folders and Databases to bulk publish datasets
• Use them to publish image layers via Portal application
• Use data stores from ArcMap and Pro for publishing referenced data
10.7.1/10.7.2 (subject to change)

Hosted Imagery Layers
- Multidimensional data
- Creation of tile layers from Imagery
- Configuration option such as nodata
10.7.1/10.7.2 (subject to change)

• Ortho Maker
- Satellite Imagery
- Seamline editing
- Scanned imagery
- Custom frame camera UX
- Parrot SEQUOIA
10.7.1/10.7.2 (subject to change)

• Deep Learning
- Improved multi-GPU support
- Improved deployment scripts for deep learning framework setup
- Manage training samples in cloud storage (S3, Azure,…)
- Training sample manager Web UX
- Extract training samples in image space, image space inference
- Valuable for highly oblique images
- Remove distortions
Q4 2019/2020 (subject to change)

• Imagery in ArcGIS Online (SaaS)


- hosted imagery layers as dynamic image services
- hosted imagery as tile layers (w/ hosted tile generation)
- hosted ortho mapping for drones
- hosted distributed raster analytics and image processing
Thank You!
