Qlik Sense® integration with Azure AD Application Proxy

    This article is a comprehensive guide on the current integration of Qlik Sense with Microsoft Azure AD Application Proxy as of March 2018. This feature is rolling out to Azure tenants from March 23rd 2018.

    Recommendation

    Due to the widespread adoption of Office 365, many Enterprises have already replicated their on-premise Active Directory into Azure, and are finding additional Microsoft cloud services increasingly attractive. Data sources, Application Servers and Business Intelligence tools may be migrated to the Azure Cloud. Microsoft Intune may be considered for Mobile Device Management but does not include a connectivity component for access to on-premise services. The Azure AD Application Proxy provides an easily deployed, VPN-less gateway that can be used to provide access to internal websites for small to medium businesses. Enterprises should consider whether they also require additional device-level authentication (as provided by VPN Gateways) or multi-factor authentication for access to internal websites.

    Qlik Sense requires that clients and intermediate infrastructure support the web-socket connectivity used between the Qlik Visualizations and the Qlik Sense Proxy service for retrieval of Associative datasets. Web-sockets are part of the HTML5 standard, but many proxy servers fail to support them; iOS 11 has resolved previous issues with routing web-socket traffic via a per-app VPN. Remaining connectivity problems are now due to the configuration or limitations of EMM and other network infrastructure.

    The following is a comprehensive guide on the current integration of Qlik Sense with Microsoft Azure AD Application Proxy.


    Microsoft Azure AD Application Proxy

    See also https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

    [Figure: azure.PNG]

    (A) Install the Azure AD Connect service on/near the Primary Domain Controller. This will replicate the Domain to Azure Active Directory. Only one instance of this service should be running. Installation includes a Health Service and an Upgrader Service. These are used to ensure that the Azure Portal notifies Administrators of synchronization issues, and that the software will be automatically updated with feature improvements. See also https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

    (B) Install the Azure AD App Proxy Connector on one or more hosts. These initiate an outbound connection to the Azure Cloud, through which traffic will pass to registered Enterprise Applications. Installation includes an Update Service, so the software will be automatically updated with feature improvements. Within the Azure Portal the registered Application Proxies are pooled into Connector Groups. See also https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-enable

    (C) Using the Azure Portal https://portal.azure.com/ the Administrator can register on-premise URLs such as Qlik Sense as Enterprise Applications. These are assigned a corresponding Public HTTPS URL, are associated with a Connector Group, and may be configured with authentication at the Azure entry point for Single SignOn into Qlik Sense.

    (D) Any browser, on mobile or desktop, can browse to a Public URL that provides access to the on-premise instance of Qlik Sense. The default Public URL is formed from a concatenation of the Application Name, the Tenant Name and ".msAppProxy.net", and is accessed using https://, for example https://demo-qlikemmnet.msappproxy.net/anon/hub/

    Configuration of Application Proxies

    During installation of an Application Proxy within the LAN, you are prompted to sign into Azure as an Administrator. This registers the Application Proxy for use. It has no further directly configurable properties, but will be automatically upgraded when necessary. Microsoft recommends installing several instances of the Application Proxy, which can be pooled into a Connector Group within the Azure Portal to provide Highly Available connectivity to on-premise resources.

    If an Application Proxy has been uninstalled or otherwise disabled, it will be removed from the Azure Portal after 10 days of inactivity.

    See also https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-understand-connectors


    Configuration of Enterprise Applications

    When configuring an on-premise application as an Enterprise Application, please refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-qlik

    When providing access to Qlik Sense releases prior to April 2018 you must register one application for the Qlik Sense Hub and an additional application for the corresponding Authentication URL. If you had registered https://demo.qlikemm.com/ as an application "Demo", you must also register https://demo.qlikemm.com:4244/ as "Demo4244" (or the corresponding http URLs http://demo.qlikemm.com/ and http://demo.qlikemm.com:4248/ ).

    You can suppress the additional application from https://myapps.microsoft.com by appropriately setting "Visible to Users" in the Enterprise Application properties.

    Qlik has not yet evaluated the use of Kerberos Constrained Delegation for Single Sign-On from an Azure pre-authenticated application into Qlik Sense, or the impact of Two-factor Authentication on Qlik Sense Mobile. Qlik currently encourages Azure customers to configure "passthrough" pre-authentication.

    See also https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd


    Further Qlik Considerations

    Within the Qlik Sense Management Console (QMC) you must also record the new External URL in the WhiteList of the Virtual Proxy.
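    The following added example (not part of this article or of Qlik's or Microsoft's tooling) works out, from the internal hub URL, the pair of Enterprise Application registrations described above for pre-April-2018 releases, the default public hostnames Azure will assign, and the entries that must then be added to the Virtual Proxy whitelist. It assumes the QRS virtualproxyconfig entity property `websocketCrossOriginWhiteList` backs the QMC whitelist, and uses the article's demo.qlikemm.com host with a constructed tenant name "qlikemmnet".

```python
from urllib.parse import urlsplit

# Qlik Sense authentication ports per scheme, as stated in the article.
AUTH_PORTS = {"https": 4244, "http": 4248}


def external_host(app_name: str, tenant: str) -> str:
    """Default public hostname Azure assigns: <app>-<tenant>.msappproxy.net."""
    return f"{app_name.lower()}-{tenant.lower()}.msappproxy.net"


def registration_plan(internal_url: str, app_name: str, tenant: str) -> list:
    """Enterprise Applications needed for a pre-April-2018 Qlik Sense release:
    one for the hub and one for the authentication URL on the auth port
    (named <app><port>, following the article's "Demo4244" convention)."""
    parts = urlsplit(internal_url)
    scheme, host = parts.scheme, parts.hostname
    auth_port = AUTH_PORTS[scheme]
    auth_name = f"{app_name}{auth_port}"
    return [
        {"name": app_name,
         "internal": f"{scheme}://{host}/",
         "external": f"https://{external_host(app_name, tenant)}/"},
        {"name": auth_name,
         "internal": f"{scheme}://{host}:{auth_port}/",
         "external": f"https://{external_host(auth_name, tenant)}/"},
    ]


def whitelist_hosts(plan: list) -> list:
    """External hostnames the Qlik Sense proxy must accept as websocket origins."""
    return sorted({urlsplit(entry["external"]).hostname for entry in plan})


def add_to_whitelist(virtual_proxy: dict, hosts: list) -> dict:
    """Return a copy of a QRS virtualproxyconfig object (as fetched with GET
    /qrs/virtualproxyconfig/<id>) with the hosts merged into the whitelist.
    The caller PUTs the result back; the input object is left untouched."""
    current = list(virtual_proxy.get("websocketCrossOriginWhiteList", []))
    for host in hosts:
        if host not in current:
            current.append(host)
    updated = dict(virtual_proxy)
    updated["websocketCrossOriginWhiteList"] = current
    return updated


if __name__ == "__main__":
    plan = registration_plan("https://demo.qlikemm.com/", "Demo", "qlikemmnet")
    for entry in plan:
        print(entry["name"], entry["internal"], "->", entry["external"])
    print("whitelist:", whitelist_hosts(plan))
```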


    Testing and Diagnosis

    QlikView is reliably accessible via the Microsoft Azure AD Application Proxy, as it does not depend on advanced features of HTML5 such as websockets.

    Qlik Sense requires websocket connectivity that is now newly available with the Application Proxy. Qlik Sense may also require a second registered application for the authentication URL.

    Qlik suggests deploying the Qlik Sense Websocket Connectivity Tester from http://branch.qlik.com/#!/project/56728f52d1e497241ae69865 into the Content Library within the QMC, and confirming that it can be accessed via both the internal URL http://demo.qlikemm.com/anon/content/default/QlikSenseWebsocketTest.html and the external URL https://demo-qlikemmnet.msappproxy.net/anon/content/default/QlikSenseWebsocketTest.html. Failure could be caused by other network infrastructure, such as Load Balancers or a Reverse Proxy, between the Azure AD Application Proxy and Qlik Sense.
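    As an added diagnostic to complement the browser-based tester (example code, not the tester from the Qlik Branch project nor anything from Microsoft), the script below performs a raw RFC 6455 websocket upgrade against a URL and verifies the 101 response, so the same probe can be run against the internal and the external address to see which hop drops the upgrade. The websocket path is an assumption; substitute one served by your virtual proxy.

```python
import base64
import hashlib
import os
import socket
import ssl
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return for our key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_handshake(raw: bytes, key: str) -> tuple:
    """Inspect the HTTP response to an Upgrade request. Returns (ok, reason).
    A 101 with the right Accept value means every hop forwarded the upgrade;
    a 200 page or a 4xx/5xx means an intermediary answered instead."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        return False, f"no 101 Switching Protocols: {lines[0]}"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "Upgrade header missing or not 'websocket'"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "websocket upgrade accepted"


def probe(url: str, timeout: float = 10.0) -> tuple:
    """Connect (TLS for wss/https) and send a minimal Upgrade request."""
    u = urlsplit(url)
    secure = u.scheme in ("wss", "https")
    port = u.port or (443 if secure else 80)
    key = base64.b64encode(os.urandom(16)).decode("ascii")  # random client nonce
    request = (f"GET {u.path or '/'} HTTP/1.1\r\nHost: {u.hostname}\r\n"
               f"Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    sock = socket.create_connection((u.hostname, port), timeout=timeout)
    if secure:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=u.hostname)
    with sock:
        sock.sendall(request.encode("ascii"))
        return verify_handshake(sock.recv(4096), key)
```

Run `probe("wss://demo-qlikemmnet.msappproxy.net/anon/app/engineData")` (assumed path) and the same against the internal host; a passthrough app that returns a 200 login page instead of 101 points at pre-authentication or an intermediary rather than at Qlik Sense.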

    Some logging may be produced by the Azure AD Application Proxy at "C:\ProgramData\Microsoft\Microsoft AAD Application Proxy Connector\".