topic Additional QSE instead of QAP in Management & Governance

Additional QSE instead of QAP

geantbrun — Sat, 16 Nov 2024 04:37:30 GMT

Suppose we want to expose to the public some dashboards we made with Qlik Sense and we don't want to put on the Internet our Production QSE site. From what I understand, one solution would be to buy a QAP licence and put the QAP server in DMZ (with a firewall between QSE and QAP). But would it be possible instead to install a second QSE that we put in DMZ? Would it be equivalent? Of course we would remove all the creation rights for the anonymous users for this QSE2. Possible or not?

Re: Additional QSE instead of QAP

Levi_Turner — Thu, 19 Sep 2019 19:20:54 GMT

So the site would be separate? Rather than being potentially attached to the existing cluster?

Re: Additional QSE instead of QAP

geantbrun — Thu, 19 Sep 2019 19:32:43 GMT

Thanks for help Levi. Could you define separate vs attached please? In my mind, it would be separate in the sense that QSE2 is not a mirror of QSE1 but I'm not sure if this is what you have in mind when you say "separate".

Re: Additional QSE instead of QAP

Levi_Turner — Fri, 20 Sep 2019 12:59:34 GMT

I was just clarifying whether you were intending to add a RIM node into a cluster to help service these users or rather just planning on adding a secondary site. It sounds like the later option. When it comes to anonymous users, the following license types are supported:

Token-Based: Using the Login Access Passes (legacy license type)
Core-Based (either QAP or Qlik Sense Enterprise)
Capability-Based: By using the Capacity Analyzer licenses

(taken from here)

You can certainly opt to use QAP over Qlik Sense Enterprise, but be mindful that QAP does not include the "client". When we say client, we mean the Hub and related interfaces. If you plan to deploy the Qlik Sense app as a mashup or similar integration then QAP would work. But if you were planning on relying on the client interface, either for the users or for development activities on the apps, then QSE is a better option.

Re: Additional QSE instead of QAP

geantbrun — Fri, 20 Sep 2019 13:15:53 GMT

Suppose I opt for a second QSE (instead of QAP) which would reside in DMZ (see here for picture). Is it considered as "separate" and if yes, does it require a second licence or can it be deployed with the same licence as the one used to deploy QSE1 (which is token-based).

Re: Additional QSE instead of QAP

Levi_Turner — Fri, 20 Sep 2019 13:53:56 GMT

This will work if you wanted to re-use the license on your existing site:

(type1) : https://i.imgur.com/5gCX2i1.png

This will not:

(type2): https://i.imgur.com/kosWGRx.png

So:

QSE architecture type 1
Separate QSE site

(1) requires infra to be able to route users (e.g. a network application like Nginx or a network appliance like a network load balancer) with no additional license cost (assuming you have sufficient excess tokens to assign to a login access pool for the anonymous users accessing the RIM).

(2) does not require the additional Infra but comes with additional license cost.

Re: Additional QSE instead of QAP

geantbrun — Fri, 20 Sep 2019 13:49:00 GMT

Sorry can you resend the picture #1, I don't see it in your last message.

Re: Additional QSE instead of QAP

Levi_Turner — Fri, 20 Sep 2019 13:54:23 GMT

Check now. For whatever reason the post got wonky.

Re: Additional QSE instead of QAP

geantbrun — Fri, 20 Sep 2019 14:16:51 GMT

Thanks again Levi I see the difference in the architectures now (by the way, did you take those pictures from Qlik documentation and if yes, can you give me the link?). Thing I'm not sure to understand is why. I mean, why putting a firewall between QSE1 and QSE2 has implications on the need of a second licence? Is it because Qlik cannot calculate in this architecture the sum of the tokens consumed by internal and external users?

Re: Additional QSE instead of QAP

Levi_Turner — Fri, 20 Sep 2019 14:21:55 GMT

They are from some documentation I am working on in the context of hardening / securing a Qlik Sense site. Excerpt:

Qlik Specific Guidelines for External Audiences

When designing an architecture to support external audiences, network appliances or applications to route users inside of an organization's firewall is encouraged. This is needed due to each Qlik Sense node needing access to a common SMB share which hosts Qlik Sense applications, associated web files used in Qlik apps (e.g. thumbnail images, extensions), and is the location which log files are archived at. Using this example architecture as a reference of how many applications would be architected:

(type2): https://i.imgur.com/kosWGRx.png

This design would require the SMB share which is hosted on the Central node to be exposed to the Rim node which lives in the DMZ, in addition to a number of ports used by Qlik Sense Enterprise on Windows. This requirement is not encouraged from the Qlik side due to security implications of SMB traffic being allowed through an edge device entering a network. An alternative architecture which is conducive to the requirements of Qlik Sense Enterprise while also segregating consumption of applications for an external audience would be as follows:
(type1) : https://i.imgur.com/5gCX2i1.png

Re: Additional QSE instead of QAP

geantbrun — Fri, 20 Sep 2019 14:41:48 GMT

What does this button with red arrows represent in your first architecture diagram? And also, do you have an answer to the "why" question I asked in last message? Just curious.

Re: Additional QSE instead of QAP

Levi_Turner — Fri, 20 Sep 2019 15:00:34 GMT

What red arrow? In type 1 at the top? It's a network appliance / application doing routing to Qlik Sense

Why does a DMZ have implications?

> This design would require the SMB share which is hosted on the Central node to be exposed to the Rim node which lives in the DMZ, in addition to a number of ports used by Qlik Sense Enterprise on Windows. This requirement is not encouraged from the Qlik side due to security implications of SMB traffic being allowed through an edge device entering a network.

Short-answer, you'd have to expose SMB to the edge of your network.

Re: Additional QSE instead of QAP

geantbrun — Fri, 20 Sep 2019 16:12:24 GMT

I understand, thank you Levi.

You say that it's not the architecture that you suggest but is that not that architecture that you suggest for QAP? See here.

Re: Additional QSE instead of QAP

geantbrun — Fri, 20 Sep 2019 17:44:59 GMT

Or stated in other terms: do we expose SMB to edge node in the QAP architecture (when QAP lives in DMZ)?

Other thing: in the architecture that you suggest (central+rim nodes behind firewall), how can you restrict external users to view only subset of applications and not all?

Thank you again for your help, it's very appreciated.

Re: Additional QSE instead of QAP

geantbrun — Mon, 23 Sep 2019 15:19:58 GMT

Sorry @Levi_Turner to bother you with my questions but I have to clarify which way to go with our Qlik architecture. So I would like to know:

do we expose SMB share to edge node in the suggested QAP architecture (when QAP lives in DMZ)?
can you be more specific about what constitutes exactly an edge node? I understand that it's a node that lives on the Internet but suppose it's in a DMZ with a firewall between external users and this DMZ (and another one between QSE2/QAP and QSE1). Is it still an edge node (and corollary: is it still exposing SMB share to the world?). See picture attached.

Re: Additional QSE instead of QAP

Levi_Turner — Mon, 23 Sep 2019 20:07:45 GMT

do we expose SMB share to edge node in the suggested QAP architecture (when QAP lives in DMZ)?

I did not write that article so I cannot speak to why the author wrote what they wrote. This style of architecture is not recommended by Qlik.

can you be more specific about what constitutes exactly an edge node? I understand that it's a node that lives on the Internet but suppose it's in a DMZ with a firewall between external users and this DMZ (and another one between QSE2/QAP and QSE1). Is it still an edge node (and corollary: is it still exposing SMB share to the world?). See picture attached.

An edge node in standard networking talk is a node which has direct exposure to the public internet.

RE type2b: If your organization is okay with exposing SMB traffic to the DMZ, then that style of deployment will work. But this type of exposure is generally not an encouraged practice by most organizations.

Other thing: in the architecture that you suggest (central+rim nodes behind firewall), how can you restrict external users to view only subset of applications and not all?

Security rules are the obvious way of securing access regardless of the deployment profile.

Re: Additional QSE instead of QAP

geantbrun — Mon, 23 Sep 2019 20:34:26 GMT

but I still don't see why it's more secure in your proposed architecture. I understand that the rim node (and so the SMB share) doesn't live in the DMZ but it's still accessible to external users right?

Re: Additional QSE instead of QAP

geantbrun — Wed, 25 Sep 2019 18:29:41 GMT

@Levi_Turner I realize that it was maybe not clear that my external users here are anonymous users.They don't authenticate. In my understanding, you cannot let them enter your internal network. You can put a DMZ in front of a firewall and let them access "open data". But you seem to say that as soon as you put a rim node, there is a SMB share exposed on this node and putting it accessible to everyone is a security concern. Is my summary correct?

Re: Additional QSE instead of QAP

Levi_Turner — Thu, 26 Sep 2019 14:24:38 GMT

> but I still don't see why it's more secure in your proposed architecture. I understand that the rim node (and so the SMB share) doesn't live in the DMZ but it's still accessible to external users right

Because exposing SMB shares is considered a major security concern for many organizations. Entirely unrelated to Qlik, the WannaCry ransomware attack was propagated through SMB shares.

I would strongly suggests consulting with your network or security teams to make a judgment of what topology makes sense for your internal requirements.

Re: Additional QSE instead of QAP

geantbrun — Wed, 02 Oct 2019 15:22:12 GMT

@Levi_Turner I understand from your explanations that exposing SMB share on DMZ is not a good idea. What I don't get is why is it more secure in your architecture? Anonymous users could make malicious HTTP requests and potentially get access to rim node with SMB share exposed. Don't you agree?