Suppose we want to expose to the public some dashboards we made with Qlik Sense and we don't want to put on the Internet our Production QSE site. From what I understand, one solution would be to buy a QAP licence and put the QAP server in DMZ (with a firewall between QSE and QAP). But would it be possible instead to install a second QSE that we put in DMZ? Would it be equivalent? Of course we would remove all the creation rights for the anonymous users for this QSE2. Possible or not?
So the site would be separate? Rather than being potentially attached to the existing cluster?
Thanks for help Levi. Could you define separate vs attached please? In my mind, it would be separate in the sense that QSE2 is not a mirror of QSE1 but I'm not sure if this is what you have in mind when you say "separate".
I was just clarifying whether you were intending to add a RIM node into a cluster to help service these users or rather just planning on adding a secondary site. It sounds like the latter option. When it comes to anonymous users, the following license types are supported:
(taken from here)
You can certainly opt to use QAP over Qlik Sense Enterprise, but be mindful that QAP does not include the "client". When we say client, we mean the Hub and related interfaces. If you plan to deploy the Qlik Sense app as a mashup or similar integration then QAP would work. But if you were planning on relying on the client interface, either for the users or for development activities on the apps, then QSE is a better option.
Suppose I opt for a second QSE (instead of QAP) which would reside in DMZ (see here for picture). Is it considered as "separate" and if yes, does it require a second licence or can it be deployed with the same licence as the one used to deploy QSE1 (which is token-based)?
This will work if you wanted to re-use the license on your existing site:
(type1) : https://i.imgur.com/5gCX2i1.png
This will not:
(type2): https://i.imgur.com/kosWGRx.png
So:
(1) requires infra to be able to route users (e.g. a network application like Nginx or a network appliance like a network load balancer) with no additional license cost (assuming you have sufficient excess tokens to assign to a login access pool for the anonymous users accessing the RIM).
(2) does not require the additional Infra but comes with additional license cost.
Sorry can you resend the picture #1, I don't see it in your last message.
Check now. For whatever reason the post got wonky.
Thanks again Levi, I see the difference in the architectures now (by the way, did you take those pictures from Qlik documentation and if yes, can you give me the link?). The thing I'm not sure I understand is why. I mean, why does putting a firewall between QSE1 and QSE2 have implications for the need for a second licence? Is it because Qlik cannot calculate in this architecture the sum of the tokens consumed by internal and external users?
They are from some documentation I am working on in the context of hardening / securing a Qlik Sense site. Excerpt:
Qlik Specific Guidelines for External Audiences
When designing an architecture to support external audiences, using network appliances or applications to route users inside of an organization's firewall is encouraged. This is needed because each Qlik Sense node needs access to a common SMB share which hosts Qlik Sense applications and associated web files used in Qlik apps (e.g. thumbnail images, extensions), and is the location where log files are archived. Use this example architecture as a reference for how many applications would be architected:
(type2): https://i.imgur.com/kosWGRx.png
This design would require the SMB share which is hosted on the Central node to be exposed to the Rim node which lives in the DMZ, in addition to a number of ports used by Qlik Sense Enterprise on Windows. This requirement is not encouraged from the Qlik side due to security implications of SMB traffic being allowed through an edge device entering a network. An alternative architecture which is conducive to the requirements of Qlik Sense Enterprise while also segregating consumption of applications for an external audience would be as follows:
(type1) : https://i.imgur.com/5gCX2i1.png
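The SMB concern in the excerpt above can be checked against an exported edge-firewall policy. The following is an added example, not part of the thread or of Qlik's documentation; the rule format, zone names (`dmz`, `internal`) and sample rules are constructed assumptions, and first-match rule ordering with default deny is assumed.

```python
# Added example: find which rule lets SMB through from the DMZ to the internal zone.
SMB_TCP_PORTS = (139, 445)  # NetBIOS session service and SMB over TCP

# Constructed sample policy (hypothetical format), evaluated top to bottom.
RULES = [
    {"id": 1, "src": "dmz", "dst": "internal", "proto": "tcp", "ports": "443", "action": "allow"},
    {"id": 2, "src": "dmz", "dst": "internal", "proto": "udp", "ports": "445", "action": "allow"},
    {"id": 3, "src": "dmz", "dst": "internal", "proto": "tcp", "ports": "445", "action": "allow"},
    {"id": 4, "src": "dmz", "dst": "internal", "proto": "tcp", "ports": "100-500", "action": "allow"},
    {"id": 5, "src": "dmz", "dst": "internal", "proto": "tcp", "ports": "139,445", "action": "deny"},
    {"id": 6, "src": "internal", "dst": "dmz", "proto": "tcp", "ports": "445", "action": "allow"},
]

def port_matches(spec, port):
    """True if a port spec such as 'any', '443', '139,445' or '100-500' covers port."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def smb_exposure(rules, src="dmz", dst="internal"):
    """Return {port: rule_id} for SMB ports that the first matching rule allows src -> dst."""
    exposed = {}
    for port in SMB_TCP_PORTS:
        for rule in rules:  # first match wins; no match means default deny
            if (rule["src"] in (src, "any") and rule["dst"] in (dst, "any")
                    and rule["proto"] in ("tcp", "any")
                    and port_matches(rule["ports"], port)):
                if rule["action"] == "allow":
                    exposed[port] = rule["id"]
                break
    return exposed

if __name__ == "__main__":
    for port, rule_id in smb_exposure(RULES).items():
        print(f"TCP {port} reachable from DMZ via rule {rule_id}")
```

Note that the late deny rule (id 5) never takes effect here because broader allow rules match first, which is the kind of ordering mistake this check surfaces.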