Suppose we want to expose to the public some dashboards we made with Qlik Sense and we don't want to put our Production QSE site on the Internet. From what I understand, one solution would be to buy a QAP licence and put the QAP server in a DMZ (with a firewall between QSE and QAP). But would it be possible instead to install a second QSE that we put in the DMZ? Would it be equivalent? Of course we would remove all the creation rights for the anonymous users on this QSE2. Possible or not?
What does this button with red arrows represent in your first architecture diagram? And also, do you have an answer to the "why" question I asked in last message? Just curious.
What red arrow? In type 1 at the top? It's a network appliance / application doing routing to Qlik Sense.
Why does a DMZ have implications?
> This design would require the SMB share which is hosted on the Central node to be exposed to the Rim node which lives in the DMZ, in addition to a number of ports used by Qlik Sense Enterprise on Windows. This requirement is not encouraged from the Qlik side due to security implications of SMB traffic being allowed through an edge device entering a network.
Short answer: you'd have to expose SMB to the edge of your network.
I understand, thank you Levi.
You say that it's not the architecture that you suggest, but isn't that the architecture you suggest for QAP? See here.
Or, stated in other terms: do we expose SMB to the edge node in the QAP architecture (when QAP lives in the DMZ)?
Another thing: in the architecture that you suggest (central + rim nodes behind the firewall), how can you restrict external users to viewing only a subset of applications and not all of them?
Thank you again for your help, it's very appreciated.
Sorry @Levi_Turner to bother you with my questions but I have to clarify which way to go with our Qlik architecture. So I would like to know:
I did not write that article so I cannot speak to why the author wrote what they wrote. This style of architecture is not recommended by Qlik.
An edge node in standard networking talk is a node which has direct exposure to the public internet.
RE type2b: If your organization is okay with exposing SMB traffic to the DMZ, then that style of deployment will work. But this type of exposure is generally not an encouraged practice by most organizations.
Security rules are the obvious way of securing access regardless of the deployment profile.
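The discussion above turns on one flow: whether SMB (TCP 139/445) is ever permitted from an edge zone (Internet or DMZ) into the internal network. The following is an added example, not code from the thread or from Qlik, that audits two constructed firewall rule sets mirroring the two topologies discussed ("type 2b", a rim node in the DMZ mounting the central node's share, versus everything behind the firewall with only a routing appliance in the DMZ). Zone names, the first-match/default-deny evaluation, and the example rules are all assumptions made for illustration.

```python
"""Audit constructed firewall policies for SMB crossing the network edge.

All rule sets below are invented for this example; they are not a real
Qlik deployment and not Qlik's recommendation. Semantics assumed here:
first matching rule wins, anything unmatched is denied.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str  # "allow" or "deny"


def is_allowed(rules: Iterable[Rule], src_zone: str, dst_zone: str, dst_port: int) -> bool:
    """First-match evaluation with an implicit default deny (assumed semantics)."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dst_port == dst_port:
            return r.action == "allow"
    return False


def smb_crossings(
    rules: Iterable[Rule],
    edge_zones: Tuple[str, ...] = ("internet", "dmz"),
    protected: Tuple[str, ...] = ("internal",),
) -> List[Tuple[str, str, int]]:
    """Every (src, dst, port) where SMB is permitted from an edge zone into a protected zone."""
    rules = list(rules)
    return [
        (s, d, p)
        for s in edge_zones
        for d in protected
        for p in sorted(SMB_PORTS)
        if is_allowed(rules, s, d, p)
    ]


# "Type 2b" (constructed): the rim node lives in the DMZ and mounts the
# central node's share, so SMB must be opened through the edge firewall.
RIM_IN_DMZ = [
    Rule("internet", "dmz", 443, "allow"),   # anonymous users reach the rim node's proxy
    Rule("dmz", "internal", 445, "allow"),   # rim node mounts the central node's SMB share
    Rule("dmz", "internal", 4242, "allow"),  # placeholder for a further Qlik service port (assumed value)
]

# Recommended shape (constructed): only a routing appliance sits in the DMZ;
# it forwards HTTPS inward, and SMB never leaves the internal zone.
ALL_BEHIND_FIREWALL = [
    Rule("internet", "dmz", 443, "allow"),       # anonymous users hit the appliance in the DMZ
    Rule("dmz", "internal", 443, "allow"),       # appliance forwards HTTPS to the rim node
    Rule("dmz", "internal", 445, "deny"),        # explicit: no SMB through the edge
    Rule("internal", "internal", 445, "allow"),  # rim node mounts the share without crossing the edge
]


def audit(name: str, rules: Iterable[Rule]) -> List[Tuple[str, str, int]]:
    """Print and return the SMB crossings found for one topology."""
    findings = smb_crossings(rules)
    if findings:
        print(f"[{name}] SMB allowed through the edge: {findings}")
    else:
        print(f"[{name}] no SMB traffic crosses the edge")
    return findings


if __name__ == "__main__":
    audit("type 2b: rim node in DMZ", RIM_IN_DMZ)
    audit("central + rim behind firewall", ALL_BEHIND_FIREWALL)
```

The check is deliberately about flows rather than hosts: in both topologies anonymous users only ever speak HTTPS to something in the DMZ, so the difference Levi describes is not "who can reach the rim node" but "which protocols the edge firewall has to let through". Running the same audit over a real rule export (after mapping it onto `Rule`) is the quickest way to confirm a proposed design against the organisation's own policy.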
but I still don't see why it's more secure in your proposed architecture. I understand that the rim node (and so the SMB share) doesn't live in the DMZ but it's still accessible to external users right?
@Levi_Turner I realize that it was maybe not clear that my external users here are anonymous users. They don't authenticate. In my understanding, you cannot let them enter your internal network. You can put a DMZ in front of a firewall and let them access "open data". But you seem to say that as soon as you put a rim node there, there is an SMB share exposed on this node, and making it accessible to everyone is a security concern. Is my summary correct?
> but I still don't see why it's more secure in your proposed architecture. I understand that the rim node (and so the SMB share) doesn't live in the DMZ but it's still accessible to external users right
Because exposing SMB shares is considered a major security concern for many organizations. Entirely unrelated to Qlik, the WannaCry ransomware attack was propagated through SMB shares.
I would strongly suggest consulting with your network or security teams to make a judgment of what topology makes sense for your internal requirements.
@Levi_Turner I understand from your explanations that exposing an SMB share in the DMZ is not a good idea. What I don't get is why it is more secure in your architecture. Anonymous users could make malicious HTTP requests and potentially get access to the rim node with the SMB share exposed. Don't you agree?