geantbrun
Contributor

Additional QSE instead of QAP

Suppose we want to expose some dashboards we made with Qlik Sense to the public, and we don't want to put our Production QSE site on the Internet. From what I understand, one solution would be to buy a QAP licence and put the QAP server in a DMZ (with a firewall between QSE and QAP). But would it be possible instead to install a second QSE that we put in the DMZ? Would it be equivalent? Of course we would remove all the creation rights for the anonymous users of this QSE2. Possible or not?

19 Replies
geantbrun
Contributor
Author

What does this button with red arrows represent in your first architecture diagram? And also, do you have an answer to the "why" question I asked in my last message? Just curious.

Levi_Turner
Employee

What red arrow? In type 1 at the top? It's a network appliance / application doing routing to Qlik Sense.

Why does a DMZ have implications? 

> This design would require the SMB share which is hosted on the Central node to be exposed to the Rim node which lives in the DMZ, in addition to a number of ports used by Qlik Sense Enterprise on Windows. This requirement is not encouraged from the Qlik side due to security implications of SMB traffic being allowed through an edge device entering a network.

Short-answer, you'd have to expose SMB to the edge of your network.

geantbrun
Contributor
Author

I understand, thank you Levi.

You say that it's not the architecture you suggest, but isn't that the architecture you suggest for QAP? See here.

geantbrun
Contributor
Author

Or stated in other terms: do we expose SMB to the edge node in the QAP architecture (when QAP lives in the DMZ)?

Another thing: in the architecture that you suggest (central + rim nodes behind the firewall), how can you restrict external users to viewing only a subset of applications and not all of them?

Thank you again for your help, it's very appreciated.

geantbrun
Contributor
Author

Sorry @Levi_Turner to bother you with my questions, but I have to clarify which way to go with our Qlik architecture. So I would like to know:

  • do we expose the SMB share to the edge node in the suggested QAP architecture (when QAP lives in the DMZ)?
  • can you be more specific about what exactly constitutes an edge node? I understand that it's a node that lives on the Internet, but suppose it's in a DMZ with a firewall between external users and this DMZ (and another one between QSE2/QAP and QSE1). Is it still an edge node (and, as a corollary, is it still exposing the SMB share to the world)? See picture attached.


Levi_Turner
Employee

> do we expose the SMB share to the edge node in the suggested QAP architecture (when QAP lives in the DMZ)?

I did not write that article, so I cannot speak to why the author wrote what they wrote. This style of architecture is not recommended by Qlik.

> can you be more specific about what exactly constitutes an edge node? I understand that it's a node that lives on the Internet, but suppose it's in a DMZ with a firewall between external users and this DMZ (and another one between QSE2/QAP and QSE1). Is it still an edge node (and, as a corollary, is it still exposing the SMB share to the world)? See picture attached.

An edge node in standard networking talk is a node which has direct exposure to the public internet.

RE type2b: If your organization is okay with exposing SMB traffic to the DMZ, then that style of deployment will work. But this type of exposure is generally not an encouraged practice by most organizations.

> Another thing: in the architecture that you suggest (central + rim nodes behind the firewall), how can you restrict external users to viewing only a subset of applications and not all of them?

Security rules are the obvious way of securing access regardless of the deployment profile.

geantbrun
Contributor
Author

But I still don't see why it's more secure in your proposed architecture. I understand that the rim node (and so the SMB share) doesn't live in the DMZ, but it's still accessible to external users, right?

geantbrun
Contributor
Author

@Levi_Turner I realize that it was maybe not clear that my external users here are anonymous users. They don't authenticate. In my understanding, you cannot let them enter your internal network. You can put a DMZ in front of a firewall and let them access "open data". But you seem to say that as soon as you put in a rim node, there is an SMB share exposed on this node, and making it accessible to everyone is a security concern. Is my summary correct?

Levi_Turner
Employee

> But I still don't see why it's more secure in your proposed architecture. I understand that the rim node (and so the SMB share) doesn't live in the DMZ, but it's still accessible to external users, right?

Because exposing SMB shares is considered a major security concern for many organizations. Entirely unrelated to Qlik, the WannaCry ransomware attack was propagated through SMB shares.

I would strongly suggest consulting with your network or security teams to make a judgment about which topology makes sense for your internal requirements.
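A defender-side check for the point made above about SMB crossing the edge firewall, added here as an example and not part of the thread or of any Qlik material: run from the DMZ (rim) node, it confirms the central node's SMB ports are blocked while the Qlik service ports you intend to allow are open, then reports local SMBv1 state and shares. The hostname `CENTRAL-NODE` and the port lists are placeholders and assumptions to replace with your own deployment's values.

```powershell
# Added example (not from the thread or from Qlik). Run on the DMZ/rim node.
# Hostname and port lists below are placeholders/assumptions for this check.
param(
    [string]$CentralNode         = 'CENTRAL-NODE',   # placeholder: your QSE central node
    [int[]] $ExpectedOpenPorts   = @(4242, 4747),    # assumed: Qlik QRS REST and Engine ports
    [int[]] $ExpectedClosedPorts = @(445, 139)       # SMB over TCP and NetBIOS session
)

function Test-TcpPortOpen {
    param([string]$ComputerName, [int]$Port)
    # Quiet mode returns $true only when the TCP handshake completes through the firewall
    Test-NetConnection -ComputerName $ComputerName -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$checks = @()
foreach ($p in $ExpectedClosedPorts) { $checks += [pscustomobject]@{ Port = $p; Expected = 'closed' } }
foreach ($p in $ExpectedOpenPorts)   { $checks += [pscustomobject]@{ Port = $p; Expected = 'open'   } }

$results = foreach ($c in $checks) {
    $isOpen = Test-TcpPortOpen -ComputerName $CentralNode -Port $c.Port
    $actual = if ($isOpen) { 'open' } else { 'closed' }
    [pscustomobject]@{
        Port     = $c.Port
        Expected = $c.Expected
        Actual   = $actual
        OK       = ($c.Expected -eq $actual)
    }
}
$results | Format-Table -AutoSize

# Any row with OK = False means the firewall between the DMZ and the internal network
# does not match the intended design (for example, SMB 445 reachable from the DMZ).
$bad = @($results | Where-Object { -not $_.OK })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) port(s) deviate from the intended firewall policy." }

# Local SMB hygiene on this node: SMBv1 (the protocol version WannaCry exploited) should be
# disabled, and every non-administrative share here must be covered by the edge firewall review.
$smbCfg = Get-SmbServerConfiguration
"SMB1 enabled on $env:COMPUTERNAME : $($smbCfg.EnableSMB1Protocol)"
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path, Description
```

Run it from the DMZ side only; a result showing 445 open from the rim node is exactly the exposure the replies above warn about.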

geantbrun
Contributor
Author

@Levi_Turner I understand from your explanations that exposing an SMB share on the DMZ is not a good idea. What I don't get is why it is more secure in your architecture. Anonymous users could make malicious HTTP requests and potentially get access to the rim node with the SMB share exposed. Don't you agree?