geantbrun
Contributor

Additional QSE instead of QAP

Suppose we want to expose to the public some dashboards we made with Qlik Sense and we don't want to put on the Internet our Production QSE site. From what I understand, one solution would be to buy a QAP licence and put the QAP server in DMZ (with a firewall between QSE and QAP). But would it be possible instead to install a second QSE that we put in DMZ? Would it be equivalent? Of course we would remove all the creation rights for the anonymous users for this QSE2. Possible or not?

19 Replies
Levi_Turner
Employee

So the site would be separate? Rather than being potentially attached to the existing cluster?

geantbrun
Contributor
Author

Thanks for help Levi. Could you define separate vs attached please? In my mind, it would be separate in the sense that QSE2 is not a mirror of QSE1 but I'm not sure if this is what you have in mind when you say "separate".

Levi_Turner
Employee

I was just clarifying whether you were intending to add a RIM node into a cluster to help service these users or rather just planning on adding a secondary site. It sounds like the latter option. When it comes to anonymous users, the following license types are supported:

  • Token-Based: Using the Login Access Passes (legacy license type)
  • Core-Based (either QAP or Qlik Sense Enterprise)
  • Capability-Based: By using the Capacity Analyzer licenses

(taken from here)

You can certainly opt to use QAP over Qlik Sense Enterprise, but be mindful that QAP does not include the "client". When we say client, we mean the Hub and related interfaces. If you plan to deploy the Qlik Sense app as a mashup or similar integration then QAP would work. But if you were planning on relying on the client interface, either for the users or for development activities on the apps, then QSE is a better option.

geantbrun
Contributor
Author

Suppose I opt for a second QSE (instead of QAP) which would reside in DMZ (see here for picture). Is it considered as "separate" and if yes, does it require a second licence or can it be deployed with the same licence as the one used to deploy QSE1 (which is token-based)?

Levi_Turner
Employee

This will work if you wanted to re-use the license on your existing site:

(type1) : https://i.imgur.com/5gCX2i1.png

This will not: 

(type2): https://i.imgur.com/kosWGRx.png

So:

  1. QSE architecture type 1
  2. Separate QSE site

(1) requires infra to be able to route users (e.g. a network application like Nginx or a network appliance like a network load balancer) with no additional license cost (assuming you have sufficient excess tokens to assign to a login access pool for the anonymous users accessing the RIM).

(2) does not require the additional Infra but comes with additional license cost.

geantbrun
Contributor
Author

Sorry can you resend the picture #1, I don't see it in your last message.

Levi_Turner
Employee

Check now. For whatever reason the post got wonky.

geantbrun
Contributor
Author

Thanks again Levi, I see the difference in the architectures now (by the way, did you take those pictures from Qlik documentation and if yes, can you give me the link?). The thing I'm not sure I understand is why. I mean, why does putting a firewall between QSE1 and QSE2 have implications for the need for a second licence? Is it because Qlik cannot calculate in this architecture the sum of the tokens consumed by internal and external users?

Levi_Turner
Employee

They are from some documentation I am working on in the context of hardening / securing a Qlik Sense site. Excerpt:

Qlik Specific Guidelines for External Audiences

When designing an architecture to support external audiences, network appliances or applications to route users inside of an organization's firewall is encouraged. This is needed due to each Qlik Sense node needing access to a common SMB share which hosts Qlik Sense applications, associated web files used in Qlik apps (e.g. thumbnail images, extensions), and is the location which log files are archived at. Using this example architecture as a reference of how many applications would be architected:

 

(type2): https://i.imgur.com/kosWGRx.png

This design would require the SMB share which is hosted on the Central node to be exposed to the Rim node which lives in the DMZ, in addition to a number of ports used by Qlik Sense Enterprise on Windows. This requirement is not encouraged from the Qlik side due to security implications of SMB traffic being allowed through an edge device entering a network. An alternative architecture which is conducive to the requirements of Qlik Sense Enterprise while also segregating consumption of applications for an external audience would be as follows:

(type1) : https://i.imgur.com/5gCX2i1.png
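
A way to check a firewall rule set for the exposure the excerpt above warns about, SMB allowed from the DMZ into the internal network (added example, not part of the thread or of Qlik documentation; the zone ranges, rule names and rule format are constructed for illustration):

```python
import ipaddress

# Constructed zones and rules (assumptions for this example, not from the thread).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

RULES = [
    # (name, action, source CIDR, destination CIDR, protocol, ports)
    ("rim-to-central-share", "allow", "192.0.2.10/32", "10.1.1.5/32", "tcp", "445"),
    ("rim-broad-range", "allow", "192.0.2.0/24", "10.1.0.0/16", "tcp", "100-1024"),
    ("proxy-to-internal-https", "allow", "192.0.2.20/32", "10.1.1.5/32", "tcp", "443"),
    ("dmz-smb-deny", "deny", "192.0.2.0/24", "10.0.0.0/8", "tcp", "445"),
    ("lan-file-share", "allow", "10.2.0.0/16", "10.1.1.5/32", "tcp", "445"),
    ("dmz-any", "allow", "192.0.2.30/32", "0.0.0.0/0", "any", "any"),
]

def ports_in(spec):
    """Return the SMB ports covered by a spec like '445', '100-1024', '80,445' or 'any'."""
    if spec == "any":
        return set(SMB_PORTS)
    hit = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)  # a single port is a range of one
        hit |= {p for p in SMB_PORTS if lo <= p <= hi}
    return hit

def smb_across_boundary(rules, zones=ZONES):
    """List allow rules that let TCP SMB ports pass from the DMZ to the internal zone.

    Rule order is ignored: every matching allow rule is reported, even if an
    earlier deny would shadow it on a first-match firewall.
    """
    findings = []
    for name, action, src, dst, proto, ports in rules:
        if action != "allow" or proto not in ("tcp", "any"):
            continue
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if src_net.overlaps(zones["dmz"]) and dst_net.overlaps(zones["internal"]):
            exposed = ports_in(ports)
            if exposed:
                findings.append((name, sorted(exposed)))
    return findings

if __name__ == "__main__":
    for name, ports in smb_across_boundary(RULES):
        print(f"{name}: SMB ports {ports} allowed from DMZ to internal")
```

Broad port ranges and "any" rules are reported alongside the explicit 445 rule, since those are the entries that usually carry SMB across the boundary unnoticed.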