When allowing external access to Qlik Sense, there are a handful of configuration steps needed on the server infrastructure to facilitate external access and potentially configuration steps needed on Qlik Sense itself.
For external access, the key questions are:
- What URL do you want users to use to access Qlik Sense? (e.g. https://ServerName.company.com vs. https://analytics.company.com)
- What type of authentication do you anticipate these external users to use?
- What kind of devices will those external users use? Do we need to have a third party certificate for seamless user access over HTTPS?
If you require more detailed assistance with your specific implementation, consider engaging with our active community or obtaining a direct engagement with our Consulting Services.
This article does not include step-by-step instructions on how to set up external network access.
Environment:
Qlik Sense Enterprise on Windows
Routing & URL configuration:
Regarding (1), the main actionable steps are:
- If you want a friendly name for external (or internal) users, then you will need to follow up with your infrastructure/networking team to set up an appropriate DNS alias.
- If you to use a DNS alias then be sure to adjust the Virtual Proxy Allowlist for all Virtual Proxies which will be used by external users. See "An error occurred Connection lost" or "Bad Request the http header is incorrect on Qlik Sense Hub" for a walkthrough on how to adjust the Virtual Proxy Allowlist. In brief QMC > Virtual Proxies > Edit > Advanced > Host white list > Enter the DNS alias (e.g. analytics.company.com)
- There is no need to place the protocol prefix. So analytics.company.com is preferable over https://analytics.company.com
- Do remember this setting is on a per-virtual proxy basis. If you have multiple modes of authentication externally then this will be needed.
- Any and all browsers, network devices, and network appliances are required to support HTML5 WebSockets: ref How To Check If The Browser Works With WebSockets
- Independent of the use of a DNS alias, you need to ensure that the appropriate ports are accessible externally.
- It is not uncommon for organizations to require that external users either access a server in a DMZ or to use a reverse proxy/network load balancer or other networking appliance at the edge of the network to allow users to access internal resources.
- Whether this is required or not is a question for the organization's infrastructure/networking team.
Port Requirements:
In order to determine which port(s) need to be accessible, the administrator needs to verify against the available ports list for the deployed Qlik Sense version.
See the Qlik Sense for administrators Help > Qlik Sense Enterprise on Windows Architecture > Ports for details.
SSL Certificates:
After determining the entry point at step 1 (DNS alias vs. servername), the administrator needs to determine what sort of SSL certificate is required.
- Do note that iOS devices have a restrictive list of third party certificates which are trusted by Apple. See iOS devices cannot open QlikSense Apps on the HUB for a link to the Apple KB which outlines which vendors are trusted on iOS devices
- For Per App VPN issues (iOS 13.3 and lower), see App Based VPN Solution (AirWatch / MobileIron and more) with Qlik Sense
- Do note that certain browsers require additional attributes to be on the SSL certificate. See Chrome 58+ and SSL Certificates for a Chrome specific requirement of Subject Alternative Names
- After determining any requirements for the SSL certificate from the above bullet points, they need to follow up internally with their security/certificate resources to determine the steps for generating a CSR to request a certificate from third-party certificate vendor.
