Qlik Community

Qlik NPrinting Discussions

Discussion Board for collaboration on Qlik NPrinting.

Announcements
IMPORTANT security patches for GeoAnalytics Server available to download: READ DETAILS
cancel
Showing results for 
Search instead for 
Did you mean: 
WMLouis
Contributor II
Contributor II

Advice Needed: Securely connecting Nprinting to a Sense server (Part 2 )

@Frank_S   This a continuation/resurrection of this thread: 

Advice Needed: Securely connecting Nprinting to a... - Qlik Community - 1784792

I wanted to reply and make sure I understand my options. 

This is the previous response that I believe is pertinent.  

"The NP connection used to connect to Qlik Sense apps must connect to a Qlik Sense virtual proxy that has window auth enabled. If needed, you can create a separate Virtual Proxy that meets these requirements and use that VProxy address and prefix with your NP connections as your QS proxy address."

 

and here are my specifics:

I have a Sense server that it not behind a vpn and I'd like to connect nprinting to it.

I think the best way to do this would be via a virtual proxy.  However, if I enter the virtual proxy into a browser, ie. https://qlikeserver.something.com/virtualproxy  , I'm presented with a popup that asks for the Username and Password.

Once I enter those credentials, I'm able to enter the site.  

So if a user were to have their credentials stolen, those credentials could be used via this proxy to bypass multi-factor authentication.  

 

Do I have any options here?

Can I tie a virtual proxy to respond to only a singe server?

Labels (1)
1 Solution

Accepted Solutions
Frank_S
Support
Support

Hello @WMLouis

The references are purely related to internal network functionality.

NPrinting requires a Qlik Sense Virtual Proxy that is configured with Windows Ticketing/Authentication/NTLM

 

https://help.qlik.com/en-US/nprinting/May2021/Content/NPrinting/DeployingQVNprinting/NPrinting-with-...

 

Microsoft Windows NTML authentication on the Qlik Sense proxy. SAML and JWT are not supported. If your (Qlik Sense) virtual proxy uses SAML or JWT authentication, you need to add a new virtual proxy with NTLM enabled for Qlik NPrinting connections.

 

The following must be correctly set up:

    -A Qlik Sense proxy.

    -A Qlik Sense virtual proxy.

    -A link between the proxy and virtual proxy.

    The Qlik Sense virtual proxy must be reachable from the Qlik NPrinting Engine machines to retrieve data to create reports. It must be reachable from the Qlik NPrinting Server to publish to the Qlik Sense hub.

 

Can I ask for clarification about your requirement?

Are you trying to run NPrinting On Demand reports when in the Qlik Sense hub and when doing so you are getting a second prompt to login?

 

I think there are at least 2 if not 3 points your making here.

 

1. "What is the correct Virtual Proxy type that can be used with NPrinting".

Answer: Windows/NTLM. Alternate methods (JWT, SAML etc) available in the Qlik Sense QMC are not supported.

 

2. "It is possible to connect through a VPN to access NPrinting".

Answer: I haven't tried it but it should be fine theoretically. This is something you can work on with your network administration and infrastructure security team.

 

3. "So if a user were to have their credentials stolen, those credentials could be used via this proxy to bypass multi-factor authentication"

Not clear here what you mean by "those credentials could be used via this proxy to bypass multi-factor authentication"

In any case and as a best practice, if a domain user credentials get stolen, then the breach should be reported to your internal security team and the password should be reset by your Active Directory domain administrator.

 

In a nutshell, NPrinting will work as designed and communicate as expected within your network when requirements are met. If you need to expose, NPrinting externally, that ideally should be a question for your internal IT team.

However if you want to secure your NPrinting web console, that is yet another conversation. Which would required 3rd party certificates to be properly configured as per the link below then configure your NPrinting server using the second link below:

 

Finally, if you need to configure a reverse proxy for external access, you may wish to share this with your internal IT team as well assuming you are trying to use your NP designer through a reverse proxy.

 

Hope this helps to give some guidance ...

 

 

 

We are just 'like' you and like to be liked when providing a helpful answer. You may also press the 'Solution Accepted' button if an answer provided resolves your question or issue... Cheers!

View solution in original post

1 Reply
Frank_S
Support
Support

Hello @WMLouis

The references are purely related to internal network functionality.

NPrinting requires a Qlik Sense Virtual Proxy that is configured with Windows Ticketing/Authentication/NTLM

 

https://help.qlik.com/en-US/nprinting/May2021/Content/NPrinting/DeployingQVNprinting/NPrinting-with-...

 

Microsoft Windows NTML authentication on the Qlik Sense proxy. SAML and JWT are not supported. If your (Qlik Sense) virtual proxy uses SAML or JWT authentication, you need to add a new virtual proxy with NTLM enabled for Qlik NPrinting connections.

 

The following must be correctly set up:

    -A Qlik Sense proxy.

    -A Qlik Sense virtual proxy.

    -A link between the proxy and virtual proxy.

    The Qlik Sense virtual proxy must be reachable from the Qlik NPrinting Engine machines to retrieve data to create reports. It must be reachable from the Qlik NPrinting Server to publish to the Qlik Sense hub.

 

Can I ask for clarification about your requirement?

Are you trying to run NPrinting On Demand reports when in the Qlik Sense hub and when doing so you are getting a second prompt to login?

 

I think there are at least 2 if not 3 points your making here.

 

1. "What is the correct Virtual Proxy type that can be used with NPrinting".

Answer: Windows/NTLM. Alternate methods (JWT, SAML etc) available in the Qlik Sense QMC are not supported.

 

2. "It is possible to connect through a VPN to access NPrinting".

Answer: I haven't tried it but it should be fine theoretically. This is something you can work on with your network administration and infrastructure security team.

 

3. "So if a user were to have their credentials stolen, those credentials could be used via this proxy to bypass multi-factor authentication"

Not clear here what you mean by "those credentials could be used via this proxy to bypass multi-factor authentication"

In any case and as a best practice, if a domain user credentials get stolen, then the breach should be reported to your internal security team and the password should be reset by your Active Directory domain administrator.

 

In a nutshell, NPrinting will work as designed and communicate as expected within your network when requirements are met. If you need to expose, NPrinting externally, that ideally should be a question for your internal IT team.

However if you want to secure your NPrinting web console, that is yet another conversation. Which would required 3rd party certificates to be properly configured as per the link below then configure your NPrinting server using the second link below:

 

Finally, if you need to configure a reverse proxy for external access, you may wish to share this with your internal IT team as well assuming you are trying to use your NP designer through a reverse proxy.

 

Hope this helps to give some guidance ...

 

 

 

We are just 'like' you and like to be liked when providing a helpful answer. You may also press the 'Solution Accepted' button if an answer provided resolves your question or issue... Cheers!