Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Partner

Why does Qlik insist on a separate port

Qlik Sense uses port 4244 to enable Windows authentication over HTTPS, and not the standard 443.

Is there a security reason why they cannot share the standard 442 port?

It's all behind the Qlik Proxy, which could relay 443 to 4244 for authentication paths, so I cannot see that there is a technical reason for requiring two different ports. (Apart from not prioritising the resources to implement this in the Qlik proxy.)

Or to rephrase the question:

Are there any security issues with adding a 3rd party reverse proxy in front of Qlik that translates and redirects between 4244 and 443 for authentication purposes?

Anyone got any idea? Either one way or the other?

Regards,

Vegard

PS: I know no more than one process can listen on a given port. So that's an initial technical reason. But hopefully not the whole answer.

1 Solution

Accepted Solutions
Employee

Re: Why does Qlik insist on a separate port

It is correct that there is no theoretical requirement to use a separate port for authentication. In this case the reason is that Qlik Sense relies on a standard .NET library for the NTLM and Kerberos authentication. This library has a limitation that it needs to be bound to a different port than the main application itself.


Partner

Re: Why does Qlik insist on a separate port

I guess the library does not support Microsoft's 'Net.Tcp Port Sharing Service', even though it's written in .NET.

And Qlik's NodeJS code would also need this feature, or relay the requests to 4244. Ah, well.

I take this answer to mean that there are no security issues that I've overlooked, if I put a reverse proxy on 443, relaying the requests to Qlik's 443, and the NTLM module on port 4244.
Thank you for an informative reply!

Employee

Re: Why does Qlik insist on a separate port

Exactly, you can add a reverse proxy to enable a single-port interface towards the client side.

As you mention, a reverse proxy is a solution to get HTTP-port-only communication towards the client side. The practical complication is more commonly on a load balancer, if it does not support port grouping to keep 443 and 4244 on the same Qlik Sense engine node.

There is no need to be concerned about security due to the port redirect.
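
The load balancer complication mentioned in the last reply, as an added example that is not part of the original thread: a small simulation in which per-port balancing sends one client's 443 and 4244 connections to different nodes, while a choice based only on the client address keeps them together. The node names, client addresses and connection order are constructed, and source-address hashing is only one assumed way to get port grouping.

```python
import hashlib
from itertools import cycle

NODES = ["node-a", "node-b", "node-c"]   # hypothetical Qlik Sense nodes
PORTS = (443, 4244)                      # main HTTPS port and authentication port

# Constructed connection log: (client address, destination port), in arrival order.
CONNECTIONS = [
    ("10.0.0.11", 443),
    ("10.0.0.12", 443),
    ("10.0.0.12", 4244),
    ("10.0.0.11", 4244),
    ("10.0.0.13", 443),
    ("10.0.0.13", 4244),
]


class PerPortRoundRobin:
    """Each listener port rotates through the nodes on its own (no port grouping)."""

    def __init__(self, nodes):
        self._rotation = {port: cycle(nodes) for port in PORTS}

    def pick(self, client_ip, port):
        return next(self._rotation[port])


class SourceAffinity:
    """Port grouping: the node depends only on the client address, not the port."""

    def __init__(self, nodes):
        self._nodes = list(nodes)

    def pick(self, client_ip, port):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self._nodes[int.from_bytes(digest[:8], "big") % len(self._nodes)]


def split_clients(balancer, connections):
    """Return the clients whose 443 and 4244 connections reached different nodes."""
    nodes_seen = {}
    for client_ip, port in connections:
        nodes_seen.setdefault(client_ip, set()).add(balancer.pick(client_ip, port))
    return sorted(ip for ip, nodes in nodes_seen.items() if len(nodes) > 1)


if __name__ == "__main__":
    print("per-port round robin:", split_clients(PerPortRoundRobin(NODES), CONNECTIONS))
    print("source affinity:     ", split_clients(SourceAffinity(NODES), CONNECTIONS))
```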