External Web Server - Authentication on AD? - Qlik Community

Anonymous · ‎2015-08-25

We are setting up a separate server outside the company firewall to house a QVWS to serve QlikView to users that are working remotely. We are doing this so they do not require a VPN to access QlikView. These are employees, therefore we are hopefully avoiding the whole conversation regarding extranet. This client is on SBE without publisher and uses active directory to authenticate their users. Obviously, the AD is behind the company firewall. We are using Digital Certificates to talk between the two machines.

The problem we are anticipating is authentication. Still using AD, is there a way for the new QVWS to authenticate the external users? If so, does anybody have some specific documentation on these methods?

Also, should we have 2 QVWS instances? I am thinking we might still need one to cover internal users and one for the external users.

Any advice on this is much appreciated.

Bill_Britt · ‎2015-08-25

HI,

You could put a read only AD in the DMZ and that would allow the external users to authenticate.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Anonymous · ‎2015-08-26

Thanks for the input Bill. I will see if we can get that to happen.

tonyiantorno · ‎2015-08-26

Hi Bill,

Can this be done without the use of QV Digital certificates setup between QVS and QVWS/IIS?

Looking forward to your response.

Thanks

Bill_Britt · ‎2015-08-27

Yes, but it would be more secure.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

tonyiantorno · ‎2015-08-27

Hi Bill,

The digital Certs that QlikView (SBE) installs among the QV Services(servers) are only applicable when you are using DMS? Is this why you need the read only AD if you are using NTLM?

Trying to make sense of it all.

Thanks again,

Tony

Bill_Britt · ‎2015-08-27

Hi,

No, with SBE you are not able to use DMS mode. The Certs are used for the services to communicate with each other. You need the AD to ID the users.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

tonyiantorno · ‎2015-08-27

Hi Bill,

So I need to setup Windows 2012 R2 Server with an RODC with QVWS/IIS running which sits in the DMZ. The RO DC communicates with the AD DC via the appropriate ports and then it will pass thru to the QVS and the QV Access Point page should open.

Your response is greatly appreciated,

Tony

Bill_Britt · ‎2015-08-27

Hi Tony,

Yes that is the way I would do it and you are not exposing the real AD. The certificate setup will secure the communication of the QV services talking to each other.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

tonyiantorno · ‎2015-08-28

HI Bill,

I will let you know how things go.

Thanks again!

Tony