Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
rothtd
Creator III
Creator III

QV 11 Service Architecture (3 servers)

Can any of you weigh in on where the Directory Service Connector service should reside in a 3 server architecture (QV 11 SR1)?

I would like the environment to look like this:

Target Architecture.png

From what I have read in the WhitePapers I should deploy the services like this:

Option 1:

Service Architecture 1.png

My issue is that the Directory Services Connector talks to Active Directory (obviously) so we need to be careful about firewall restrictions. Because we want to access this environment externally our network team wants this configuration:

Option 2:

Service Architecture 2.png

Do you have any thoughts regarding this? How are your environments configured?

Thanks in advance!

1 Solution

Accepted Solutions
danielrozental
Master II
Master II

Looks ok to me, there are no restrictions on how many directory services you can run, so you could actually run 3, one in each server.

Also, your NAS storage should be attached to a windows machine.

View solution in original post

9 Replies
danielrozental
Master II
Master II

Looks ok to me, there are no restrictions on how many directory services you can run, so you could actually run 3, one in each server.

Also, your NAS storage should be attached to a windows machine.

rothtd
Creator III
Creator III
Author

Thanks so much. I prefer option 2. Our storage is completely windows based so no worries there.

danielrozental
Master II
Master II

If you look at the "QV 11 Upgrade and Migration Document", really interesting document, they put the Directory Service with the Server.

I guess it's better for configuration or distribution tasks to take a little longer and have users access faster.

Besides, if your publisher server goes down users access will not be affected, so I'll go with option 1.

rothtd
Creator III
Creator III
Author

I appreciate your response. So option 1 was my origional choice, but our networking team wants option 2. We have a requirement to make QV externally available, so our networking team doesn't want the 'Presentation Servers' to talk to Active Directory. If we go with option 2 then the 'Preparation server' can be internal and allowed to speak to AD, while the presentation servers can be treated as external and can be restricted from talking to AD directly. I'm sure this security question is not uncommon - thoughts? Am I misunderstanding something here? I don't think QV Server and QV Web Server need to talk to the directory - correct?

Thanks - I appreciate your feedback!

danielrozental
Master II
Master II

I do believe QlikView Web Server would talk to the Directory to resolve group members if you do authorization by groups.

There's probably not going to be much difference either way.

rothtd
Creator III
Creator III
Author

I'm a little confused by your response - wouldn't QlikView Web Server utilize the Directory Connector to speak to the directory to resolve group members; and therefore the Web Server would not speak to the directory directly but rather through the Directory Connector? Are you saying the Windows OS on the web server would speak to Active Directory to resolve group memberships?

Thanks for your time!

danielrozental
Master II
Master II

Yes, sorry, I meant that the webserver would do the group resolution through the directory service connector.

rothtd
Creator III
Creator III
Author

Thanks!

rothtd
Creator III
Creator III
Author

As a follow up I deployed the Directory Services Connector on all three servers in the above diagram and this configuration is working well for me. I would suggest that others with the same configuration should do the same.