Re: DMZ Server Setup for AD users over Internet fr... - Qlik Community

Anonymous · ‎2015-08-20

Hi All,

We currently have users who can access QlikView dashboards over our intranet.

These users login with their Active Directory credentials.

We are using DMS authorization.

I am looking for a way to provide access to these users in Active Directory over the internet.

I am also looking for a way to provide access to the users over the internet who are not in our Active directory.

I would like to use our DMZ server to handle this.

So far, I have tried to follow others experiences on this forum but, been unsuccessful in configuring our DMZ server to accept AD users credentials to login to Access Point.

Please let me know, if possible a step-by-step approach ( screenshots are awesome )how I can acheive this.

(

However, I am able to create Users under System > Setup > Directory Service Connectors > Custom Directory > Users

Then, I copied ..\DirectoryServiceConnector\CustomDirectoryData.xml file from Server to Intranet Web Server directory.

I am able to successfully login over the internet using these User Credentials.

But, I dont think this is a sustainable approach when having a large number of Users.

)

Peter_Cammaert · ‎2015-08-20

IIRC, QlikView doesn't allow mixing authentication systems on the same web server.

Providing AD access to internet visitors should be pretty easy (although a bit insecure and not without a forced login dialog). Restricting the second web server in the DMZ to accept only custom users is doable as well (AD users will use the internal web server, and when on the road they could use VPN to enter the domain). But providing access to all of them from the same web server at the same time?

Bill_Britt · ‎2015-08-20

HI,

To start you need to have an Extranet license to allow users that are not in your AD to access from the internet. Customer users are not really used from more than testing and can't be used with other directory Service connectors.

You will need to develop some form of SSO solution for this.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Anonymous · ‎2015-08-25

Hi Bill,

Glad to know about the extranet license requirement.

For now, i'll be configuring to provide QlikView Accesspoint access to our AD users over internet.

Hi Peter,

I should have clarified earlier, but, we did create two Web Servers.

One for intranet usage and the other for internet usage.

The intranet usage Web Server is working fine and users are able to access QlikView access point.

The challenge I am facing is to securely provide access to these same users over the internet when they are outside the network through DMZ server.

You have mentioned two issues which I am concerned about:

1. Insecure (If its insecure, what would be the best practice approach?)

2. cannot getaway without a forced login dialog ( so, is SSO not possible? )

Bill_Britt · ‎2015-08-25

Hi,

The only want to get rid of the login prompt is to put the URL in the Trusted sites in IE on the Users side.

On the secured issues with the AD users, you can always but a Read Only AD server in the DMZ.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Peter_Cammaert · ‎2015-08-25

Aside from what Bill suggested, you can create a solution that uses IIS (in the DMZ) and client certificates. The SSO will happen because IIS can be configured to tie specific client certificates to specific AD users. As much secure as possible and without additional login prompts.

Good explanations and examples can be found on the community.

Peter

DMZ Server Setup for AD users over Internet from Outside the Network