we are searching a best practice to setup our QlikView system (DMZ/Intranet).
We have two networks, a DMZ and an intranet. Our databases (infrastructure resource) are only accessible from the intranet and aren't accessible from the DMZ regarding security reasons. The clients should only be able to access to the QVWS or the IIS from internet. All other services should operate in the intranet only (QVS/QVP).
Is it possible to setup this?
Is this a recommended setup?
Which firewall rules do we have to create?
Thanks for your support.
On LAN :
QlikView Publisher [if you use it]
QlikView Web Server [for LAN base clients]
QlikView Web Server [for external client over the internet]
See for QlikView Ports for ports used to sort firewall.
You can setup a system in the DMZ and use publisher to publish the reports to that machine.
thank's for your answer. So it's possible only to push the reports to the webserver in the DMZ so i have not to allow communication from the DMZ to the intranet? How are user rights handled on the webserver with this setup? Is there a special configuration for that?
okay, but which communication directions do you allow? We only want to allow communication from the intranet to the dmz not from the dmz to the intranet (except stateful communication). Does this work with AD?
If you do not allow communications for the DMZ to your internal LAN then it won't work.
Unless you decide to use proprietary authentication and also host a QV Server and your qvw's in the DMZ which would be extremely insecure and not something I would ever do myself.
You can use the local directory for the QVS server to host the users.