IIRC, QlikView doesn't allow mixing authentication systems on the same web server.
Providing AD access to internet visitors should be pretty easy (although a bit insecure and not without a forced login dialog). Restricting the second web server in the DMZ to accept only custom users is doable as well (AD users will use the internal web server, and when on the road they could use VPN to enter the domain). But providing access to all of them from the same web server at the same time?
To start you need to have an Extranet license to allow users that are not in your AD to access from the internet. Customer users are not really used from more than testing and can't be used with other directory Service connectors.
You will need to develop some form of SSO solution for this.
Glad to know about the extranet license requirement.
For now, i'll be configuring to provide QlikView Accesspoint access to our AD users over internet.
I should have clarified earlier, but, we did create two Web Servers.
One for intranet usage and the other for internet usage.
The intranet usage Web Server is working fine and users are able to access QlikView access point.
The challenge I am facing is to securely provide access to these same users over the internet when they are outside the network through DMZ server.
You have mentioned two issues which I am concerned about:
1. Insecure (If its insecure, what would be the best practice approach?)
2. cannot getaway without a forced login dialog ( so, is SSO not possible? )
Aside from what Bill suggested, you can create a solution that uses IIS (in the DMZ) and client certificates. The SSO will happen because IIS can be configured to tie specific client certificates to specific AD users. As much secure as possible and without additional login prompts.
Good explanations and examples can be found on the community.