3 Replies. Latest reply: Nov 14, 2017 3:45 PM by Toni Kautto

    Why does Qlik insist on a separate port

    Vegard Bakke

      Qlik Sense uses port 4244 to enable Windows authentication over HTTPS, and not the standard 443.


      Is there a security reason why they cannot share the standard 442 port?


      It's all behind the Qlik Proxy, which could relay 443 to 4244 for authentication paths, so I cannot see that there is a technical reason for requiring two different ports. (Apart from not prioritising the resources to implement this in the Qlik proxy.)



      Or to rephrase the question:

      Is there any security issue with adding a 3rd party reverse proxy in front of Qlik that translates and redirects between 4244 and 443 for authentication purposes?


      Anyone got any idea? Either one way or the other?

      PS I know no more than one process can listen at a given port. So that's an initial technical reason. But hopefully not the whole answer.

        • Re: Why does Qlik insist on a separate port
          Toni Kautto

          It is correct that there is no theoretical requirement to use a separate port for authentication. In this case the reason is that Qlik Sense relies on a standard .NET library for the NTLM and Kerberos authentication. This library has a limitation that it needs to be bound to a different port than the main application itself.

            • Re: Why does Qlik insist on a separate port
              Vegard Bakke

              I guess the library does not support Microsoft's 'Net.Tcp Port Sharing Service', even though it's written in .NET.

              And Qlik's Node.js code would also need this feature, or relay the requests to 4244. Ah, well.

              I take this answer to mean that there are no security issues that I've overlooked, if I put a reverse proxy on 443, relaying the requests to Qlik's 443, and the NTLM-module on port 4244.

              Thank you for an informative reply!

                • Re: Why does Qlik insist on a separate port
                  Toni Kautto

                  Exactly, you can add a reverse proxy to enable a single-port interface towards the client side.

                  As you mention, a reverse proxy is a solution to get HTTP-port-only communication towards the client side. The practical complication is more commonly on a load balancer, if it does not support port grouping to keep 443 and 4244 on the same Qlik Sense engine node.

                  There is no need to be concerned about security due to the port redirect.