19 Replies Latest reply: Oct 21, 2013 8:25 AM by Bill Britt RSS

    How to setup QV Webserver in DMZ mode

    Jeroen Jordaan

      Hi All,
      I have little knowledge of firewalls and such, but can anyone tell me how to setup a QlikView Web Server in DMZ mode? Is there perhaps a guide and what are the requirements?
      We are running a SB Edition of QlikView Server and I want to access severall QV documents outside our domain without a VPN connection.
      Thx for youre help.

          • How to setup QV Webserver in DMZ mode
            Jeroen Jordaan

            We are using V10 but a customer want it also and the are using V11

              • How to setup QV Webserver in DMZ mode

                The main difficulty is to set authentication between the 2 servers and documents authorizations.

                 

                V11: You have to use DMS and custom users

                 

                 

                - Check port 4747 and 4750 are opened on your firewall between QVWS (DMZ) and QVS

                 

                - Install QVWS (custom installation) on DMZ server

                (if you want to use IIS instead if QVWS, install IIS support or start Qv settings service)

                 

                - In QEMC :

                 

                     - add your web server (http://<yourwebserver>:4750/QVWS/Service)

                 

                     - set DMS authorization instead of NTFS in System/Setup/Qlikview Servers/Security tab

                 

                     - set Custom users in System/Setup/Qlikview Web Servers/QVWS@<yourwebserver>/Authentication/type

                 

                     - create users in System/Setup/DSC/Custom Directory

                 

                     - In Documents Grant Documents access authorisations to users

                 

                 

                V10 : almost the same procedure excepted you can use local users or custom users

                  • Re: How to setup QV Webserver in DMZ mode

                    I need to know what to use in Custom Directory Path when trying to add new cutom users- the step before the last in your guide-. I get a default value like "Custom". But I get time-out when I use it. Do you know what we should use there?

                      • Re: How to setup QV Webserver in DMZ mode
                        Miguel Angel Baeyens de Arce

                        Hi Adel,

                         

                        Are you running a QlikView Enterprise Edition license of Server? Otherwise, you will only be able to use NTLM and NTFS, so no possiblity to use Custom directories here.

                         

                        If you are using the EE, then the QMC should allow you to create users and groups that will be stored into an XML file and controlled by QlikView, and not by the OS. That's OK if you have a very small number of users (less than 10). This is not intented to replace LDAP, IBM Tivoli, Windows AD, or any other security directory in the market.

                         

                        Hope that helps.

                         

                        Miguel

                          • Re: How to setup QV Webserver in DMZ mode

                            We have EE license. Can you help me in how to register users and groups in QMC?

                            We have plans to use LDAP in the future but for now LDAP is not ready for that yet and we have to do it manually.

                              • Re: How to setup QV Webserver in DMZ mode
                                Miguel Angel Baeyens de Arce

                                Hi Adel,

                                 

                                Follow these steps:

                                • QMC, System, Setup, QlikView Server, Security, Authorization, DMS
                                • Go back to the Setup, Directory Service Connectors, Custom Directory
                                • Click on the green plus icon, and add a new group, you can name it as you want, and set any administrator password you want: these users have nothing to do with actual security users in the LDAP or active directory.
                                • Click Apply, the Custom directory is now created.
                                • In the Users tab, click on the green plus icon to add users or groups, set passwords and so.

                                Remember to click Apply after each action you do!

                                 

                                Hope that helps.

                                 

                                Miguel

                                  • Re: How to setup QV Webserver in DMZ mode

                                    Thanks for your kind reply Miguel. But I still have the same error when I try to add something in step 3 above. I have no idea what I need to fill as Path.

                                     

                                    I get this error:

                                    "

                                    DSC did not respond to request.

                                    Last exception (for http://qlikpub1:4730/DSC/Service): The request channel timed out while waiting for a reply after 00:00:30. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.

                                    "

                                    If I leave the path empty I get "Enter a path in order to save the changes" which means I need a valid path here.

                                    What is the valid path?

                                    • Re: How to setup QV Webserver in DMZ mode

                                      Dear @Miguel_Angel_Baeyens

                                       

                                      I am trying to implement webserver in DMZ. I have an EE QV Server License.

                                      Below is my configuration

                                      INTRANET:
                                      QVS in NTFS
                                      QDS
                                      DSC
                                      QMC
                                      QVWS in NTLM (http and port 80)

                                      DMZ SERVER:
                                      only QVWS installed and authentication set as NTLM
                                      QVWS pointing to above QVS and above DSC in QMC in QV Server
                                      (HTTPS and 443, server certificate configured)

                                      From Intranet, It is working fine and AD users are able to login and open QV Documents.

                                      From Internet, I am able to open the URL from Internet. But only Local users of DMZ Server Machine are able to login and not the AD users.

                                      Can you help me if i am technically correct or not.
                                      Is it possible to enable AD user access through DMZ. Can you guide me on the configuration


                                        • Re: How to setup QV Webserver in DMZ mode

                                          Hi Santosh.

                                           

                                          In the last months my team tried to implement the same architecture you're describing, and we had several calls and "demo sessions" with QlikView Support.

                                           

                                          In the end It came out that the DMZ QVWS cannot authenticate the users against the AD because it does not belong to the internal network (where the AD is).

                                           

                                          The only way would be to "duplicate" the AD in the DMZ:

                                           

                                          img.jpg

                                           

                                          The alternative we are now looking for is to use Neoteris or F5 as reverse proxy.

                                           

                                          Hope this helps.

                                           

                                          Best Regards,

                                          Fabrizio

                                    • Re: How to setup QV Webserver in DMZ mode

                                      Help needed for QV 11.2 Enterprise edition.

                                       

                                      Requirement is to make the accessible from Internet with https:// URL by having qlikview webserver in the dmz zone. For internal users , do I need to have another qlikview webserver installed on the actual machine where QVS is installed along with other services. ?? For this also the communication needs to be secured.

                                       

                                      Q2) Assuming I have two webservers one on dmz and one in qv server machine. Both needing to be secured communication. Can I hport enable port 443 and 80 for that purpose. If so, can some one explain how many SSL certificates need to be configured and on what machines?

                                       

                                      Q3) if I add qlikview webserver on the dmz in qemc, the are some folder paths in the webserver settings tab. Like c:\programdata\ qlikview \webserver etc

                                      For the new webserver that I add in qemc , should I change these path names to say

                                      \\170.45. 2.1\C:\programdata\qlikview\webserver ?, where 170.45.2.1 is the ip address of the server in the DMZ

                                      I am not sure if this right.

                                       

                                      I am sorry for these questions, we don't have a development server or a test server to try settings. I have to do on production with a down time of 2 days. Request your kind help please

                                       

                                      Regards,

                                      Santosh

                            • Re: How to setup QV Webserver in DMZ mode

                              Hi.

                               

                              If the QVWS is in the DMZ and QVS in the Intranet, is using DMS and custom users the only option?

                               

                              Cannot the QVWS simply pass the credentials to the QVS and that will use Active Directory to validate the user's credentials?

                               

                              We have users that travel around the world and need to access some reports hosted by our internal QVS.

                              The idea is to let them use their domain users in the form of DOMAIN\user and get Active Driectory to do the authentication.

                               

                              Thanks

                              Fabrizio