The main difficulty is to set authentication between the 2 servers and documents authorizations.
V11: You have to use DMS and custom users
- Check port 4747 and 4750 are opened on your firewall between QVWS (DMZ) and QVS
- Install QVWS (custom installation) on DMZ server
(if you want to use IIS instead if QVWS, install IIS support or start Qv settings service)
- In QEMC :
- add your web server (http://<yourwebserver>:4750/QVWS/Service)
- set DMS authorization instead of NTFS in System/Setup/Qlikview Servers/Security tab
- set Custom users in System/Setup/Qlikview Web Servers/QVWS@<yourwebserver>/Authentication/type
- create users in System/Setup/DSC/Custom Directory
- In Documents Grant Documents access authorisations to users
V10 : almost the same procedure excepted you can use local users or custom users
Are you running a QlikView Enterprise Edition license of Server? Otherwise, you will only be able to use NTLM and NTFS, so no possiblity to use Custom directories here.
If you are using the EE, then the QMC should allow you to create users and groups that will be stored into an XML file and controlled by QlikView, and not by the OS. That's OK if you have a very small number of users (less than 10). This is not intented to replace LDAP, IBM Tivoli, Windows AD, or any other security directory in the market.
Hope that helps.
Follow these steps:
- QMC, System, Setup, QlikView Server, Security, Authorization, DMS
- Go back to the Setup, Directory Service Connectors, Custom Directory
- Click on the green plus icon, and add a new group, you can name it as you want, and set any administrator password you want: these users have nothing to do with actual security users in the LDAP or active directory.
- Click Apply, the Custom directory is now created.
- In the Users tab, click on the green plus icon to add users or groups, set passwords and so.
Remember to click Apply after each action you do!
Hope that helps.
Thanks for your kind reply Miguel. But I still have the same error when I try to add something in step 3 above. I have no idea what I need to fill as Path.
I get this error:
DSC did not respond to request.
Last exception (for http://qlikpub1:4730/DSC/Service): The request channel timed out while waiting for a reply after 00:00:30. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.
If I leave the path empty I get "Enter a path in order to save the changes" which means I need a valid path here.
What is the valid path?
Make sure your license allows you to use Custom and DMS, and make sure DMS is set in the QlikView Server, Security tab. Make sure as well that port 4730 (if not the whole firewall) is open between that computer and the computer that hosts the DSC. If you have a proxy, you will need to add an exception to that port as well.
"Path" is the equivalent to "domain" in Active directory, you can set any small word here, i. e.: CUSTOM Therefore, the custom users will be CUSTOM\Username1, CUSTOM\Username2, and so...
Hi Maguel and thanks again.
I found out that when I klick "Apply" button for the first time after doing a change I get the error I posted before which says: "DSC did not respond to request. ...", but when I klick the same button for a second time I get no error and everything is fine. Things update just as I expected.
The error talk about a 30 seconds timeout. Is it someting I can change? if yes, how?
Check that you have installed the correct version of .NET (3.5.1 until QliKView 10 SR4 and .NET Client and Extended profile from QlikView 10 SR4 and higher versions including 11).
Check in the Windows Services console that all services are running fine.
Finally, check that your proxy is not relaying or avoiding somehow your connection to the Server.
Hope that helps.
We have .net 4, Qlikview Server x64 SP1 version 11.0.11282.0
The server is a virtual one. I work from inside the server to exclude any network issues.
I am not wich services that should be up. I included a picture of all stopped services on the server maybe you can give an idea of which is need and which is not.
I am trying to implement webserver in DMZ. I have an EE QV Server License.
Below is my configuration
QVS in NTFS
QVWS in NTLM (http and port 80)
only QVWS installed and authentication set as NTLM
QVWS pointing to above QVS and above DSC in QMC in QV Server
(HTTPS and 443, server certificate configured)
From Intranet, It is working fine and AD users are able to login and open QV Documents.
From Internet, I am able to open the URL from Internet. But only Local users of DMZ Server Machine are able to login and not the AD users.
Can you help me if i am technically correct or not.
Is it possible to enable AD user access through DMZ. Can you guide me on the configuration
In the last months my team tried to implement the same architecture you're describing, and we had several calls and "demo sessions" with QlikView Support.
In the end It came out that the DMZ QVWS cannot authenticate the users against the AD because it does not belong to the internal network (where the AD is).
The only way would be to "duplicate" the AD in the DMZ:
The alternative we are now looking for is to use Neoteris or F5 as reverse proxy.
Hope this helps.
Help needed for QV 11.2 Enterprise edition.
Requirement is to make the accessible from Internet with https:// URL by having qlikview webserver in the dmz zone. For internal users , do I need to have another qlikview webserver installed on the actual machine where QVS is installed along with other services. ?? For this also the communication needs to be secured.
Q2) Assuming I have two webservers one on dmz and one in qv server machine. Both needing to be secured communication. Can I hport enable port 443 and 80 for that purpose. If so, can some one explain how many SSL certificates need to be configured and on what machines?
Q3) if I add qlikview webserver on the dmz in qemc, the are some folder paths in the webserver settings tab. Like c:\programdata\ qlikview \webserver etc
For the new webserver that I add in qemc , should I change these path names to say
\\170.45. 2.1\C:\programdata\qlikview\webserver ?, where 220.127.116.11 is the ip address of the server in the DMZ
I am not sure if this right.
I am sorry for these questions, we don't have a development server or a test server to try settings. I have to do on production with a down time of 2 days. Request your kind help please
If the QVWS is in the DMZ and QVS in the Intranet, is using DMS and custom users the only option?
Cannot the QVWS simply pass the credentials to the QVS and that will use Active Directory to validate the user's credentials?
We have users that travel around the world and need to access some reports hosted by our internal QVS.
The idea is to let them use their domain users in the form of DOMAIN\user and get Active Driectory to do the authentication.