18 Replies Latest reply: Nov 20, 2014 6:38 PM by Chris Kahn

    dmz server configure

      Hi Guys,

       

      I would like to give users external access without VPN.

       

      I can connect from server A (internal QV server) to the dmz server > I added the dmz server in QMC and there is no error there.

      But when I open the accesspoint in the dmz server I get an error message: no server.

       

      - I've temporarily opened all ports between server A and the dmz server

      - selected in QMC the correct server to connect: QVS@serverA (accesspoint>serverconnection>name)

      - I've installed on the dmz only the webserver (no IIS)

       

      I did not configure any authorization, although I would like to use Active Directory also in the DMZ, but this will probably not work. My other option is local users on the dmz (or DMS settings, if it's possible to configure them only for the DMZ server and still use AD internally).

       

      But for some reason I cannot connect to server A.

       

      Am I missing something? (Could it be the login credentials in the services QlikView webservice or the login in the QMC?)

        • Re: dmz server configure
          Bill Britt

          Hi,

           

          Did you edit the Webserver config.xml file to point to the QlikView Server? It is located at C:\ProgramData\QlikTech\WebServer

           

          Bill

            • Re: dmz server configure

              Hi Bill,

               

              Thanks for your reply.

               

              I've looked into that config file. It also seems to point to the qlikview server. In the log files it tries to connect to server A but it fails.

               

              I did not edit the config file. What should I edit?

                • Re: Re: dmz server configure
                  Bill Britt

                  Hi,

                   

                  You will need to change

                   

                  <AddCluster>
                    <Name>QVS@qvlab</Name>
                    <LoadBalancing>CpuUsage</LoadBalancing>
                    <AlwaysTunnel>False</AlwaysTunnel>
                    <AddQvs>
                      <Machine>qvlab</Machine>
                      <Port>4747</Port>
                      <LinkMachineName>qvtest.net</LinkMachineName>
                      <Weight>1</Weight>
                      <Username />
                      <Password>Encrypted=DxdCGMWfOwU=</Password>
                    </AddQvs>
                  </AddCluster>

                   

                  To point to your QVS server.

                    • Re: dmz server configure

                      Hi Bill,

                       

                      It seems to be correct already. Probably by the changes I did in the QMC.

                      NL01is159 is Server A (where QlikView server is installed)

                      NL01sa010 is server B (The dmz server)

                      Do you see anything off in the config?

                       

                       

                       

                      <Config>
                        <ConfigVersion>11</ConfigVersion>
                        <DefaultUrl>http://_/</DefaultUrl>
                        <DefaultQvs>QVS@nl01is159</DefaultQvs>
                        <ConfigUrl>http://_:4750/QVWS/Service</ConfigUrl>
                        <TunnelUrl>/scripts/QVSTunnel.dll</TunnelUrl>
                        <QvsStatusUrl>/QvAJAXZfc/QvsStatus.aspx</QvsStatusUrl>
                        <LogLevel>Information</LogLevel>
                        <WriteStackTrace>False</WriteStackTrace>
                        <UseCompression>True</UseCompression>
                        <InstallationPath>C:\Program Files\QlikView\Server\Web Server</InstallationPath>
                        <QvsTimeout>60</QvsTimeout>
                        <QvsAuthenticationProt>Negotiate</QvsAuthenticationProt>
                        <QvpPort>-1</QvpPort>
                        <EnableUtilizationLogging>False</EnableUtilizationLogging>
                        <SessionCookieTimeOut>30</SessionCookieTimeOut>
                        <AddCluster>
                          <Name>QVS@nl01is159</Name>
                          <LoadBalancing>CpuUsage</LoadBalancing>
                          <AlwaysTunnel>False</AlwaysTunnel>
                          <AddQvs>
                            <Machine>nl01is159</Machine>
                            <Port>4747</Port>
                            <LinkMachineName>nl01is159</LinkMachineName>
                            <Weight>1</Weight>
                            <Username />
                            <Password>Encrypted=DxdCGMWfOwU=</Password>
                          </AddQvs>
                        </AddCluster>
                        <AddDSCCluster>
                          <CustomUserPort>4735</CustomUserPort>
                          <DirectoryServiceConnectorSettings>
                            <ID>ad31104b-f413-4623-b5ae-71352867396f</ID>
                            <Url>http://nl01is159:4730/DSC/Service</Url>
                            <Name>DSC@nl01is159</Name>
                            <Username>DxdCGMWfOwU=</Username>
                            <Password>DxdCGMWfOwU=</Password>
                            <LogLevel>Normal</LogLevel>
                            <ShowAlerts>true</ShowAlerts>
                          </DirectoryServiceConnectorSettings>
                        </AddDSCCluster>
                        <Authentication>
                          <AuthenticationLevel>Always</AuthenticationLevel>
                          <LoginAddress>/qlikview/login.htm</LoginAddress>
                          <LogoutAddress>logout.htm</LogoutAddress>
                          <GetTicket url="/QvAjaxZfc/GetTicket.aspx" />
                          <GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx" />
                          <HttpAuthentication url="https://_/scripts/GetTicket.asp" scheme="Basic" />
                          <HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="Ntlm" />
                        </Authentication>
                        <AccessPoint>
                          <Path>/QvAJAXZfc/AccessPoint.aspx</Path>
                          <AjaxClientPath>/QvAJAXZfc/opendoc.htm</AjaxClientPath>
                          <PluginClientPath>/QvPlugin/opendoc.htm</PluginClientPath>
                          <DefaultPreferedClient>Ajax</DefaultPreferedClient>
                          <DefaultView>Thumbnails</DefaultView>
                          <DefaultPagesize>12</DefaultPagesize>
                          <HighlightNotExecutedJobs>False</HighlightNotExecutedJobs>
                          <HighlightThresholdMinutes>60</HighlightThresholdMinutes>
                          <AllowCmdUrl>False</AllowCmdUrl>
                          <Target>_self</Target>
                          <RespectBrowsable>True</RespectBrowsable>
                          <SystemMessage />
                          <StatusRecheckInterval>60</StatusRecheckInterval>
                        </AccessPoint>
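
The flows the DMZ web server needs towards the internal network can be read out of its config.xml rather than opening every port between the two hosts. The Python below is an added example, not part of the original thread or Qlik's own tooling: it lists each QVS and DSC endpoint the file names and flags two things worth reviewing. The sample config is constructed (serverA is a placeholder host) and uses only element names that appear in the config posted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample shaped like the posted config.xml; "serverA" is a placeholder host.
SAMPLE_CONFIG = """<Config>
  <DefaultQvs>QVS@serverA</DefaultQvs>
  <AddCluster>
    <Name>QVS@serverA</Name>
    <AddQvs>
      <Machine>serverA</Machine>
      <Port>4747</Port>
    </AddQvs>
  </AddCluster>
  <AddDSCCluster>
    <DirectoryServiceConnectorSettings>
      <Url>http://serverA:4730/DSC/Service</Url>
    </DirectoryServiceConnectorSettings>
  </AddDSCCluster>
</Config>"""

def dsc_urls(root):
    """Non-empty DSC service URLs named in the config."""
    found = (d.findtext("Url", "").strip() for d in root.iter("DirectoryServiceConnectorSettings"))
    return [u for u in found if u]

def backend_flows(config_xml):
    """Sorted (host, tcp_port, role) tuples the web server must be allowed to reach."""
    root = ET.fromstring(config_xml)
    flows = set()
    for qvs in root.iter("AddQvs"):
        flows.add((qvs.findtext("Machine").strip().lower(), int(qvs.findtext("Port")), "QVS"))
    for url in dsc_urls(root):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        flows.add((parts.hostname, port, "DSC"))
    return sorted(flows)

def findings(config_xml):
    """Consistency and transport notes to review before exposing the host."""
    root = ET.fromstring(config_xml)
    notes = []
    clusters = {c.findtext("Name") for c in root.iter("AddCluster")}
    default = root.findtext("DefaultQvs")
    if default not in clusters:
        notes.append(f"DefaultQvs {default!r} matches no AddCluster name")
    notes += [f"DSC URL uses plain http: {u}" for u in dsc_urls(root) if urlsplit(u).scheme == "http"]
    return notes

if __name__ == "__main__":
    for line in backend_flows(SAMPLE_CONFIG) + findings(SAMPLE_CONFIG):
        print(line)
```

Each tuple it returns is one candidate allow rule from the DMZ host to the internal server; anything not listed can stay closed while troubleshooting.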

                • Re: dmz server configure

                  Hi Bill,

                   

                  Maybe you know this as well: currently I use local users on the DMZ server to access their QlikView documents.

                  This works great, but it will be hard to maintain 2 locals when the userbase grows. Also, the users need 2 credentials.

                   

                  Is it easy, without rebuilding an authorization page and procedure, to tunnel the AD authentication and authorization?

                   

                  Thanks again!

                    • Re: dmz server configure
                      Bill Britt

                      Hi,

                       

                      Yes, this should be able to be done. You would have to run the Server in DMS mode and create a director connector pointing to the server in the DMZ. Then when you distribute a QVW with publisher you would pick the user in either the DMZ or AD.

                       

                      Bill

                        • Re: dmz server configure

                          Bill,

                          I read the Microsoft AD FS 2.0 integration with QlikView 11 and I had a couple of questions that I'm hoping you can point me in the right direction for.


                          1. Do the ADFS services get installed on the web server or a separate server in the DMZ based on the following step?

                          How to setup your AD FS 2.0 Server

                          Use the following procedure to install the AD FS 2.0 software on your Member Server.

                          The AdfsSetup.exe installation package will install AD FS 2.0 and all the prerequisite

                          software components that it requires.

                           

                          2. If I have an external SSL from a public CA do I need to create a self signed cert?

                          How to create a new self-signed certificate

                          Attached to this document, you will find a Power Shell Script saved into a ZIP file called

                          makecert.zip. Please use the included Power Shell script in your Power Shell editor and

                          do the following:

                           

                          3. Since this is in the DMZ will I require an ADFS Proxy server in the DMZ and an ADFS server in my internal VLAN?
                        • Re: dmz server configure

                          Hi Jelco,

                           

                          I have the exact requirement as you have. Additionally, I also need to have a QVWS running on the QVS machine to serve internal users. Both the webservers need to be secured (https://).

                          Can you please tell me if you have implemented secured access and, if so, which certificates you have configured?

                           

                          Hi Bill, if you also can help please.

                           

                          Santosh

                        • Re: dmz server configure

                          You can also use certificates; this way you don't have to create a local account to impersonate an account created on the machine in the DMZ.

                          • Re: dmz server configure

                            @Santosh to work with https I've bound a wildcard certificate to port 443. You can find here how to do that: http://community.qlik.com/message/193912#193912

                             

                            I assume Andreas means client-based certificates. I don't want to use this because then I need to install something on all the clients.

                             

                            @Bill is there a guide or something on how to create the director connector or tunnel the AD through the dmz? I don't want to destroy my internal server distribution/authorization by doing something wrong :p