Quick guide to configure IIS as a Reverse Proxy with HTTPS and Qlik Sense

Environment:

Qlik Sense Enterprise on Windows 

This documentation is only for testing and use as a possible base for configuration. Anything not shown in the steps are considered default and no extra settings need to be applied/modified. Any issues with IIS or its configuration/use will need to be brought to the attention of Microsoft or the environments proper IT support team. Qlik does NOT support IIS nor its features/installation.
 
It is not guaranteed this will work in every environment, due to Corporate/IT policies. Use this information at your own discretion.

Environment:

• Central Node: qlikserver1.domainl.local
• IIS / Reverse Proxy: qlikserver2.domain.local
• Firewalls are OFF
• Single Domain
• Clean Environment and Open / Non-restrictive Group Policies
• OS: Windows 2012 R2, Windows 2016 Standard.
• Qlik Sense: November 2017, September 2020

! The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Items Required:

• Valid and trusted 3^rd party certificate chain for both the Qlik Sense Proxy server AND the IIS Reverse Proxy server
  • These certificates must be exportable, have the Private Key and the full certificate chain (including the Trusted Root)
  • These should be provided and installed prior to configuring the IIS Reverse Proxy
    • They CAN be installed after, but for this documentation they should already be in the environment.
  • Instructions on importing/installing the certificates for Qlik Sense and  the IIS server are located at the end of the documentation (Installing a 3rd Party certificate with its Trusted Root)
    • ​Example: TinyCerts.org – You can create your own CA and then certificates against that CA for any server name requested. Note: This option requires less steps but certificates issued via TinyCerts are not considered to be ready for production environments. Certificates issued by a Certificate Authority is recommended.
  • NOTE:  This test will NOT work if these are not provided and installed correctly
• IIS8 or later
  • Due to WebSocket connections not being supported in earlier versions
• The Virtual proxy used for testing has the IIS machines Server Name / FQDN / IP / Alias / Vanity URL in the Host white list (Review Step 8-A below for more information).
• Windows Active Directory – Authentication
  • The virtual proxy used for these instructions must be configured to use Windows authentication (not SAML/JWT/Forms/Header)

Steps

1. On the Windows Server, go to Add Roles and Features 
2. Install the Server Roles - Web Server (IIS)
   
   

    

3. Finish the installation.
4. Download and install AAR from Application Request Routing v3. Older environments may need to follow the steps under http://blogs.technet.com/b/erezs_iis_blog/archive/2013/11/27/installing-arr-manually-without-webpi.a... The following components are installed:
   1. Web Farm Framework module (not needed by ARR v3, see Microsoft Application Request Routing 3.0 (x64))
   2. External cache module
   3. URL Rewrite Module
   4. ARR
      NOTE: Links directly to these downloads will not be provided. The referenced blog provides them (as of 12/1/17) and were used in documentation. Microsoft Web Platform Installer (https://www.microsoft.com/web/downloads/platform.aspx) can be used to download the required components. Use your own discretion on how you download and install these IIS modules.
      
      
5. Return to the Add Roles and Features and activate WebSocket Protocol
   
   

    

6. Finish the Installation 
7. Run the Information Services (IIS) Manager
   1. Click on the Server and select Application Request Routing Cache
      
      

       

   2. Select Server Proxy Settings under Actions  - Proxy on the right side Activate the proxy by checking the box “Enable proxy”
      
      

       

   3. Activate the proxy by checking the box “Enable proxy”
      
      

       

8. Select the URL Rewrite under Actions – Advanced Routing
   
   
   
   
9. Click Add Rule(s) under Actions and select a Blank rule template. Name it QlikReverseProxyAll.
   
   
   

   1. Set https://qlikserver1.domain.local/{R:0} (NOTE: Use your own Qlik Sense Proxy URL) under Rewrite URL

   2. Add (.*) under Pattern

   3. Click on Apply under the Actions pane, then on Back to Rules.

10. Click Add Rule(s) under Actions and select a Blank rule template. Name the rule "WebSocket". Note that this rule is specially needed on newer versions of Qlik Sense where Websocket is used by default, and required to gain Hub access. Note: This rule works so long as the Subject Alternative Name used for the certificate used in binding on step 5 below has the Qlik Sense server name, NOT the proxy server name. So the DNS record (in this example qlikserver1.domain.local) needs to be updated to have the appropriate IP mapping (IP of the proxy server). The system's hosts file may be manipulated for testing, instead.
    
    
    1. Use Wildcards to match the pattern *hub/qrsData?reloadUri*
    2. Rewrite URL: wss://qlikserver1.domain.local/{R:0}
    3. Make sure to check Stop processing of subsequent rules
    4. Click on Apply under the Actions pane, then on Back to Rules.
       
       
11. Click Add Rule(s) under Actions and select a Blank rule template. Name the rule "AuthForwarding".
    
    NOTE: As of Qlik Sense February 2018, the Port 4244 / AuthForwarding is NO longer needed for Windows Authentication and is NOT needed for any other authentication types (SAML / Header). This port has been made internal and doesn't need to be addressed by the Proxy. 
    
    
    

     

    1. Add “/windows_authentication/” under Pattern.
    2. Set "https://qlikserver1.domain.local:4244/{R:0}" (NOTE: Use your own Qlik Sense Proxy URL) under Rewrite URL
    3. Click on Apply under the Actions pane, then on Back to Rules.
        
12.  URL Rewrite should have at least two entries for Qlik Sense. See scenarios below. For b, make sure WebSocket is moved to the top by selecting it and clicking on Move Up.
    1. Scenario on older versions of Qlik Sense:
       
       
       
       
    2. Scenario in newer versions of Qlik Sense: 
       
       

        

13. Bind the valid and trusted 3^rd Party Certificate to IIS for HTTPS AND Port 443 (NOTE: This is not a Qlik operation)
    
    

     

14. Verify that the Proxy server (qlikserver1.domain.local) has a certificate that trusts the certificate now bound and used by the IIS Reverse Proxy
    
    NOTE: In this example we are using the same CA, with the same Trusted Root and the certificates are set for the two machines FQDN. This is not within Qlik control to give instructions on the exact setup and allowed actions within individual environments for this process.
    
    
15. Attempt and verify by logging into the Hub using the IIS server name
    
    
     

    Updating Media
    

    
    NOTE: If you did not add the IIS server (Name/FQDN/IP) to the Host white list for the Virtual Proxy that you’re connecting to, it will fail with a similar image. (Example shows HTTP, but the same will happen for HTTPS)
    
    

    

    1. You can mitigate this by adding the domain suffix. 
       
       

       
       
       In the example above you can see domain.local is added to fix the issue. This is because the URL does not originate from the Central, but from the IIS / Reverse Proxy server, so it doesn’t trust it. Adding the domain.local will trust any URL with domain.local in it. If you used an IP, it would fail as well due to this virtual proxy not trusting it. NOTE: Adding the server name/DNS Alias/IP/Vanity URL to this section should added when using Reverse Proxies as they will not be trusted by default.

 Installing a 3^rd Party certificate with its Trusted Root:
Install/import a valid certificate for the IIS Reverse Proxy server with a Trusted Root from a Certificate Authority. This will be used to make sure both the SSL certificate bound to the Qlik Sense Proxy and IIS to trust each other.

The images below are from a .PFX file that has both the Local Computer – Personal certificate for the FQDN of DC1.domain.local and the Trusted Root certificate. When imported or installed it will place both certificates in their proper locations.

NOTE: You may receive the certificate in a different format, please review with your CA / IT team to understand how to install and configure the certificates within your environments if these directions are not applicable

NOTE 2: The manual installation steps are below. These same steps can be used to import or install the certificate on both the Sense and IIS environments (this is not a Qlik specific operation).

https://help.qlik.com/en-US/sense/November2017/Subsystems/ManagementConsole/Content/change-to-signed... - States how to apply the new HTTPS/SSL thumbprint to the Proxy server on Qlik Sense.

Import the certificate

1. Launch Microsoft Management Console (mmc.exe) on the Proxy node
2. In the MMC, go to File > Add / Remove Snap-in...
3. Select Certificates and click Add
4. Select Computer account, click Next, select Local computer and click Finish
5. In the MMC, go to Certificates (Local Computer)/Personal
6. In the MMC, go to Actions > All Tasks > Import...
7. Browse to the certificate file provided to you from your CA / Export from the QMC
8. Follow the instructions on the screen to import the certificate, including the private key
9. Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
   1. Viewing the certificate when installed should have this entry:
10. Follow the same steps to for the Trusted Root, but place it in Certificates (Local Computer) > Trusted Root Certification > Certificates 

 
(More Generic information and steps: https://help.qlik.com/en-US/sense/November2017/Subsystems/ManagementConsole/Content/change-proxy-cer...)