Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
May 11, 2021 7:07:39 AM
Dec 8, 2017 4:10:58 PM
Qlik Sense Enterprise on Windows
This documentation is only for testing and use as a possible base for configuration. Anything not shown in the steps are considered default and no extra settings need to be applied/modified. Any issues with IIS or its configuration/use will need to be brought to the attention of Microsoft or the environments proper IT support team. Qlik does NOT support IIS nor its features/installation.
It is not guaranteed this will work in every environment, due to Corporate/IT policies. Use this information at your own discretion.
! The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Items Required:
Set https://qlikserver1.domain.local/{R:0} (NOTE: Use your own Qlik Sense Proxy URL) under Rewrite URL
Add (.*) under Pattern
Click on Apply under the Actions pane, then on Back to Rules.
NOTE: If you did not add the IIS server (Name/FQDN/IP) to the Host white list for the Virtual Proxy that you’re connecting to, it will fail with a similar image. (Example shows HTTP, but the same will happen for HTTPS)
You can mitigate this by adding the domain suffix.
Installing a 3rd Party certificate with its Trusted Root:
Install/import a valid certificate for the IIS Reverse Proxy server with a Trusted Root from a Certificate Authority. This will be used to make sure both the SSL certificate bound to the Qlik Sense Proxy and IIS to trust each other.
The images below are from a .PFX file that has both the Local Computer – Personal certificate for the FQDN of DC1.domain.local and the Trusted Root certificate. When imported or installed it will place both certificates in their proper locations.
NOTE: You may receive the certificate in a different format, please review with your CA / IT team to understand how to install and configure the certificates within your environments if these directions are not applicable
NOTE 2: The manual installation steps are below. These same steps can be used to import or install the certificate on both the Sense and IIS environments (this is not a Qlik specific operation).
https://help.qlik.com/en-US/sense/November2017/Subsystems/ManagementConsole/Content/change-to-signed... - States how to apply the new HTTPS/SSL thumbprint to the Proxy server on Qlik Sense.
Import the certificate
(More Generic information and steps: https://help.qlik.com/en-US/sense/November2017/Subsystems/ManagementConsole/Content/change-proxy-cer...)
Hi @pbr , thank you for this great article !
in the prerequesites, you mentioned
does it mean it is not possible to use this with SAML authentication ?
Best regards
Joh
@jchoucq This was configured for an older version of Qlik Sense where another Port was needed for Windows Authentication (4244). The documentation was originally created for that Auth Method and wouldn't work for others with that excerpt there to note the point.
However, since Sense no longer uses it, the instructions should work for most authentication methods when using Step 12-b, depending on different factors such as where and how the auth module is located and accessed.
I did a quick test using the above instructions on Feb 2021 of Qlik Sense and did not need the Websocket URL Rewrite entry. The only stipulation is I could not log into Windows Authentication while local to the the Qlik Sense server (QlikServer1.domain.local) and would loop the browser login dialog. However, External worked for both URLs: QlikServer6.domain.local and QlikSense.domain.local, including from DC1. QlikServer6 is where the below screenshot is from and is what is running IIS in this environment.
--
SAML: This will work for Windows and Header (depending on injection method) at least, but SAML will likely fail due to the Reverse Rewrite Response Header forcing the IdP Redirect URL to be masked as well.
IE: https://qliksense.domain.local/saml will attempt to call to https://qliksense.domain.local/adfs/ls/?SAMLRequest= which is incorrect as the actual IdP URL call would be https://dc1.domain.local/adfs/ls/?SAMLRequest= where the AD FS is installed.
To fix this issue there's a few ways, but a simple one I found for testing is disabling the "Reverse rewrite host in response headers" under the Application Request Routing and performing:
%WINDIR%\System32\inetsrv\appcmd.exe set config -section:system.webServer/proxy /preserveHostHeader:"True" /commit:apphost
https://serverfault.com/questions/874780/net-issue-on-adfs-sso-behind-a-reverse-proxy
Note: This worked local from QlikServer1 without any issue unlike Windows.
--
Depending on Security concerns and needs, there's other ways to perform this as noted through the Response Headers - https://steveoams.com/blog/qlik-sense-reverse-proxy-config-for-iis and documented methods through Microsoft - https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/modifying-http-response-headers
Depending on the need, the Pattern could be different than (.*).
https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/creating-rewrite-rules-for-the-ur...
https://nicolas.guelpa.me/blog/2015/02/21/rewrite-redirect-iis.html
https://www.yaplex.com/blog/examples-of-my-most-useful-iis-rewrite-rules
Note: "Stop processing of subsequent rules" may need to be checked or unchecked depending on other rules, but for testing purposes, either / or works if there's no others.
Hope this helps!
thanks a lot @pbr for all these details on this specific subject which is clearly not easy for me 😉
Thanks again !