When allowing external access to Qlik Sense, there are a handful of configuration steps needed on the server infrastructure to facilitate external access and potentially configuration steps needed on Qlik Sense itself.
For external access, the key questions are:
- What URL do you want users to use to access Qlik Sense? (e.g. https://ServerName.company.com vs. https://analytics.company.com)
- What type of authentication do you anticipate these external users to use?
- What kind of devices will those external users use? Do we need to have a third party certificate for seamless user access over HTTPS?
Routing & URL configuration:
, the main actionable steps are:
- If you want a friendly name for external (or internal) users, then you will need to follow up with your infrastructure / networking team to setup an appropriate DNS alias.
- If you to use a DNS alias then be sure to adjust the Virtual Proxy Whitelist for all Virtual Proxies which will be used by external users. See Error Message "An error occurred" When Connecting To Qlik Sense Hub for a walk through on how to adjust the Virtual Proxy Whitelist. In brief QMC > Virtual Proxies > Edit > Advanced > Host white list > Enter the DNS alias (e.g. analytics.company.com)
- There is no need to place the protocol prefix. So analytics.company.com is preferable over https://analytics.company.com
- Do remember this setting is on a per-virtual proxy basis. If you have multiple modes of authentication externally then this will be needed .
- Independent of the use of a DNS alias, you need to ensure that the appropriate ports are accessible externally.
- It is not uncommon for organizations to require that external users either access a server in a DMZ or to use a reverse proxy / network load balancer or other networking appliance at the edge of the network to allow users to access internal resources.
- Whether this is required or not is a question for the organization's infrastructure / networking team.
In order to determine which port(s) need to be accessible, the administrator needs to determine an answer to (2)
- When using standard Windows Authentication, the following ports are required to be accessible by default:
- HTTPS: 443 and 4244
- HTTP: 80 and 4248
- These ports can be customized in QMC > Proxies > Edit > Ports
- Do note that if using a networking device to tunnel users to Qlik Sense, that persistence needs to occur between these two ports used by Windows authentication so that sessions which come in via 443 can roll over to 4244 and back to 443. Speak to your administrators of the networking device for specifics on how to accomplish this for that particular device.
- When using all other forms of authentication, the HTTP or HTTPS port is all that is required. By default these values are 80 and 443 respectively.
After determining the entry point at step 1 (DNS alias vs. servername), the administrator needs to determine what sort of SSL certificate is required.
- Do note that iOS devices have a restrictive list of third party certificates which are trusted by Apple. See iOS devices cannot open QlikSense Apps on the HUB for a link to the Apple KB which outlines which vendors are trusted on iOS devices
- Do note that certain browsers require additional attributes to be on the SSL certificate. See Chrome 58+ and SSL Certificates for a Chrome specific requirement of Subject Alternative Names
- After determining any requirements for the SSL certificate from the above bullet points, they need to follow up internally with their security / certificate resources to determine the steps for generating a CSR to request a certificate from third party certificate vendor.