When allowing external access to Qlik Sense, there are a handful of configuration steps needed on the server infrastructure to facilitate external access and potentially configuration steps needed on Qlik Sense itself.
For external access, the key questions are:
- What URL do you want users to use to access Qlik Sense? (e.g. https://ServerName.company.com vs. https://analytics.company.com)
- What type of authentication do you anticipate these external users to use?
- What kind of devices will those external users use? Do we need to have a third party certificate for seamless user access over HTTPS?
Routing & URL configuration:
, the main actionable steps are:
- If you want a friendly name for external (or internal) users, then you will need to follow up with your infrastructure / networking team to setup an appropriate DNS alias.
- If you to use a DNS alias then be sure to adjust the Virtual Proxy Whitelist for all Virtual Proxies which will be used by external users. See Error Message "An error occurred" When Connecting To Qlik Sense Hub for a walk through on how to adjust the Virtual Proxy Whitelist. In brief QMC > Virtual Proxies > Edit > Advanced > Host white list > Enter the DNS alias (e.g. analytics.company.com)
- There is no need to place the protocol prefix. So analytics.company.com is preferable over https://analytics.company.com
- Do remember this setting is on a per-virtual proxy basis. If you have multiple modes of authentication externally then this will be needed .
- Independent of the use of a DNS alias, you need to ensure that the appropriate ports are accessible externally.
- It is not uncommon for organizations to require that external users either access a server in a DMZ or to use a reverse proxy / network load balancer or other networking appliance at the edge of the network to allow users to access internal resources.
- Whether this is required or not is a question for the organization's infrastructure / networking team.
In order to determine which port(s) need to be accessible, the administrator needs to verify against the available ports list for the deployed Qlik Sense version.
See the Qlik Sense for administrators Help > Qlik Sense Enterprise on Windows Architecture > Ports
After determining the entry point at step 1 (DNS alias vs. servername), the administrator needs to determine what sort of SSL certificate is required.
- Do note that iOS devices have a restrictive list of third party certificates which are trusted by Apple. See iOS devices cannot open QlikSense Apps on the HUB for a link to the Apple KB which outlines which vendors are trusted on iOS devices
- Do note that certain browsers require additional attributes to be on the SSL certificate. See Chrome 58+ and SSL Certificates for a Chrome specific requirement of Subject Alternative Names
- After determining any requirements for the SSL certificate from the above bullet points, they need to follow up internally with their security / certificate resources to determine the steps for generating a CSR to request a certificate from third party certificate vendor.