Quick guide to configure IIS as a Reverse Proxy with HTTPS and Qlik Sense

 
NOTE: Qlik does NOT support IIS or its features / installation. This documentation is only for testing and use as a possible base for configuration. Anything not shown in the steps are considered default and no extra settings need to be applied/modified. Any issues with IIS or its configuration / use will need to be brought to the attention of Microsoft or the environments proper IT support team.
 
We CANNOT guarantee this will work in every environment, due to Corporate/IT policies. Use this information at your own discretion.
 
Environment:

• Central Node: qlikserver1.domainl.local
• IIS / Reverse Proxy: qlikserver2.domain.local
• Firewalls are OFF
• Single Domain
• Clean Environment and Open / Non-restrictive Group Policies
• OS: Windows 2012 R2
• Qlik Sense: November 2017

Items Required:

• Valid and trusted 3^rd party certificate chain for both the Qlik Sense Proxy server AND the IIS Reverse Proxy server
  • These certificates must be exportable, have the Private Key and the full certificate chain (including the Trusted Root)
  • These should be provided and installed prior to configuring the IIS Reverse Proxy
    • They CAN be installed after, but for this documentation they should already be in the environment.
  • Instructions on importing / installing the certificates for Qlik Sense and  the IIS server are located at the end of the documentation (Installing a 3rd Party certificate with its Trusted Root)
    • ​Example: TinyCerts.org – You can create your own CA and then certificates against that CA for any server name requested. Note: This option requires less steps in the long run, but would need to have access to a Certificate Authority and it prepared ahead of time.
  • NOTE:  This test will NOT work if these are not provided and installed correctly
• IIS8 or later
  • Due to WebSocket connections not being supported in earlier versions
• The Virtual proxy used for testing has the IIS machines Server Name / FQDN / IP / Alias / Vanity URL in the Host white list (Review Step 8-A below for more information)
• Windows Active Directory – Authentication
  • The virtual proxy used for these instructions must be configured to use Windows authentication (not SAML/JWT/Forms/Header)

 

1. Add Roles and Features 
   1. Install the Server Roles - Web Server (IIS) ​
      1. ​
   2. Continue and install the Role services for IIS​
      1. ​
   3. Finish the installation
      1.  ​
2. Go here (http://blogs.technet.com/b/erezs_iis_blog/archive/2013/11/27/installing-arr-manually-without-webpi.aspx) and follow the steps for downloading and installing the: 
   1. Web Farm Framework module
   2. External cache module
   3. URL Rewrite Module
   4. ARR
      1. NOTE: Links directly to these downloads will not be provided. The referenced blog provides them (as of 12/1/17) and were used in documentation. Microsoft Web Platform Installer (https://www.microsoft.com/web/downloads/platform.aspx) can be used to download the required components. Use your own discretion on how you download and install these IIS modules.
3. Return to the Add Roles and Features and activate WebSocket Protocol
   1.  
      1. Finish the Installation of IIS with the proper Roles
4. Run the Information services  (IIS) Manager
   1. Click on the Server and select Application Request Routing Cache
      1. ​
   2. Select Server Proxy Settings under Actions  - Proxy on the right side Activate the proxy by checking the box “Enable proxy”
      1. 
   3. Activate the proxy by checking the box “Enable proxy”
      1. 
5. Select the URL Rewrite under Actions – Advanced Routing
   1.  
      1. Click Add Rule(s) under Actions and select a Blank rule template
         1. 
      2. Name the rule QlikReverseProxyAll 
         1. 
            1. Add "(.*)" under Pattern
            2. Set "https://qlikserver1.domain.local/{R:0}" (NOTE: Use your own Qlik Sense Proxy URL) under Rewrite URL
      3. Create another rule named AuthForwarding
         1. ​ 
            1. Add “/windows_authentication/” under Pattern.
            2. Set "https://qlikserver1.domain.local:4244/{R:0}" (NOTE: Use your own Qlik Sense Proxy URL) under Rewrite URL
      4. URL Rewrite should have two entries for Qlik Sense
         1. NOTE: As of Qlik Sense February 2018, the Port 4244 / AuthForwarding is NO longer needed for Windows Authentication and is NOT needed for any other authentication types (SAML / Header). This port has been made internal and doesn't need to be addressed by the Proxy. 
         2. 
6. Bind the valid and trusted 3^rd Party Certificate to IIS for HTTPS AND Port 443 (NOTE: This is not a Qlik operation)
   1. 
7. Verify that the Proxy server (qlikserver1.domain.local) has a certificate that trusts the certificate now bound and used by the IIS Reverse Proxy
   1. NOTE: In this example we are using the same CA, with the same Trusted Root and the certificates are set for the two machines FQDN. This is not within Qlik control to give instructions on the exact setup and allowed actions within individual environments for this process.
   2. Example error in Chrome if IIS has a valid 3^rd party Certificate, but Qlik Sense does not
      1. 
8. Attempt and verify by logging into the Hub using the IIS server name
   1. 
      1. NOTE: If you did not add the IIS server (Name/FQDN/IP) to the Host white list for the Virtual Proxy that you’re connecting to, it will fail with a similar image. (Example shows HTTP, but the same will happen for HTTPS)
         1. 
            1. You can mitigate this by adding the domain suffix.
               1. 
            2. In the example above you can see domain.local is added to fix the issue. This is because the URL does not originate from the Central, but from the IIS / Reverse Proxy server, so it doesn’t trust it. Adding the domain.local will trust any URL with domain.local in it. If you used an IP, it would fail as well due to this virtual proxy not trusting it. NOTE: Adding the server name/DNS Alias/IP/Vanity URL to this section should added when using Reverse Proxies as they will not be trusted by default.

 
Installing a 3^rd Party certificate with its Trusted Root:
Install/import a valid certificate for the IIS Reverse Proxy server with a Trusted Root from a Certificate Authority. This will be used to make sure both the SSL certificate bound to the Qlik Sense Proxy and IIS to trust each other.

The images below are from a .PFX file that has both the Local Computer – Personal certificate for the FQDN of DC1.domain.local and the Trusted Root certificate. When imported or installed it will place both certificates in their proper locations.

NOTE: You may receive the certificate in a different format, please review with your CA / IT team to understand how to install and configure the certificates within your environments if these directions are not applicable

NOTE 2: The manual installation steps are below. These same steps can be used to import or install the certificate on both the Sense and IIS environments (this is not a Qlik specific operation).

https://help.qlik.com/en-US/sense/November2017/Subsystems/ManagementConsole/Content/change-to-signed-server-proxy-certificate.htm - States how to apply the new HTTPS/SSL thumbprint to the Proxy server on Qlik Sense.



 






Confirm the certificate is installed correctly:
 




Import the certificate

1. Launch Microsoft Management Console (mmc.exe) on the Proxy node
2. In the MMC, go to File > Add / Remove Snap-in...
3. Select Certificates and click Add
4. Select Computer account, click Next, select Local computer and click Finish
5. In the MMC, go to Certificates (Local Computer)/Personal
6. In the MMC, go to Actions > All Tasks > Import...
7. Browse to the certificate file provided to you from your CA / Export from the QMC
8. Follow the instructions on the screen to import the certificate, including the private key
9. Verify the new certificate has been imported into Certificates (Local Computer) > Personal > Certificates and that it contains a private key
   1. Viewing the certificate when installed should have this entry:
10. Follow the same steps to for the Trusted Root, but place it in Certificates (Local Computer) > Trusted Root Certification > Certificates 

 
(More Generic information and steps: https://help.qlik.com/en-US/sense/November2017/Subsystems/ManagementConsole/Content/change-proxy-certificate.htm)

Note: For Logout Functionality, review article Qlik Sense: Logout button not working when accessing through a reverse proxy