
Ports

Qlik Sense Enterprise uses ports to communicate between web browsers (users) and proxies, and between services in single and multi-node deployments.

Ports overview

The following tables are an overview of the ports used in a Qlik Sense deployment.

Communication ports
Service Inbound Outbound Internal only

Qlik Sense Proxy Service (QPS)

80 (HTTP)

443 (HTTPS)

4243 (REST API)

4239 (QRS websocket)

4242 (QRS REST API)

4747 (Engine)

4899 (Printing)

4900 (Broker)

4949 (Data profiling)

7070 (Logging service)

4244 (Windows authentication)

Qlik Sense Engine Service (QES)

4747 (QES listen port)

7070 (Logging service)

4748 (notifications from QRS)

Qlik Sense Repository Service (QRS)

4242 (REST API)

4239 (from QPS - websocket)

4444 (Setup API - inbound on rim nodes)

 

4242 (REST API)

4243 (Proxy REST API)

4444 (Setup API – outbound on central node)

4747 (Engine)

4748 (Engine notification API)

5050 (Scheduler manager API)

7070 (Logging service)

9200 (License Service)

4545 (Migration service)

4570 (Certificate unlock)

Qlik Sense Scheduler Service (QSS)

5050 (Manager REST API)

5151 (Worker REST API)

5252 (Monitoring API - optional)

4242 (QRS REST API)

7070 (Logging Service)

5050 (Worker to Manager)

5151 (Manager to Worker)

No additional ports.

Qlik Sense Repository Database (QRD)

4432 (default listen port for database connections)

- No additional ports.

Qlik Sense Printing service (QPR)

4899 (QPR listen port)

-

443 (Sense web server - proxy)

4242 (QRS REST API)

8088 (CEF debugging)

Qlik License Service

-

443 (HTTPS)

9200

Broker service

4900

3003 (Converter service)

4555 (Chart sharing)

4949 (Data profiling)

4950 (Precedents service)

5928 (QSE Event Processor)

9028 (Hub service)

9031 (Capability service)

9032 (About Service)

9041 (Connector registry proxy - server)

9051 (Connector registry proxy - desktop)

9054 (Precedents service)

9079 (Depgraph service)

9080 (Web extension service)

9081 (Qlik Notifier Service)

9082 (Qlik Mobility Registrar)

9090 (DownloadPrep)

9098 (On-demand app service)

21060 (Resource Distribution Service)

46277 (Deployment based warnings service)

64210 (Open source graph database layer used by Precedents service)

-
Data profiling service

4949 (listen port for REST API and websocket)

 

4242 (QRS REST API)

4747 (QES)

App Distribution Service -

5926

No additional ports.
Hybrid Deployment Service -

5927

No additional ports.
Hybrid Setup Console - HSC

5929

- No additional ports.
Logging Service

7080

7081

- -
Qlik Catalog Service

4850

- -
NL Parser Service

4952

- -

NL Broker Service

4951

- -
Other ports
Service Purpose

Qlik Sense Service Dispatcher (QSD)

Starts up the following services:

  • Qlik License Service
  • Broker service
  • Data profiling service
  • App Distribution Service
Note: To allow access to the file share, ensure that you open the Microsoft Windows SMB port 445.

Ports used internally within a node

The ports in the following table are used between Qlik Sense services that run on the same node. In most cases, the ports do not have to be open through any firewalls.

Internal ports
Service Port Direction Purpose
Converter Service 3003 Internal This port is used by the Converter Service which is utilized by QlikView converter.
QPS 4243 Inbound Qlik Sense Proxy Service (QPS) REST API listen port. If web ticketing is used for security, this port is used by the software or service that requests tickets for users. If the software or service is remote, this port needs to be open to the location from which it is called.
QRD 4432 Internal Default listen port for the Qlik Sense Repository Database (QRD). With shared persistence, this port is used to listen for connections from the Qlik Sense Repository Service (QRS).
Chart Sharing Service 4555 Internal This port is used by the Chart Sharing Service for chart sharing between Qlik Sense users. The service is launched and managed by the Qlik Sense Service Dispatcher (QSD) when required. This port uses HTTPS for communication.
QRS 4570 Internal Certificate password verification port, only used within multi-node sites by Qlik Sense Repository Services (QRSs) on rim nodes to receive the password that unlocks a distributed certificate. The port can only be accessed from localhost and it is closed immediately after the certificate has been unlocked. The communication is always unencrypted.

QES 4748 Internal This callback port is used by the Qlik Sense Repository Service (QRS) for sending HTTP events to the Qlik Sense Engine Service (QES).
Data Profiling Service 4949 Internal This port is used by the Data Profiling Service to access and modify the app load data model. It communicates directly with the Qlik Sense Engine Service (QES) on the node.
Broker Service 4900 Internal Default listen port for the Broker Service.
Hub Service 9028 Internal Default listen port for the Hub Service.
Capability Service 9031 Internal This port is used by the Capability Service to handle Qlik Sense system feature configuration.
About Service 9032 Internal Default listen port for inbound calls to the About Service.
Depgraph Service 9079 Internal This port is used by the Service Dispatcher launched microservices.
Web Extension Service 9080 Internal Default listen port for the Web Extension Service.
DownloadPrep 9090 Internal This port is used by the Service Dispatcher launched microservices.
On-demand App Service 9098 Internal Default listen port for the On-demand App Service.

Connector registry proxy (server) 9041 Internal This port is used by the distributed connectivity service for discovering and listing connectors.
Connector registry proxy (desktop) 9051 Internal This port is used by the distributed connectivity service for discovering and listing connectors.
Qlik Notifier Service 9081 Internal This port is used by the Qlik Notifier Service, which handles push notifications to mobile devices. It is installed on each node in a Qlik Sense Enterprise deployment.
Qlik Mobility Registrar 9082 Internal This port is used by the Qlik Mobility Registrar, which is installed on each node in a Qlik Sense Enterprise deployment.

Ports used from user web browser

The default ports are exposed to the Qlik Sense users and need to be open through any firewalls in the site.

Web browser ports
Service Port Direction Purpose Host
QPS 443 Inbound Inbound user web traffic when using HTTPS. Qlik Sense Proxy Service (QPS) in the site.
QPS 80 Inbound Inbound user web traffic when using HTTP (optional). Qlik Sense Proxy Service (QPS) in the site.
Map 443 Inbound User web traffic for standard map background. For users hosting their own map server, use the name of the host server. maps.qlikcloud.com
Map 443 Inbound User web traffic for satellite map background. services.arcgisonline.com

The following diagram shows the ports used for the communication between a web browser and a single node site.

The user's web browser connects to the Central node either on port 80 (http) or port 443 (https). The user's web browser connects to the Map Service on port 443 (https). Both of these connections are one-way connections. The Map service contains one Inbound port rule to allow Inbound traffic on port 443 (https). The Central node contains QSS, QRS, QSD, QPR, QPS, QRD, and QES. The Central node allows inbound traffic on port 80 (http) and port 443 (https).

Ports used between nodes and Qlik Sense services

The ports in this section are used for communication between the Qlik Sense services.

In a single node site, all ports listed in this section are used by the various services, but do not need access through firewalls.

In a multi-node site, the ports in use vary depending on the services installed and running on each node. The ports need to be open in any firewalls between the nodes, but do not have to be open to the Qlik Sense users.

Minimum ports used for communication in multi-node sites

The following ports must always be open between the nodes in a multi-node site. The ports must be open to allow for service health, and some specific operations.

Note: Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.
Service Port Direction Purpose
QRS 4242 Bi-directional between the central node and all proxy nodes This port is used for a number of operations including new user registration.
QRD 4432 Inbound from Qlik Sense nodes to the repository database The default listen port used by all nodes in a site for connecting to the Qlik Sense Repository Database.
QRS 4444 Between the central node and all rim nodes

This port has two functions:

  • Security distribution port, only used by Qlik Sense Repository Services (QRSs) on rim nodes to receive a certificate from the primary QRS on the central node. The communication is always unencrypted, but the transferred certificate package is password-protected.

  • Qlik Sense Repository Service (QRS) state port, used to fetch the state of a QRS in a Qlik Sense site. The state is fetched using http://localhost:4444/status/servicestate.

    The returned state is one of the following:

    • 0: Initializing. Once the node has been initialized, the node state changes into one of the other states.
    • 1: Certificates not installed. There are no certificates installed on the node. The node stays in this state until it has received the certificate and the certificate password.
    • 2: Running. The node is up and running and all APIs have been initiated.

Ports used between manager and worker schedulers

The ports in the following table are used when a worker Qlik Sense Scheduler Service (QSS) is used.

Ports between manager and worker schedulers
Service Port Direction Purpose
QSS 5050 Inbound (from scheduler nodes only) This port is used by the manager QSS on the central node to issue commands to and receive replies from worker QSS nodes.
QSS 5151 Inbound (from the central node only) A worker QSS runs on a worker scheduler node and is accessed only by the manager QSS on the central node.

Ports used between a proxy node and an engine node

The ports in the following table define the minimum needed to allow regular user traffic and load balancing between a proxy node and an engine node.

Ports between proxy and engine nodes
Service Port Direction Purpose
QES 4747 Inbound (from proxy nodes) Qlik Sense Engine Service (QES) listen port. This is the main port used by the QES. The port is used via the Qlik Sense Proxy Service (QPS) for communication with the Qlik Sense clients.
QRS 4239 Inbound (from proxy nodes) Qlik Sense Repository Service (QRS) WebSocket port. The port is used via the Qlik Sense Proxy Service (QPS) by the Qlik Sense hub to obtain apps and stream lists.
QRS 4242 Inbound (from proxy nodes) Qlik Sense Repository Service (QRS) REST API listen port. This port is mainly accessed by local Qlik Sense services. However, the port must be open to all proxy nodes in a multi-node site to deliver images and static content.
Data Profiling Service 4949 Inbound (from proxy nodes) This port is used by the Data Profiling Service when accessing and modifying the application load model. The service is launched and managed by the Qlik Sense Service Dispatcher (QSD) when required. The port is accessed via the Qlik Sense Proxy Service (QPS).

Broker Service 4900 Inbound (from proxy nodes) Default listen port for the Broker Service.
Hub Service 9028 Inbound (from proxy nodes) Default listen port for the Hub Service. Open for local services such as the broker service on the engine node.

Ports used between a proxy node and a node running the printing service

The Qlik Sense Printing Service (QPR) may be installed on the same node as other services or on a separate node. The ports in the following table must be accessible between a QPS and all QPRs to which the QPS can load balance traffic.

Ports between proxy and printing nodes
Service Port Direction Purpose
QPR 4899 Inbound (from proxy nodes) Qlik Sense Printing Service (QPR) port. This port is used for printed export in Qlik Sense. The port is accessed by any node that runs a QPS.
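
The node-to-node tables in this section translate directly into a firewall review. The following Python is an added example, not part of the Qlik documentation: it encodes the inbound ports from the tables above and flags rules that are wider than the tables require. The role labels, the rule tuple format and the sample rules are constructed for illustration, and the check assumes the repository database runs on the central node.

```python
# Added example: audit inbound firewall rules against the port tables on this page.
# Role labels and the (destination, port, source) tuple format are assumptions
# made for this example; they are not Qlik Sense configuration syntax.

RIM = {"proxy", "engine", "scheduler", "printing"}

# (destination role, port) -> source roles that the tables say need access.
ALLOWED = {
    ("proxy", 443): {"users"},         # QPS, HTTPS user traffic
    ("proxy", 80): {"users"},          # QPS, HTTP (optional)
    ("proxy", 4242): {"central"},      # QRS, bi-directional central <-> proxy
    ("central", 4242): {"proxy"},
    ("central", 4432): set(RIM),       # QRD, assumed to run on the central node
    ("central", 5050): {"scheduler"},  # manager QSS, from scheduler nodes only
    ("scheduler", 5151): {"central"},  # worker QSS, from the central node only
    ("engine", 4747): {"proxy"},       # QES listen port
    ("engine", 4239): {"proxy"},       # QRS WebSocket
    ("engine", 4242): {"proxy"},       # QRS REST API (images, static content)
    ("engine", 4949): {"proxy"},       # Data Profiling Service
    ("engine", 4900): {"proxy"},       # Broker Service
    ("engine", 9028): {"proxy"},       # Hub Service
    ("printing", 4899): {"proxy"},     # QPR
}
for _role in RIM:
    ALLOWED[(_role, 4444)] = {"central"}  # certificate distribution, unencrypted

# Ports the "Internal ports" table marks Internal and that no other table
# opens between nodes.
INTERNAL_ONLY = {3003, 4555, 4570, 4748, 9031, 9032, 9041, 9051,
                 9079, 9080, 9081, 9082, 9090, 9098}


def audit(rules):
    """Return (rule, reason) pairs for inbound rules wider than the tables."""
    findings = []
    for rule in rules:
        dest, port, source = rule
        if port in INTERNAL_ONLY:
            if source != "localhost":
                findings.append((rule, "same-node port opened to another host"))
            continue
        allowed = ALLOWED.get((dest, port))
        if allowed is None:
            findings.append((rule, "port not listed for this node role"))
        elif source == "any":
            # An any-source rule is acceptable only where end users connect.
            if "users" not in allowed:
                findings.append((rule, "any-source rule on a node-to-node port"))
        elif source not in allowed:
            expected = ", ".join(sorted(allowed))
            findings.append((rule, "source not listed; tables give " + expected))
    return findings


# Constructed sample ruleset: (destination role, port, source role).
SAMPLE_RULES = [
    ("proxy", 443, "users"),
    ("engine", 4747, "proxy"),
    ("engine", 4747, "any"),       # engine reachable from everywhere
    ("central", 4432, "users"),    # repository database exposed to users
    ("engine", 4570, "central"),   # certificate unlock port is localhost-only
    ("scheduler", 5151, "proxy"),  # worker QSS should accept only the central node
    ("engine", 4444, "central"),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(rule, "->", reason)
```

The minimum-ports table names only proxy nodes for 4242 on the central node; the example diagrams also show other rim nodes with outbound 4242, so widen that entry if your site needs it.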

Qlik Sense Desktop ports

The following ports are used by Qlik Sense Desktop.

Desktop ports
Component Port Direction
Qlik associative engine 9076 Internal
DataPrep Service 9072 Internal
Broker Service (Desktop) 4848 Internal/inbound
Capability Service 9075 Internal
About Service 9078 Internal
Broker Service 9070 Internal
NPrinting 9073 Internal
Hub Service 9071 Internal
Converter Service 9077 Internal
Dependency Graph Service 9033 Internal
Web Extension Service 9034 Internal
Connector Registry Proxy 9051 Internal
NL Broker Service 9055 Internal
NL Parser Service 9056 Internal

Qlik DataTransfer ports

Qlik DataTransfer uses the following ports:

Service Port Direction
Secure web browser communication (HTTPS) 443 Outbound
Note: You must open this port in your firewall.
Data Upload service 5505 Internal
Engine service 5506 Internal
Connector Registry proxy 5507 Internal

Ports examples

This section provides examples of the ports that are used in different Qlik Sense deployments.

Note: The diagrams in this section do not show all outbound proxy node ports. For a full list of proxy node ports see the Ports overview table.

Single node site

This example shows the ports that are used in a single node site.

The user's web browser connects to the Central node either on port 80 (http) or port 443 (https). The user's web browser connects to the Map Service on port 443 (https). Both of these connections are one-way connections. The Map service contains one Inbound port rule to allow Inbound traffic on port 443 (https). The Central node contains QSS, QRS, QSD, QPR, QPS, QRD, and QES. The Central node allows inbound traffic on port 80 (http) and port 443 (https).

Multi-node site

The following is an example of the ports that are used in a multi-node site that consists of five nodes.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection to the Proxy node. The Proxy node has one-way connections to two Engine nodes, and a two-way connection to the Central node. The Central node has a two-way connection to the Scheduler node. The Proxy node contains QPS, QRS, and QSD. The Proxy node allows Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), and 4444 (QRS). The Proxy node allows Outbound traffic on ports 4747 (Engine), 4239 (QRS websocket), 4242 (QRS), 4899 (Printing), 4900 (QSD), and 4949 (Data profiling). Both Engine nodes contain QES, QRS, QSD, and QPR. Both Engine nodes allow Inbound traffic on ports 4747 (QES), 4239 (QRS), 4242 (QRS), 4444 (QRS), 4899 (QPR), and 4949 (Data profiling). Both Engine nodes allow Outbound traffic on port 4242 (QRS). The Central node contains QSS, QRS, QSD, QPS, QRD, and QPR. The Central node allows Inbound traffic on ports 4242 (QRS), 4432 (QRD), 4900 (Broker service), and 5050 (QSS). The Central node allows Outbound traffic on ports 4242 (QRS), 4444 (QRS), and 5151 (QSS). The Scheduler node contains QSS, QRS, and QSD. The Scheduler node allows Inbound traffic on ports 4242 (QRS), 4444 (QRS), and 5151 (QSS). The Scheduler node allows Outbound traffic on ports 4242 (QRS) and 5050 (QSS).

Proxy node in demilitarized zone

This example shows the ports that are used in a multi-node site when deploying a proxy node in a demilitarized zone.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection to the Proxy node. The Proxy node has a two-way connection to the Central node. The Proxy node contains QPS, QRS, QSD, and QPR. The Proxy node allows Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), and 4444 (QRS). The Proxy node allows Outbound traffic on ports 4242 (QRS), 4747 (Engine), 4239 (QRS websocket), 4899 (Printing), 4949 (Data profiling), and 4900 (QSD). The Central node contains QPS, QRS, QSD, QPR, QES, QRD, QSS. The Central node allows Inbound traffic on ports 4242 (QRS), 4747 (QES), 4239 (QRS), 4899 (QPR), 4949 (Data profiling), 4900 (Broker service), 9028 (Hub service), and 4432 (QRD). The Central node allows Outbound traffic on ports 4242 (QRS) and 4444 (QRS).

Separate proxy and engine node

This example shows the ports that are used in a multi-node site when deploying a separate proxy and engine node. The proxy load balancing excludes the engine on the central node.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection to the Proxy and Engine node. The Proxy and Engine node uses a two-way connection to connect to the Central node. The Proxy and Engine node contains QPS, QRS, QPR, QES, and QSD. The Proxy and Engine node allows Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), and 4444 (QRS). The Proxy and Engine node allows Outbound traffic on ports 4900 (QSD), 4899 (Printing), and 4242 (QRS). The Central node contains QPS, QRS, QSD, QPR, QES, QRD, and QSS. The Central node allows Inbound traffic on 4900 (Broker service), 4899 (QPR), 4432 (QRD), 4242 (QRS). The Central node allows Outbound traffic on ports 4242 (QRS) and 4444 (QRS).

High availability proxy and engine nodes

This example shows the ports that are used in a multi-node site when deploying more than one proxy and engine node. The proxy load balancing excludes the engine on the central node.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection on either port 80 (http) or port 443 (https) to connect to the Network load balancer. The Network load balancer uses a one-way connection on either port 80 (http) or 443 (https) to connect to two identical Proxy and Engine nodes. Both Proxy and Engine nodes use a one-way connection on port 4899 (QPR) to connect to the Central node/scheduler. Both of the Proxy and Engine nodes contain QPS, QSD, QPR, QES, and QRS. Both of the Proxy and Engine nodes allow Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), 4899 (QPR), 4747 (QES), 4239 (QRS), 4949 (Data profiling), and 4444 (QRS). Both of the Proxy and Engine nodes allow Outbound traffic on ports 4242 (QRS), 4899 (Printing), 4747 (Engine), 4239 (QRS websocket), 4900 (QSD), and 4949 (Data profiling). The Central node/scheduler contains QPS, QRS, QSD, QPR, QES, QRD, and QSS. The Central node/scheduler allows Inbound traffic on ports 4900 (Broker service), 4899 (QPR), 4432 (QRD), and 4242 (QRS). The Central node/scheduler allows Outbound traffic on ports 4242 (QRS) and 4444 (QRS).

Separate scheduler node and high availability proxy and engine nodes

This example shows the ports that are used in a multi-node site when deploying a separate scheduler node and more than one proxy and engine node. The proxy load balancing excludes the engine on the central node.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection on either port 80 (http) or port 443 (https) to connect to the Network load balancer. The Network load balancer uses a one-way connection on either port 80 (http) or 443 (https) to connect to two identical Proxy and Engine nodes. Both Proxy and Engine nodes use a one-way connection on port 4899 (QPR) to connect to the Central node/scheduler. Both of the Proxy and Engine nodes contain QPS, QSD, QPR, QES, and QRS. Both of the Proxy and Engine nodes allow Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), 4899 (QPR), 4747 (QES), 4239 (QRS), 4949 (Data profiling), and 4444 (QRS). Both of the Proxy and Engine nodes allow Outbound traffic on ports 4242 (QRS), 4899 (Printing), 4747 (Engine), 4239 (QRS websocket), 4900 (QSD), and 4949 (Data profiling). Both of the Proxy and Engine nodes have one-way connections on port 4899 (QPR) to the Central node/scheduler. The Central node/scheduler contains QPS, QRS, QSD, QPR, QES, QRD, and QSS. The Central node/scheduler allows Inbound traffic on ports 4900 (Broker service), 4899 (QPR), 4432 (QRD), 4242 (QRS), and 5050 (QSS). The Central node/scheduler allows Outbound traffic on ports 4242 (QRS), 5151 (QSS), and 4444 (QRS). The Central node/scheduler has an Outbound connection on port 5151 (QSS) to the Scheduler node, and an Inbound connection on port 5050 (QSS) from the Scheduler node. The Scheduler node contains QES, QRS, and QSS. The Scheduler node allows Inbound traffic on ports 5151 (QSS) and 4444 (QRS). The Scheduler node allows Outbound traffic on port 5050 (QSS).

Separate proxy and scheduler nodes and high availability engine nodes

This example shows the ports that are used in a multi-node site when deploying separate proxy and scheduler nodes and more than one engine node. The proxy load balancing excludes the engine on the central node.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection on either port 80 (http) or 443 (https) to connect to the Proxy node. The Proxy node contains QPS, QSD, QRS, QPR. The Proxy node allows Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), and 4444 (QRS). The Proxy node allows Outbound traffic on ports 4242 (QRS), 4899 (Printing), 4747 (Engine), 4239 (QRS websocket), 4900 (QSD), and 4949 (Data profiling). The Proxy node has one-way outbound connections to the Central node and two identical Engine nodes. The Central node contains QPS, QRS, QSD, QPR, QES, QRD, and QSS. The Central node allows Inbound traffic on ports 4900 (Broker service), 4899 (QPR), 4432 (QRD), 4242 (QRS), and 5151 (QSS). The Central node allows Outbound traffic on ports 4242 (QRS), 5050 (QSS), and 4444 (QRS). The central node has an incoming connection from the Scheduler node on port 5151 (QSS) and an outgoing connection to the Scheduler node on port 5050 (QSS). Both Engine nodes only have incoming connections from the Proxy node. Both of the Engine nodes contain QES, QSD, QRS, and QPR. Both of the Engine nodes allow Inbound traffic on 4242 (QRS), 4899 (QPR), 4747 (QES), 4239 (QRS), 4949 (Data profiling), and 4444 (QRS). Both of the Engine nodes allow Outbound traffic on port 4242 (QRS).

Generic scale out

This example shows the ports that are used in a multi-node site when scaling the site by adding additional proxy, engine, or scheduler nodes. The proxy load balancing excludes the engine on the central node.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to these ports. Outbound ports indicate the destination of the communication from one node to other nodes in the environment. Firewall rules must allow the node to send outbound traffic to these outbound ports.

The user's web browser uses a one-way connection to the Proxy nodes (multiple) on either port 80 (http) or port 443 (https). The Proxy nodes connect to each other using inbound and outbound connections on port 4899. The Proxy nodes contain QPS, QSD, QRS, and QPR. The Proxy nodes allow Inbound traffic on ports 80 (http), 443 (https), 4242 (QRS), 4444 (QRS), and 4899 (QPR). The Proxy nodes allow Outbound traffic on ports 4242 (QRS), 4899 (QPR), 4747 (Engine), 4239 (QRS websocket), 4949 (Data profiling), 4444 (QRS), and 4900 (QSD). The Proxy nodes have a one-way outbound connection to multiple Engine nodes. Engine nodes contain QES, QSD, QRS, and QPR. Engine nodes allow Inbound traffic on ports 4242 (QRS), 4899 (QPR), 4747 (QES), 4239 (QRS), 4949 (Data profiling), and 4444 (QRS). Engine nodes allow Outbound traffic on ports 4242 (QRS) and 4444 (QRS). The Central node has incoming traffic on port 4899 from Proxy nodes, incoming traffic from Scheduler nodes on port 5151 (QSS), and outgoing traffic to Scheduler nodes on port 5050 (QSS). The Central node contains QPS, QRS, QSD, QPR, QES, QRD, and QSS. The Central node allows Inbound traffic on ports 4900 (Broker service), 4899 (QPR), 4432 (QRD), 4242 (QRS), and 5151 (QSS). The Central node allows Outbound traffic on ports 4242 (QRS), 5050 (QSS), and 4444 (QRS).