Editing a virtual proxy

You can edit an existing virtual proxy.

Do the following:

1. Open the QMC: https://<QPS server name>/qmc

2. Select Virtual proxies on the QMC start page or from the Start drop-down menu to display the overview.

3. Select the virtual proxy that you want to edit and click Edit in the action bar. You can only edit virtual proxies for one proxy at a time.

4. Edit the properties in the Virtual proxy edit window:

   Identification

   All fields are mandatory and must not be empty.

   Identification properties

   Property	Description	Default value
   Description	The description of the virtual proxy.	Blank
   Prefix	The path name in the proxy’s URI that defines each additional path. Example: https://[node]/[prefix]/ Note the following: You can only use lowercase letters in the prefix. After upgrade to Qlik Sense 3.0, any uppercase letters in existing virtual proxies will automatically be replaced by lowercase letters. You can only use the following unreserved characters: (a-z, 0-9, "-", ".", "_" , "~"). For more information, see the Unreserved Characters section in the following document: Uniform Resource Identifier (URI): Generic Syntax	Blank
   Session inactivity timeout (minutes)	The maximum period of time with inactivity before timeout. After this, the session is invalid and the user is logged out from the system.	30 minutes
   Session cookie header name	The name of the HTTP header used for the session cookie. This value is blank by default and you must enter a value. Information noteFrom the February 2019 release, a suffix (-HTTP) is added to the session cookie header name when a user accesses the system over http. Tip noteIt can be useful to include the value of the Prefix property above as a suffix in the cookie name.	Blank

   Authentication

   Authentication properties

   Property	Description	Default value
   Anonymous access mode	No anonymous user: Users must supply user identity and credentials. Allow anonymous user: Users enter as anonymous but can switch and log in with a user account. Always anonymous user: Users are always anonymous.	No anonymous user
   Authentication method	Ticket: a ticket is used for authentication. Header authentication static user directory: allows static header authentication, where the user directory is set in the QMC. Header authentication dynamic user directory: allows dynamic header authentication, where the user directory is fetched from the header. SAML: SAML2 is used for authentication. JWT: JSON Web Token is used for authentication. OIDC: OpenID Connect is used for authentication.	Ticket
   Header authentication header name	The name of the HTTP header that identifies users, when header authentication is allowed. Mandatory if you allow header authentication (by selecting either Header authentication static user directory or Header authentication dynamic user directory for the Authentication method property). Information noteHeader authentication only supports US-ASCII (UTF-8 is not supported).	Blank
   Header authentication static user directory	The name of the user directory where additional information can be fetched for header authenticated users. Mandatory if you allow static header authentication (by selecting Header authentication static user directory for the Authentication method property).	Blank
   Header authentication dynamic user directory	Mandatory if you allow dynamic header authentication (by selecting Header authentication dynamic user directory for the Authentication method property). The pattern you supply must contain ‘$ud’, ‘$id’ and a way to separate them. Example setting and matching header: $ud\\$id – matches USERDIRECTORY\userid (backslashes must be escaped with an additional \) $id@$ud – matches userid@USERDIRECTORY ($id and $ud can be in any order) $ud:::$id – matches USERDIRECTORY:::userid	Blank
   Windows authentication pattern	The chosen authentication pattern for logging in. If the User-Agent header contains the Windows authentication pattern string, Windows authentication is used. If there is no matching string, form authentication is used.	Windows
   Authentication module redirect URI	When using an external authentication module, the clients are redirected to this URI for authentication.	Blank (default module, that is Windows authentication Kerberos/NTLM)
   SAML single logout	Select the checkbox to enable a service provider initiated flow for SAML single logout. When selected, the metadata file generated for this virtual proxy will include single logout locations for POST and Redirect bindings.	Blank
   SAML host URI	The server name that is exposed to the client. This name is used by the client for accessing Qlik services, such as the QMC. The server name does not have to be the same as the machine name, but in most cases it is. You can use either http:// or https:// in the URI. To be able to use http://, you must select Allow HTTP on the edit page of the proxy that the virtual proxy is linked to. Mandatory if you allow SAML authentication (by selecting SAML for the Authentication method property).	Blank
   SAML entity ID	ID to identify the service provider. The ID must be unique. Mandatory if you allow SAML authentication (by selecting SAML for the Authentication method property).	Blank
   SAML IdP metadata	The metadata from the IdP is used to configure the service provider, and is essential for the SAML authentication to work. A common way of obtaining the metadata is to download it from the IdP website. Click the browse button and open the IdP metadata .xml file for upload. To avoid errors, you can click View content and verify that the file has the correct content and format. The configuration is incomplete without metadata.	-
   SAML attribute for user ID	The SAML attribute name for the attribute describing the user ID.Name or friendly name can be used to identify the attribute. I do not know the name of a mandatory SAML attribute	Blank
   SAML attribute for user directory	The SAML attribute name for the attribute describing the user directory. Name or friendly name can be used to identify the attribute.If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'. I do not know the name of a mandatory SAML attribute	Blank
   SAML signing algorithm	The hash algorithm used for signing SAML requests. In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider".	-
   SAML attribute mapping	Click Add new attribute to map SAML attributes to Qlik Sense attributes, and define if these are to be required by selecting Mandatory. Name or friendly name can be used to identify the attribute.If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'. Information noteSAML response based attributes are not taken into account when running product audit.	-
   JWT certificate	Add the JWT .X509 public key certificate in PEM format. The following is an example of a public key certificate. -----BEGIN CERTIFICATE----- MIIDYTCCAkmgAwIBAgIJAM/oG48ciCGeMA0GCSqGSIb3DQEBCwUAMEcxEDAOBgNV BAoMB0NvbXBhbnkxEzARBgNVBAMMCkpvaG4gRG9ubmUxHjAcBgkqhkiG9w0BCQEW D2pkZUBjb21wYW55LmNvbTAeFw0xNzAzMjAxMjMxNDhaFw0yNzAzMTgxMjMxNDha MEcxEDAOBgNVBAoMB0NvbXBhbnkxEzARBgNVBAMMCkpvaG4gRG9ubmUxHjAcBgkq hkiG9w0BCQEWD2pkZUBjb21wYW55LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBALIaab/y0u/kVIZnUsRVJ9vaZ2coiB3dVl/PCa40fyZdOIK5CvbA d0mJhuM7m/L4PldKmWh7nsPVC6SHAwgVwXASPHZQ6qha9ENChI2NfvqY4hXTH//Y FYaGLuKHD7pE7Jqt7Bhdh1zbBjrzsr1eU4Owwv9W9DxM4tVx3Xx8AUCNRoEWgObz Oqw9CfYY7/AWB8Hnr8G22X/l0/i4uJhiIKDVEisZ55hiNTEyqwW/ew0ilI7EAngw L80D7WXpC2tCCe2V3fgUjQM4Q+0jEZGiARhzRhtaceuTBnnKq3+DnHmW4HzBuhZB CLMuWaJowkKaSfCQMel6u0/Evxc8i8FkPeMCAwEAAaNQME4wHQYDVR0OBBYEFNQ9 M2Y5WlRCyftHlD2oIk12YHyBMB8GA1UdIwQYMBaAFNQ9M2Y5WlRCyftHlD2oIk12 YHyBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHO46YLxtcMcanol PUC5nGdyYchZVHkd4F5MIe82mypwFszXGvpxKQXyAIPMkTIGb1wnE/wbCfB7moxX oFo+NoASER6wtt6FPHNcCiCXHm3B+2at16nOeMLfDefhQq03Q7qjfoa+7woAYole C9fTHGAl4TMIPThGSluiVLOLgHFUHpZryI6DdiEutXiH4afXaw0mScG36Z1uvHIq dPtjb/vDm1b9jvLITe8mZ8c2is1aBCLOdFvNupARxK7U3UD6HzGIh4x7eqo6Q9CK mKIz25FHrKTkyi1n/0+SAlOGp8PSnWrRZKmHkHbpfY5lpCuIBY9Cu2l1Xeq4QW5E AqFLKKE= -----END CERTIFICATE-----	Blank
   JWT attribute for user ID	The JWT attribute name for the attribute describing the user ID.	Blank
   JWT attribute for user directory	The JWT attribute name for the attribute describing the user directory. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.	-
   JWT attribute mapping	Click Add new attribute to map JWT attributes to Qlik Sense attributes. If the name value is enclosed in brackets, that value is used as a constant attribute value: [example] gives the constant attribute value 'example'.	Blank
   Disable optional OIDC attributes	Only to be used when syncing users through a user directory connector. When selected, the attributes name, groups, email, and picture coming from user directory connector sync are protected from being overwritten by the attributes from the OIDC.
   OpenID Connect metadata URI	The URL to the endpoint that provides configuration information for the OAuth clients to interface with the identity provider using the OpenID Connect protocol.
   Client ID	ID of the configured client at the identity provider for user authentication.
   Client secret	Secret for the client configured at the identity provider.
   Realm	Name to associate with the identity provider, used for naming consistency in multi-cloud. If the subject attribute value format is domainname\username, realm is optional. If not, realm is mandatory.
   sub	Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. Mandatory.
   name	Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. Mandatory.
   groups	Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.
   email	Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values. Mandatory.
   client_id	Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.
   picture	Statements (name/value pairs) about the entity/user and metadata about the OpenID Connect service. You can use multiple, comma-separated values.
   scope	Used in the OAuth 2.0 specification to specify the access privileges when issuing an access token. For example, use this option to add a groups scope in case the identity provider requires that to support a user groups feature.
   OIDC attribute mapping	Click Add new attribute to map OIDC attributes to Qlik Sense attributes, and define if these are to be required by selecting Mandatory. Name or friendly name can be used to identify the attribute.

   Load balancing

   Load balancing properties

   Property	Description	Default value
   Load balancing nodes	Click Add new server node to add load balancing to that node.	Blank

   Advanced

   Advanced properties

   Property	Description	Default value
   Extended security environment	Enabling this setting will send the following information about the client environment in the security header: OS, device, browser, and IP. If not selected, the user can run the same engine session simultaneously on multiple devices.	Blank
   Session cookie domain	By default the session cookie is valid only for the machine that the proxy is installed on. This (optional) property allows you to increase its validity to a larger domain. Example: company.com	Blank (default machine)
   Has secure attribute (https)	Option for session cookie that has the Secure attribute and uses https.	Selected
   SameSite attribute (https)	SameSite attribute values for https: No attribute, None, Lax, Strict For more information, see SameSite cookie attribute	Lax
   Has secure attribute (http)	Option for session cookie that has the Secure attribute and uses http.	Blank
   SameSite attribute (http)	SameSite attribute values for http: No attribute, None, Lax, Strict For more information, see SameSite cookie attribute	No attribute
   Additional response headers	Headers added to all HTTP responses back to the client. Example: Header1: value1 Header2: value2	Blank
   Host allow list	A list of host names following the RFC standards. Put literal IPv6 addresses within brackets. All values added here are validated starting from the bottom level. If, for example, domain.com is added, this means that all values ending with domain.com will be approved. If subdomain.domain.com is added, this means that all values ending with subdomain.domain.com will be approved. To support switching schema when using cross-origin resource sharing (CORS), the host allow list must include the schema to avoid requests being blocked by the CORS policy. Example:   If you have a mashup loaded from an unsecure web site (http://subdomain.domain.com) and Qlik Sense running secure (https://qlik.sense... ), the schema, (http://subdomain.domain.com), must be present in the host allow list. Information noteEven if the allow list is empty, the name of the machine where Qlik Sense is installed is still considered part of the allow list, although not visible.	Blank

   Integration

   Integration properties

   Property	Description	Default value
   Session module base URI	The address to an external session module, if any.	Blank (default module, that is in memory)
   Load balancing module base URI	The address to an external load balancing module that selects which Qlik Sense engine to use for the user’s session, if any.	Blank (default module, that is round robin)

   Client authentication link

   The client authentication link is used to authenticate the client against the Qlik Sense server.

   Information noteThe Client authentication link can be generated on any virtual proxy in the QMC. However, if the client authentication link will be retrieved from the hub, you must generate the link from the default virtual proxy on the central node.

   Client authentication link properties

   Property	Description	Default value
   Client authentication link host URI	The Qlik Sense URI that will be a part of the client authentication link.	Blank
   Client authentication link friendly name	A name that helps the user to identify the host. The friendly name will be a part of the client authentication link.	Blank
   Generate client authentication link	Click the button to generate a link that can be copied and distributed to users.	-

   Configuring client authentication

   Tags

   Information noteIf no QMC tags are available, this property group is empty.

   Click the text box to be display a list of the available tags. Start typing to reduce the list. Connected tags are displayed under the text box.

   Custom properties

   Information noteIf no custom properties are available, this property group is not displayed at all (or displayed but empty) and you must make a custom property available for this resource type before it will be displayed here.
5. Click Apply to save your changes. If a mandatory field is empty, Apply is disabled.

6. Edit the fields under Associated items.

   Proxies

   Proxy properties

   Property	Description
   Node	The proxy name.
   Status	One of the following statuses is displayed: Running The service is running as per normal. Stopped The service has stopped. Disabled The service has been disabled. Tip noteClick in the Status column for more detailed information on the status. Checking the status of Qlik Sense services.
   Service listen port HTTPS (default)	The secure listen port for the proxy, which by default manages all Qlik Sense communication. Information noteMake sure that port 443 is available for the Qlik Sense Proxy Service (QPS) to use because the port is sometimes used by other software, for example, web servers.
   Allow HTTP	Status values: Yes or No. Yes: Unencrypted communication is allowed. This means that both https (secure communication) and (http) unencrypted communication is allowed. Information noteFrom the February 2019 release, a suffix (-HTTP) is added to the session cookie header name when a user accesses the system over http.
   Service listen port HTTP	The unencrypted listen port, used when HTTP connection is allowed.
   Authentication listen port	The listen port for the internal authentication module. Information noteWhen editing this port as a user without admin privileges, you need to run the repository in bootstrap mode before the changes take effect. See: Services
   Kerberos authentication	Status values: Yes or No. Yes: Kerberos authentication is enabled.
   REST API listen port	The listen port for the proxy API. Information noteWhen editing this port as a user without admin privileges, you need to run the repository in bootstrap mode before the changes take effect. See: Services
   SSL browser certificate thumbprint	The thumbprint of the Secure Sockets Layer (SSL) certificate that handles the encryption of traffic from the browser to the proxy. When editing a proxy certificate and the Qlik Sense services run with an account without administrator privileges (see Services), you need to configure the private key permissions for the certificate, (see Changing to a signed server proxy certificate).
   Keep-alive timeout (seconds)	The maximum timeout period for a single HTTP/HTTPS request before closing the connection. Protection against denial-of-service attacks. This means that if an ongoing request exceeds this period, Qlik Sense proxy will close the connection. Increase this value if your users work over slow connections and experience closed connections.
   Max header size (bytes)	The maximum total header size.
   Max header lines	The maximum number of lines in the header.
   Audit activity log level	Levels: Off or Basic (a limited set of entries)
   Audit security log level	Levels: Off or Basic (a limited set of entries)
   Service log level	Each level from Error to Info includes more information than the previous level.
   Audit log level	More detailed, user-based messages are saved to this logger, for example, proxy calls. Each level from Fatal to Debug includes more information than the previous level.
   Performance log level	All the performance messages are saved to this logger. For example, performance counters and number of connections, streams, sessions, tickets, web sockets and load balancing information. Each level from Fatal to Debug includes more information than the previous level.
   Security log level	All the certificates messages are saved to this logger. Each level from Fatal to Debug includes more information than the previous level.
   System log level	All the standard proxy messages are saved to this logger. Each level from Fatal to Debug includes more information than the previous level.
   Performance log interval (minutes)	The interval of performance logging.
   ID	The ID of the proxy.
   Created	The date and time when the proxy was created.
   Last modified	The date and time when the proxy was last modified.
   Modified by	By whom the proxy was modified.
   <Custom properties>	Custom properties, if any, are listed here.
   	Sort the list ascending or descending. Some columns do not support sorting.
   	Type a string to filter on, or, when available, select a predefined value. All rows that match your filter criteria are displayed. You can filter on multiple columns simultaneously to narrow your search. If a filter is applied to a column, is displayed. To remove your criteria, click Actions in the table header bar and select Clear filters and search. You can combine filtering with searching. Searching and filtering in the QMC
   Edit	Edit the selected proxy.
   Unlink	Unlink a proxy service from the selected proxy. Information noteA virtual proxy must be linked to a proxy service in order to work.
   Link	Link a proxy service to the selected proxy.
   Show more items	The overview shows a set number of items by default. To show more items, scroll to the end of the list and click Show more items. Sorting and filtering of items is always done on the full database list of items, not only the items that are displayed.

7. Click Apply in the action bar to save your changes.

   Information noteIn most cases, the proxy must be restarted when you apply changes to the virtual proxy. Sessions handled by the proxy, to which the virtual proxy is linked, are ended and the users are logged out. Changes to the following resources in the virtual proxy will not generate an automatic restart of the proxy: Tags, Custom properties, and Load balancing nodes.

Successfully updated is displayed at the bottom of the page.