Who is this article for? IT personnel responsible for deploying Q-Pulse.
IT access will be required to implement this update.
Q-Pulse includes a number of web components that are normally stored on a server within the company infrastructure. This allows users who are internal to the business (i.e. within the network) to access the system.
However, if you need external users to access the system, you will need to provide a secure way for those users to reach your network.
In most cases this is done with a demilitarised zone (DMZ), which hosts the web components while all of your data remains stored within the network.
This article outlines some considerations for configuring Q-Pulse for external access.
Important Note: As this makes your data accessible from outside your environment, we strongly recommend that you perform your own risk assessment, particularly around security, before configuring Q-Pulse this way.
1. Infrastructure Changes
Looking for details on the basic Q-Pulse infrastructure? Visit System Architecture for more details.
Q-Pulse Web components (such as Web Client, Web Reporting, API, Offline Auditing) can be configured on an external web server or DMZ Server.
It is important to note that in this scenario Ideagen supports only Q-Pulse itself; your local IT team is responsible for managing and supporting the configuration and security of external access.
With a DMZ in place your Q-Pulse infrastructure will operate as:
2. Ports Required
This is the list of ports that may be utilised:
- HTTP: Port 80 (Non-HTTPS Systems)
- HTTPS: Port 443 (HTTPS Systems)
- Q-Pulse Service: Port 747
- Q-Pulse Dispatch Server (Messaging): Port 749
- SQL Server: Port 1433 (1433 is the default port; however, this may differ in your environment)
Note: Due to a restriction in the .NET Framework, your DMZ server must be able to communicate with the SQL Server on port 1433.
3. Web Services API Example
The following example demonstrates the required configuration for the Web Services component (QPulse5WebServices). All configuration changes are made in the web.config file for this component. Each component will vary slightly; however, the keys should remain the same.
In the example configuration, this web service is hosted on a DMZ Server. The web services can also access the internal services hosting the Q-Pulse application.
The following endpoints communicate to and from the main Q-Pulse Server that hosts the Q-Pulse Server Services:
- ServiceEndpoint
- MessageServiceEndPoint
- MessageDispatchServiceEndPoint
Ports 747 and 749 are used for this communication and need to be opened.
Additionally, the QPulseWebLocation endpoint assumes the QPulseWeb application is hosted on this DMZ Server and contains the external server's IP or FQDN.
DataPortal Endpoints
This config also includes two service endpoints that communicate with the QPulseDataPortal. This is the main endpoint through which all Q-Pulse requests are sent to the service.
In this example the QPulseDataPortal is only available on the internal Q-Pulse Server. Therefore the DMZ server must be able to reach this endpoint over port 80 (or 443 if HTTPS is used).
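The following PowerShell check is an added example, not part of the original article or Ideagen's tooling. Run on the DMZ server, it confirms that the flows described in sections 2 and 3 are open and that a few sample ports the article does not list stay blocked. The host names and the choice of "should be blocked" ports (SMB 445, RDP 3389) are assumptions; replace them with values from your own environment and risk assessment.

```powershell
# Added example: run on the DMZ web server. Host names are placeholders (assumptions).
$QPulseServer = 'qpulse-app.internal.example'   # internal Q-Pulse Server
$SqlServer    = 'qpulse-sql.internal.example'   # SQL Server

# Flows the article says the DMZ server needs towards the internal network.
$required = @(
    @{ Target = $QPulseServer; Port = 747;  Purpose = 'Q-Pulse Service' }
    @{ Target = $QPulseServer; Port = 749;  Purpose = 'Q-Pulse Dispatch Server (Messaging)' }
    @{ Target = $QPulseServer; Port = 443;  Purpose = 'QPulseDataPortal (use 80 if not HTTPS)' }
    @{ Target = $SqlServer;    Port = 1433; Purpose = 'SQL Server (change if not the default port)' }
)

# Sample ports NOT listed in the article; assumed here to be blocked from the DMZ.
$unexpected = @(
    @{ Target = $QPulseServer; Port = 445;  Purpose = 'SMB' }
    @{ Target = $QPulseServer; Port = 3389; Purpose = 'RDP' }
    @{ Target = $SqlServer;    Port = 445;  Purpose = 'SMB' }
)

function Test-Flow {
    param([hashtable]$Flow, [bool]$ShouldBeOpen)
    # Attempt a TCP connection; TcpTestSucceeded is true when the port accepts it.
    $r = Test-NetConnection -ComputerName $Flow.Target -Port $Flow.Port `
                            -WarningAction SilentlyContinue
    $open     = [bool]$r.TcpTestSucceeded
    $expected = if ($ShouldBeOpen) { 'open' } else { 'blocked' }
    $actual   = if ($open) { 'open' } else { 'blocked' }
    [pscustomobject]@{
        Target   = $Flow.Target
        Port     = $Flow.Port
        Purpose  = $Flow.Purpose
        Expected = $expected
        Actual   = $actual
        Ok       = ($open -eq $ShouldBeOpen)
    }
}

$results  = @($required   | ForEach-Object { Test-Flow -Flow $_ -ShouldBeOpen $true })
$results += @($unexpected | ForEach-Object { Test-Flow -Flow $_ -ShouldBeOpen $false })
$results | Format-Table -AutoSize

# Non-zero exit so the check can gate a deployment or a scheduled audit.
if ($results.Ok -contains $false) {
    Write-Error 'DMZ firewall rules do not match the expected Q-Pulse flows.'
    exit 1
}
```

A required port reported as blocked points to a missing firewall rule; an unexpected port reported as open means the DMZ server can reach more of the internal network than Q-Pulse needs.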
4. Other Components
You will find that the configuration file for each web client you want to make available externally contains the same keys with the same names. Use the example above as a reference and compare it with the configuration files of the other components.
As you will be hosting these web clients externally, it is likely that HTTPS will be in place. It is recommended that you follow the SSL Guide to ensure all endpoints and bindings are updated to communicate correctly and over the correct protocol. Please see How to Configure Q-Pulse 7 for SSL for details.