Configuring Proxies for Tableau Server
In most enterprises, Tableau Server needs to communicate with the internet. Tableau Server was designed to operate inside a protected internal network. Do not set up Tableau Server directly on the internet or in a DMZ. Instead, communications between your network and the internet should be mediated using proxy servers. Forward proxy servers mediate traffic from inside the network to targets on the internet. Reverse proxy servers mediate traffic from the internet to targets inside the network.
Who should read this article?
This article is for IT professionals who are experienced with general networking and gateway proxy solutions. The article describes how and when Tableau requires internet access, and describes how to configure your network and Tableau to use forward and reverse proxy servers for access to and from the internet. There are many third-party proxy solutions available, so some of the content in the article is necessarily generic.
Important: We do not recommend installing Tableau Server on a computer that is running IIS. Additionally, if you are running antivirus software, you should follow the recommendations in the Knowledge Base to exclude the Tableau Server directories. The procedures in this chapter assume that you've installed Tableau Server onto a clean computer.
How Tableau communicates with the internet
Tableau Server requires outbound access to the internet for these scenarios:
Working with maps. Tableau uses map data that is hosted externally.
Tableau Server needs to connect to maps.tableausoftware.com using port 443. If it cannot make this connection, maps may fail to load.
Licensing. Tableau products connect to the internet to activate license keys. Unless you activate Tableau software with the Offline Activation Tool, all Tableau products must have continuous access to the internet to validate their licenses.
Tableau Server needs to connect to the following internet locations for licensing purposes: licensing.tableau.com:443 (licensing.tableausoftware.com:443 for versions 8.2-9.x), crl.thawte.com, and ocsp.thawte.com. If Tableau Server cannot make a connection while attempting to activate its license, you will be prompted to do an offline activation.
Working with external or cloud-based data.
Tableau Server can run without internet access, but in most organizations, the scenarios in the list require Tableau to be able to access the internet.
To configure access to the internet from Tableau Server, you should use a forward proxy.
Note: Both Tableau Desktop and Tableau Server need to communicate with the internet for mapping, licensing, and external data. In this article, we focus on Tableau Server, which has specific requirements for configuring internet access. Do not set up Tableau Server on the computer that's acting as your organization's internet gateway.
In many enterprises, users also need to access Tableau Server from outside the network (that is, from the internet). For example, in many enterprises, users want to be able to reach Tableau Server from their mobile devices in order to interact with views that are stored on the server. To configure access to Tableau Server from the internet or from mobile devices, you should use a reverse proxy.
To enable communication from Tableau Server to the internet, deploy Tableau Server behind a forward proxy server. When Tableau Server needs access to the internet, it doesn't send the request directly to the internet. Instead, it sends the request to the forward proxy, which in turn forwards the request. Forward proxies help administrators manage traffic out to the internet for tasks such as load balancing, blocking access to sites, etc.
If you use a forward proxy, you must configure the computers that run Tableau Server inside the network to send traffic to the forward proxy.
Note: If you know that none of your users need access to map data or online data sources in the workbooks that they’ll be publishing to Tableau Server, and if you are configuring Tableau Server for offline licensing, you can skip this section. Otherwise, you'll need to configure Tableau Server to connect to the internet.
Configuring Tableau Server to work with a forward proxy
The steps for configuring internet options on the Tableau Server computer depend on which of these scenarios describes your enterprise:
Your organization doesn't use a forward proxy solution. If your organization is not running a proxy solution and the computer where you are installing Tableau Server can communicate with the internet, you don’t need to follow the procedures here.
A proxy solution is deployed, and automatic configuration files define connection settings. If your organization uses automatic configuration files (such as PAC or .ins files) to specify internet connection information, you can use this information in the Local Area Network (LAN) Settings dialog box in Windows. For more information, see Automatic Detection and Configuration of Browser Settings on the Microsoft support site.
A proxy solution is deployed, but automatic configuration files are not deployed. For this scenario, you must configure LAN settings on the Windows computer that is running Tableau Server so that connections to your proxy server are run under the security context of the Run As User account. You must also configure localhost and other internal Tableau Server instances as exceptions.
The following procedure describes the steps for the last scenario—a proxy solution without automatic configuration files, where Tableau Server is running on Windows Server.
Note: If you are using a distributed installation of Tableau Server, perform the following procedures on the primary server and on each worker node.
Step 1: Add the Run As User account to the Local Administrators group
To perform this procedure, you must log onto the Tableau Server computer as the Run As User. By default, the "log on locally" policy is not applied to the Run As User account. Therefore, you must temporarily add the Run As User account to the Local Administrators group.
If you haven't installed Tableau Server on the computer yet, see Run As User for more information about creating the Run As User account. If you already installed Tableau Server and set the Run As User setting, you can determine the Run As User account name by logging onto Tableau Server. The Tableau Server Run As User is listed on the General tab of the Tableau Server Configuration window. To access the configuration utility, in the Windows Start menu, search for Configure Tableau Server.
Add the Run As User to the Local Administrators group using steps in Add a member to a local group on the Microsoft website. When you've finished configuring the forward proxy information, you'll remove the Run As User account from the Local Administrators group.
Step 2: Configure the proxy server in Windows LAN Settings
Using the Run As User account, log onto the computer where Tableau Server is installed or will be installed.
Open the Local Area Network (LAN) Settings dialog box. (A quick way to get to this dialog box is to search for Internet Options in the Windows Start menu. In the Internet Properties dialog box, click the Connections tab, and then click LAN settings.)
Under Proxy server, select Use a proxy server for your LAN, enter the proxy server address and port, and then select Bypass proxy server for local addresses.
Leave this dialog box open and continue to the next step.
Step 3: Add exceptions to bypass the proxy server
You add exceptions to this proxy configuration to guarantee that all communications within a local Tableau Server cluster (if you have one now or will have one later) do not route to the proxy server.
In the LAN settings dialog box, click Advanced. (This button is available only if you've selected the option to use a proxy server for your LAN.)
In the Proxy Settings dialog box, enter localhost in the Exceptions field. In addition, enter the server names and IP addresses of other Tableau Server computers in the same cluster. Use semicolons to separate items.
Close the proxy settings dialog box and the Local Area Network (LAN) Settings dialog box.
In the Internet Properties dialog box, click OK to apply the settings.
Stay logged onto the computer and continue to the next step.
Step 4: Test the proxy configuration
To test the new configurations, while still logged on as the Run As User on the Tableau Server computer, open a web browser and test the following Tableau mapping URL:
This is the URL:
If the configuration is working, you see a map of Miami and Havana. This indicates that the Tableau Server computer is able to access the internet through the proxy.
Step 5: Remove the Run As User account from the Local Administrators group
After you have tested the proxy settings, remove the Run As User account from the Local Administrators group. Leaving the Run As User in the Local Administrators group unnecessarily elevates the permissions of the Run As User account and is a security risk.
Restart Tableau Server to ensure that all changes are implemented.
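A check for Steps 2 and 3, added here as an example (it is not Tableau's code): it audits the per-user proxy values that the LAN Settings dialog stores, so run it while still logged on as the Run As User. ProxyEnable, ProxyServer and ProxyOverride are the standard WinINET registry value names; the function names, host names and addresses are constructed for illustration.

```python
"""Audit the Run As User's LAN proxy settings (added example)."""

# Where the LAN Settings dialog stores per-user values (standard WinINET key).
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def read_current_user_settings():
    """Read the values for the logged-on user. Windows only."""
    import winreg  # imported here so the audit logic below works on any OS
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in ("ProxyEnable", "ProxyServer", "ProxyOverride"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None  # value was never set
    return values


def audit_proxy_settings(values, cluster_nodes):
    """Return a list of findings; an empty list means Steps 2 and 3 look complete."""
    findings = []
    if values.get("ProxyEnable") != 1:
        findings.append("proxy is not enabled (Step 2)")
    if not values.get("ProxyServer"):
        findings.append("no proxy server address and port set (Step 2)")
    # Exceptions are stored as one semicolon-separated string.
    override = values.get("ProxyOverride") or ""
    exceptions = {e.strip().lower() for e in override.split(";") if e.strip()}
    # "Bypass proxy server for local addresses" is stored as the token <local>.
    if "<local>" not in exceptions:
        findings.append("bypass for local addresses is not selected (Step 2)")
    for required in ["localhost", *cluster_nodes]:
        if required.lower() not in exceptions:
            findings.append(f"missing proxy exception: {required} (Step 3)")
    return findings


# Constructed sample: localhost and one worker's IP address were left out.
SAMPLE = {
    "ProxyEnable": 1,
    "ProxyServer": "proxy.example.com:8080",
    "ProxyOverride": "tableau-w1.example.com;<local>",
}
NODES = ["tableau-w1.example.com", "10.0.0.12"]

if __name__ == "__main__":
    for finding in audit_proxy_settings(SAMPLE, NODES):
        print(finding)
```

On the Tableau Server computer, pass `read_current_user_settings()` as the first argument instead of the sample.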
A reverse proxy is a server that receives requests from external (internet) clients and forwards them to Tableau Server. Why use a reverse proxy? The basic answer is security. A reverse proxy makes Tableau Server available to the internet without having to expose the individual IP address of that particular Tableau Server to the internet. A reverse proxy also acts as an authentication and pass-through device, so that no data is stored where people outside the company can get to it. This requirement can be important for organizations that are subject to various privacy regulations such as PCI, HIPAA, or SOX.
How a reverse proxy works with Tableau Server
The following diagram illustrates the communication path when a client makes a request to Tableau Server that is configured to work with a reverse proxy server.
An external client initiates a connection to Tableau Server. The client uses the public URL that's been configured for the reverse proxy server, such as https://tableau.example.com. (The client doesn't know that it's accessing a reverse proxy.)
The reverse proxy maps that request in turn to a request to Tableau Server. The reverse proxy can be configured to authenticate the client (using SSL/TLS) as a precondition to passing the request to Tableau Server.
Tableau Server gets the request and sends its response to the reverse proxy.
The reverse proxy sends the content back to the client. As far as the client is concerned, it just had an interaction with Tableau Server, and has no way to know that the communication was mediated by the reverse proxy.
Proxy servers and SSL
For better security, you should configure reverse proxy servers to use SSL for any traffic that's external to your network. This helps to ensure privacy, content integrity, and authentication. Unless you've deployed other security measures to protect traffic between your internet gateway and Tableau Server, we also recommend configuring SSL between the gateway proxy and Tableau Server. You can use internal or self-signed certificates to encrypt traffic between Tableau Servers and other internal computers.
Reverse proxy and user authentication
Tableau Server will always authenticate users. This means that even if you are authenticating inbound connections at the gateway for your organization, Tableau Server will still authenticate the user. Therefore, we recommend a transparent scenario where Tableau Desktop, Tableau Mobile, or browser user requests are not prompted for authentication at the gateway. This recommendation doesn't prohibit using SSL for client/server system-level authentication at the gateway proxy; in fact, we strongly recommend SSL system-level authentication.
You can use SAML, OpenID Connect, or Trusted Tickets with a reverse proxy.
If your organization is authenticating with Active Directory:
- Active Directory with Enable automatic logon (SSPI) is not supported with a reverse proxy.
- Tableau Server must be configured for reverse proxy before configuring Tableau Server for Kerberos. For more information, see Configure Kerberos.
Configure Tableau Server to work with a reverse proxy server
Before you configure Tableau Server, you'll need to collect the following information about the proxy server configuration. To configure Tableau Server, you use the tabadmin utility. The information you need to collect corresponds to options you'll need when you run tabadmin.
|Item||Description||Corresponding tabadmin option|
|IP address or
You can either enter an IP address or a CNAME for this option.
The public IP address or addresses of the proxy server. The IP address must be in IPv4 format, such as
If you are unable to provide a static IP, or if you are using cloud proxies or external load balancers, you can specify the CNAME (Canonical Name) DNS value that clients will use to connect to Tableau Server. This CNAME value must be configured on your reverse proxy solution to communicate with Tableau Server.
|FQDN||The fully qualified domain name that people use to reach Tableau Server, such as
|Non-FQDN||Any subdomain names for the proxy server. In the example of
|Aliases||Any public alternative names for the proxy server. In most cases, aliases are designated using CNAME values. An example would be a proxy server
|Ports||Port numbers for traffic from the client to the reverse proxy server.||
If you are using a distributed installation of Tableau Server, then run the following procedure on the primary node in your cluster.
Open a command prompt and navigate to the Tableau Server
Open a command prompt as an administrator:
Enter the following to change to the folder where
cd "C:\Program Files\Tableau\Tableau Server\10.3\bin"
Enter the following command to stop Tableau Server:
Enter the following command to set the FQDN that clients will use to reach Tableau Server through the proxy server, where name is the FQDN:
tabadmin set gateway.public.host "name"
For example, if Tableau Server is reached by entering https://tableau.example.com in the browser, enter this command:
tabadmin set gateway.public.host "tableau.example.com"
Enter the following command to set the address or the CNAME of the proxy server, where server_ip_address is the IPv4 address or CNAME value:
tabadmin set gateway.trusted "server_ip_address"
If your organization uses multiple proxy servers, enter multiple IPv4 addresses, separating them with commas. IP ranges are not supported. To improve start up and initialization of Tableau Server, minimize the number of entries for
Enter the following command to specify alternate names for the proxy server, such as its fully qualified domain name, any not fully qualified domain names, and any aliases. If there's more than one name, separate the names with a comma.
tabadmin set gateway.trusted_hosts "name1, name2, name3"
tabadmin set gateway.trusted_hosts "proxy1.example.com, proxy1, ftp.example.com, www.example.com"
If the proxy server is using SSL to communicate with the internet, run the following command, which tells Tableau that the reverse proxy server is using port 443 instead of port 80:
tabadmin set gateway.public.port "443"
Note: If the proxy server is using SSL to communicate with Tableau Server, SSL must be configured and enabled on Tableau Server. See Configure External SSL.
Enter the following command to commit the configuration change:
Enter the following command to restart the server:
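A pre-flight check for the values used in this procedure, added here as an example (it is not part of tabadmin): it applies the rules stated above (IPv4 addresses or a CNAME, no ranges, comma-separated lists) and returns the tabadmin set lines to run. The function names are hypothetical; the key names are the ones shown in the commands above.

```python
"""Pre-flight check of reverse proxy values before running tabadmin (added example)."""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_hostname(value):
    return len(value) <= 253 and all(LABEL.fullmatch(p) for p in value.split("."))


def check_trusted(value):
    """Validate a gateway.trusted value: comma-separated IPv4 addresses or CNAMEs."""
    errors = []
    for entry in (e.strip() for e in value.split(",")):
        try:
            if ipaddress.ip_address(entry).version != 4:
                errors.append(f"{entry}: must be IPv4")
        except ValueError:
            # Only digits, dots, slashes, hyphens: a range, CIDR block or bad address.
            if re.fullmatch(r"[0-9./-]+", entry):
                errors.append(f"{entry}: not a single valid IPv4 address "
                              "(ranges are not supported)")
            elif not is_hostname(entry):
                errors.append(f"{entry}: not an IPv4 address or CNAME")
    return errors


def build_commands(public_host, trusted, trusted_hosts, client_ssl):
    """Return the tabadmin set commands, or raise ValueError listing every problem."""
    errors = check_trusted(trusted)
    if "." not in public_host or not is_hostname(public_host):
        errors.append(f"{public_host}: gateway.public.host must be an FQDN")
    names = [n.strip() for n in trusted_hosts.split(",")]
    errors += [f"{n}: not a valid host name" for n in names if not is_hostname(n)]
    if errors:
        raise ValueError("; ".join(errors))
    # Every value is now limited to address and host-name characters,
    # so none can contain a quote that would break the command line.
    trusted_list = ", ".join(e.strip() for e in trusted.split(","))
    commands = [
        f'tabadmin set gateway.public.host "{public_host}"',
        f'tabadmin set gateway.trusted "{trusted_list}"',
        'tabadmin set gateway.trusted_hosts "{}"'.format(", ".join(names)),
    ]
    if client_ssl:  # the proxy uses SSL towards internet clients
        commands.append('tabadmin set gateway.public.port "443"')
    return commands
```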
Configure the reverse proxy server to work with Tableau Server
When a client accesses Tableau Server through a reverse proxy, specific message headers have to be preserved (or added). Specifically, all proxy servers in the message chain must be represented in the
The following graphic shows example headers for a single-hop message chain, where the proxy server is communicating directly with Tableau Server:
The following graphic shows example headers for a multiple-hop message chain, where the message traverses two proxy servers before connecting to Tableau Server:
The following table describes what these headers are and how they relate to the configuration settings on Tableau Server:
|Headers||Description||Related Tableau Server settings|
||Tableau Server needs these headers to determine the IP address of origin for requests.
||The IP address that you set in
||These headers are used to generate absolute links to Tableau Server when it replies to the client.
||The host names that are presented in
||This header is required if SSL is enabled for traffic from the client to the proxy, but not for traffic from the proxy to Tableau Server.
Port configuration on reverse proxy (inbound connections from client and outbound connections to Tableau Server) must be specified in the corresponding parameter:
If the proxy server is using SSL to communicate with Tableau Server, SSL must be configured and enabled on Tableau Server. See Configure External SSL.
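Why every proxy in the chain has to be listed as trusted, shown for the single-hop and multiple-hop cases described above. This is an added example that models the general trusted-proxy technique; it is not Tableau Server's implementation. It assumes the conventional X-Forwarded-For header, IP-address entries only, and constructed addresses.

```python
"""Model of trusted-proxy handling for forwarded headers (added example)."""
import ipaddress


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address to treat as the origin of a request.

    remote_addr     -- peer address of the TCP connection (headers cannot forge it)
    x_forwarded_for -- header value "client, proxy, ..." or None
    trusted_proxies -- addresses allowed to vouch for an earlier hop
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    origin = ipaddress.ip_address(remote_addr)
    # A peer that is not a trusted proxy gets no say: its headers are ignored.
    if origin not in trusted or not x_forwarded_for:
        return str(origin)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk from the hop nearest the server back towards the client. Each entry
    # was appended by the hop to its right, so it is believed only while that
    # hop is trusted. Stop at the first address that is not a trusted proxy.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that was vouched for
        origin = addr
        if addr not in trusted:
            break
    return str(origin)


# Constructed addresses: client -> OUTER proxy -> INNER proxy -> Tableau Server.
CLIENT, OUTER, INNER = "203.0.113.7", "10.0.0.6", "10.0.0.5"

if __name__ == "__main__":
    # Single hop: the one proxy is trusted, so the client address is used.
    print(resolve_client_ip(INNER, CLIENT, [INNER]))
    # Two hops, both proxies trusted: the client address is used.
    print(resolve_client_ip(INNER, f"{CLIENT}, {OUTER}", [INNER, OUTER]))
    # Two hops, outer proxy not listed: the origin becomes the proxy itself.
    print(resolve_client_ip(INNER, f"{CLIENT}, {OUTER}", [INNER]))
    # Client-supplied entry at the left of the header is never reached.
    print(resolve_client_ip(INNER, f"198.51.100.99, {CLIENT}, {OUTER}", [INNER, OUTER]))
```

In the third case every request appears to come from the outer proxy, which is the symptom to look for when a proxy is missing from the trusted list.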
Validate reverse proxy setup
To validate your reverse proxy setup, perform the following tasks from a computer on the internet.
|Log in to Tableau Server from Tableau Desktop.||Sign in to Tableau Server or Online|
|Publish to Tableau Server.||Publish a Workbook|
|Open workbook from Tableau Server.||Opening Workbooks from the Server|
|Log out Server (with Desktop).||Sign in to Tableau Server or Online|
|Log into Tableau Server from a web browser.||Sign in|
|Download workbook from a web browser.||Download Workbooks|
|Check to make sure tabcmd (from a non-server client) works.||tabcmd|