Configure Local Firewall

This topic explains how to configure the firewall on the computer running Tableau Server.

A local firewall should be enabled on the operating system to protect Tableau Server in single and multi-node deployments. In a distributed (multi-node) installation of Tableau Server, communication between nodes does not use secure communication. Therefore, you should enable firewalls on the computers that host Tableau Server.

We recommend that you configure the firewall so that only two ports are accessible to external traffic: the gateway port and the tabadmincontroller port. By default, these are ports 80 and 8850 respectively. Additionally, if you are running in a distributed deployment, then you will need to open the port range, 27000-27009, so licensing can communicate across nodes.

The gateway port is used for HTTP connections to Tableau Server. We recommend that you use SSL for the gateway port. If you will be using SSL, then the port must be 443 because Tableau Server does not support other ports for SSL. The procedures below describe how to configure the firewall for the gateway port. Configure the Tableau Server gateway (Configure Initial Node Settings) to match the port you set here.

The examples below describe how to configure the firewall on single and multi-node deployments of Tableau Server running on RHEL/CentOS distributions. The examples use Firewalld, which is the default firewall on CentOS.

Single-node configuration

  1. Open a bash shell and run the following TSM command to retrieve the port number for the tabadmincontroller port:

    tsm topology list-ports

    Make a note of the tabadmincontroller port. By default, this port is 8850.

  2. Start firewalld:

    sudo systemctl start firewalld

  3. Verify that the default zone is a high-security zone, such as public. If it is not, we recommend changing it to a high-security zone.

    sudo firewall-cmd --get-default-zone

    sudo firewall-cmd --set-default-zone=public

  4. Add ports for the gateway port and the tabadmincontroller port. In the example below we use the default ports (80 and 8850).

    sudo firewall-cmd --permanent --add-port=80/tcp

    sudo firewall-cmd --permanent --add-port=8850/tcp

  5. Reload the firewall and verify the settings.

    sudo firewall-cmd --reload

    sudo firewall-cmd --list-all

Multi-node cluster configuration

In addition to enabling ports, configuring the firewall on a multi-node cluster requires additional steps to ensure that nodes can communicate with each other.

Before you begin

You will need the IP address for each node in the cluster. The example here uses <node1IP> as a placeholder for the initial node IP address, and <node2IP> and <node3IP> as placeholders for the IP addresses of two additional nodes.

Step 1: Configure initial node.

  1. Open a bash shell and run the following TSM command to retrieve the port number for the tabadmincontroller port:

    tsm topology list-ports

    Make a note of the tabadmincontroller port. By default, this port is 8850.

  2. Run the following commands to determine the range of port numbers that TSM may dynamically select. You will specify this range later in this procedure. Make a note of the port range.

    tsm configuration get -k ports.range.min

    tsm configuration get -k ports.range.max

    A typical range is 8000 to 9000.

  3. Start firewalld:

    sudo systemctl start firewalld

  4. Verify that the default zone is a high-security zone, such as public. If it is not, we recommend changing it to a high-security zone.

    sudo firewall-cmd --get-default-zone

    sudo firewall-cmd --set-default-zone=public

  5. Add ports for the gateway port and the tabadmincontroller port. In the example below we use the default ports (80 and 8850). You must also add a port range (27000-27010) to enable licensing communication between nodes.

    sudo firewall-cmd --permanent --add-port=80/tcp

    sudo firewall-cmd --permanent --add-port=8850/tcp

    sudo firewall-cmd --permanent --add-port=27000-27010/tcp

  6. Configure the firewall to allow all traffic from the other nodes in the cluster. For the ports option, specify the range you noted in Step 2. Run the command for each of the additional nodes in your cluster. For example:

    sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node2IP>/32 port port=8000-9000 protocol=tcp accept'

    sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node3IP>/32 port port=8000-9000 protocol=tcp accept'

  7. Reload the firewall and verify the settings.

    sudo firewall-cmd --reload

    sudo firewall-cmd --list-all

Step 2: Configure additional nodes

Each node in the cluster must be able to communicate with the initial node and with the other nodes.

Run this procedure on each additional node in the cluster. In this example, the node at IP address <node2IP> communicates with the initial node at <node1IP> and with a third node at <node3IP>.

  1. Start firewalld:

    sudo systemctl start firewalld

  2. Verify that the default zone is a high-security zone, such as public. If it is not, we recommend changing it to a high-security zone.

    sudo firewall-cmd --get-default-zone

    sudo firewall-cmd --set-default-zone=public

  3. Configure the firewall to allow gateway and tabadmincontroller access from the other nodes in the cluster. For example:

    sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node1IP>/32 port port=80 protocol=tcp accept'

    sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node1IP>/32 port port=8000-9000 protocol=tcp accept'

    sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node3IP>/32 port port=80 protocol=tcp accept'

    sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<node3IP>/32 port port=8000-9000 protocol=tcp accept'

    In this example, since the tabadmincontroller port (8850) is included in the port range, it is not explicitly specified in a command.

  4. Reload the firewall and verify the settings.

    sudo firewall-cmd --reload

    sudo firewall-cmd --list-all
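The verification step in both the single-node and the multi-node procedures ends with `firewall-cmd --list-all`, which a reader has to inspect by eye. The script below is an added example (not Tableau's documentation or tooling) that audits that output automatically: it assumes the default ports from this page (80, 8850 and 27000-27010) and treats any other open port, or any rich rule whose source is not one of the cluster node IPs you pass in, as a finding. The sample dumps and the 10.0.0.x / 203.0.113.9 addresses are constructed for the example.

```shell
#!/usr/bin/env bash
# Audit a firewalld zone dump from a Tableau Server node (added example, not
# Tableau tooling). Input is the text that `sudo firewall-cmd --list-all` prints.
# Assumes the default ports from this page: gateway 80, tabadmincontroller 8850,
# licensing 27000-27010. Any other open port, or any rich rule whose source is
# not one of the cluster node IPs you pass in, is reported as a finding.
ALLOWED_PORTS="80/tcp 8850/tcp 27000-27010/tcp"
# audit_zone FILE NODE_IP...  -> prints findings; returns 1 if any, else 0.
audit_zone() {
  file=$1; shift
  known=" ${*:-} "
  rc=0
  # The "ports:" line must list only the allowed ports.
  for p in $(sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' "$file"); do
    case " $ALLOWED_PORTS " in
      *" $p "*) ;;
      *) echo "unexpected open port: $p"; rc=1 ;;
    esac
  done
  # Every rich rule must name a /32 source that is a known cluster node.
  for src in $(sed -n 's/.*source address="\([0-9.]*\)\/32".*/\1/p' "$file"); do
    case "$known" in
      *" $src "*) ;;
      *) echo "rich rule from non-cluster source: $src"; rc=1 ;;
    esac
  done
  return $rc
}
# Constructed sample dumps (not captured from a real server) in the layout
# firewalld prints. GOOD matches the multi-node procedure; BAD has an extra
# port and a rich rule for an address outside the cluster.
GOOD=$(mktemp); BAD=$(mktemp); trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
public (active)
  services: ssh
  ports: 80/tcp 8850/tcp 27000-27010/tcp
  rich rules:
        rule family="ipv4" source address="10.0.0.12/32" port port="8000-9000" protocol="tcp" accept
        rule family="ipv4" source address="10.0.0.13/32" port port="8000-9000" protocol="tcp" accept
EOF
cat >"$BAD" <<'EOF'
public (active)
  ports: 80/tcp 8850/tcp 9999/tcp
  rich rules:
        rule family="ipv4" source address="10.0.0.12/32" port port="8000-9000" protocol="tcp" accept
        rule family="ipv4" source address="203.0.113.9/32" port port="8000-9000" protocol="tcp" accept
EOF
audit_zone "$GOOD" 10.0.0.12 10.0.0.13 && echo "GOOD: no findings"
audit_zone "$BAD" 10.0.0.12 10.0.0.13 || echo "BAD: see findings above"
```

On a real node, run `sudo firewall-cmd --list-all > zone.txt` and then `audit_zone zone.txt <node2IP> <node3IP>` with the other cluster members' addresses; on a single-node server pass no addresses, so any rich rule at all is flagged.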
