Bridge Security

Tableau Bridge applies the following security designs:

  • All communication is initiated from behind the on-premises firewall and therefore does not require you to manage additional exceptions.
  • Data in transit, to and from Bridge, is encrypted.
  • Database credentials are stored on the computer using Windows credentials manager if the data source is set up to use Online refresh (formerly called Recommended) or Bridge (legacy) schedules. For Online refresh schedules, the credentials are passed on to the client that is selected to perform the refresh.

You can find more details about Bridge security in the sections below.

Transmission security

Data, to and from the Bridge client, is transmitted over a TLS 1.2 connection.

Authentication

There are two primary authentication points for Bridge.

Tableau Online

To connect to Tableau Online, a user's Tableau Online credentials are entered through the Bridge client.

After 1) the credentials are entered, 2) Tableau Online returns an authorization token, and 3) the token is stored on the computer where the client is running, using the credentials manager of the Windows operating system. Bridge uses the token to perform various tasks, such as downloading the refresh schedule information for an extract.

On-premises data

To access on-premises data, some data sources require authentication using database credentials. Depending on the connection type of the data source, the client handles database credentials in one of the following ways:

  • For live connections and extract connections that use Online refresh (formerly called Recommended) schedules, database credentials are sent at the time of the request and use a TLS 1.2 connection.

  • For extract connections that use Bridge (legacy) schedules, if the data source requires database credentials, these credentials must be entered in the client directly. The database credentials are stored on the computer using the credentials manager of the Windows operating system. The client sends the database credentials to the database, which is also behind the on-premises firewall, at the scheduled refresh time.

The client supports domain-based security (Active Directory) and user name/password credentials to access on-premises data.

Changes to on-premises firewall

The Bridge client requires no changes to the on-premises firewall. The client achieves this by making only outbound connections to Tableau Online. To allow outbound connections, the client uses the following protocols depending on the connection type used by the data source:

  • For live connections and extract connections that use Online refresh (formerly called Recommended) schedules, secure WebSockets (wss://).

  • For extract connections that use Bridge (legacy) schedules, HTTP Secure (https://).

Access to on-premises data

Connections to on-premises data are initiated by the Bridge client on behalf of Tableau Online. The process by which the connection is initiated depends on the connection type of the data source.

  • For live connections, the client 1) establishes a persistent connection to a Tableau Bridge service, which is the part of the client that resides on Tableau Online, using secure WebSockets (wss://). The client then waits for a response from Tableau Online before 2) initiating a live query to the on-premises data. The client 3) passes the query to the on-premises data, then 4) returns the on-premises data using 5) the same persistent connection.

  • For extract connections that use Online refresh (formerly called Recommended) schedules, the client 1) establishes a persistent connection to a Tableau Bridge service, which is the part of the client that resides on Tableau Online, using secure WebSockets (wss://). The client then waits for a request from Tableau Online for new refresh schedules. When the client receives the request, 2) the client contacts Tableau Online using a secure connection (https://) for the data source (.tds) files, and 3/4) connects to the on-premises data using the credentials embedded in the request. The client 5) creates an extract of the data and then 6) republishes the extract to Tableau Online using the Tableau Bridge service. Steps 2 through 6 can run in parallel so that multiple refresh requests can be processed at the same time.

  • For extract connections that use Bridge (legacy) schedules, the client 1) contacts Tableau Online using a secure connection (https://) for new refresh schedules and data source (.tds) files. If 2) this information is available, then at the scheduled time 3/4) the client connects to the on-premises data using the stored credentials. The client 5) creates an extract of the data and then 6) republishes the extract to Tableau Online using a Tableau Bridge service, which is the part of the client that resides on Tableau Online.

Additional security considerations

Optional forward proxy filtering

To ensure that your data is transmitted to Tableau Online only, you can implement domain-based filtering on outbound connections (forward proxy filtering) from the Bridge client.

The following list contains the partially qualified domain names that Bridge requires for outbound connections:

  • *.online.tableau.com
  • *.newrelic.com, used for client application performance monitoring
  • *.nr-data.net, used for client application performance monitoring
  • *.cloudfront.net, a CDN used for static content
  • *akamai, a CDN for some Tableau Online pods
  • crash-artifacts-747369.s3.amazonaws.com, used for receiving crash dump reports
  • s3-us-west-2-w.amazonaws.com, used for receiving crash dump reports
  • s3-w-a.us-west-2.amazonaws.com, used for receiving crash dump reports
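As an added example (not Tableau's code), a small Python check that applies this allowlist to outbound proxy log lines from the Bridge host and flags any destination outside the listed names. The log line format and sample lines are constructed, and the wildcard matching rules are assumptions, since the page does not define them.

```python
import re
# Partially qualified domain names the Bridge documentation lists for outbound connections.
BRIDGE_ALLOWLIST = (
    "*.online.tableau.com",
    "*.newrelic.com",
    "*.nr-data.net",
    "*.cloudfront.net",
    "*akamai",
    "crash-artifacts-747369.s3.amazonaws.com",
    "s3-us-west-2-w.amazonaws.com",
    "s3-w-a.us-west-2.amazonaws.com",
)

def host_allowed(host, allowlist=BRIDGE_ALLOWLIST):
    host = host.lower().rstrip(".")
    for pattern in allowlist:
        pattern = pattern.lower()
        if pattern.startswith("*."):  # "*.example.com": the domain or any subdomain (assumption)
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return True
        elif pattern.startswith("*"):  # bare "*akamai": any host containing it (assumption)
            if pattern[1:] in host:
                return True
        elif host == pattern:
            return True
    return False

# Constructed, simplified proxy log line format: "<epoch> <client_ip> <method> <host>:<port>".
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) ([^\s:]+):(\d+)$")

def unexpected_destinations(log_lines, bridge_client_ip, allowlist=BRIDGE_ALLOWLIST):
    # Returns (host, port) pairs the Bridge host reached that are outside the allowlist.
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(2) != bridge_client_ip:
            continue  # malformed line, or traffic from another client
        host, port = m.group(4), int(m.group(5))
        if not host_allowed(host, allowlist):
            findings.append((host, port))
    return findings

# Constructed sample: two expected destinations, one non-allowlisted one, and one from another client.
SAMPLE_LOG = [
    "1700000000 10.0.0.5 CONNECT prod-useast-a.online.tableau.com:443",
    "1700000001 10.0.0.5 CONNECT d1234abcd.cloudfront.net:443",
    "1700000002 10.0.0.5 CONNECT updates.example-vendor.com:443",
    "1700000003 10.0.0.9 CONNECT www.example.org:443",
]
```

Tighten the bare `*akamai` entry to the exact Akamai hostnames your proxy logs show for your Tableau Online pod before enforcing the list.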