Configure Tableau Server with Independent Gateway

This topic describes how to configure Tableau Server with Independent Gateway for different connection scenarios and for a custom authentication module.

For the installation procedure, see Install Tableau Server with Independent Gateway.

For an end-to-end deployment example running on Tableau Server for Linux in AWS, see Configuring Web Tier in the Enterprise Deployment Guide.

Direct vs relay connection

The Independent Gateway can communicate directly with the back-end Tableau Server processes over multiple ports. We refer to this communication as direct connection.

Alternatively, you can configure Independent Gateway to relay client communication over a single port to the gateway process on Tableau Server. We refer to this as a relay connection.

The TSM configuration key that sets the connection type is gateway.tsig.proxy_tls_optional.

The following sections describe how these connections differ and how to set them.

Direct connection

In this configuration, the Independent Gateway communicates directly with the backend processes on Tableau Server over multiple ports. This requires that you open those ports on the firewall that separates Independent Gateway from the Tableau Server backend deployment.

The current implementation of Independent Gateway does not support TLS connections on these processes.

A direct connection allows Independent Gateway to communicate with the backend Tableau Server processes without proxying through the Gateway process. Direct connection provides better performance than the alternative relay connection.

Configuration

Direct connection is the default configuration. As such, you do not need to run a command to set it. However, should you need to reset to the default direct connection, run the following commands:

tsm configuration set -k gateway.tsig.proxy_tls_optional -v all --force-keys
tsm pending-changes apply

Manage port ingress

After installation, Independent Gateway must be able to communicate with Tableau Server over multiple ports. These ports are dynamically assigned during setup and are in the range TCP 8000-9000. The specific ports and corresponding processes used to communicate with Tableau Server are written to a CSV file on the computer running Independent Gateway at TSIG_DATA/config/httpd/proxy_targets.csv.

In a default installation: /var/opt/tableau/tableau_tsig/config/httpd/proxy_targets.csv.

Use proxy_targets.csv to set or automate port ingress configuration through your network to Tableau Server. We recommend automating port ingress configuration, since the ports may change if the topology of the Tableau Server deployment changes. Adding nodes or reconfiguring processes on the Tableau Server deployment will trigger changes to the port access required by Independent Gateway.
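
One way to automate this, shown as an added example that is not part of the original Tableau documentation: the script reads the targets file, accepts only ports in the TCP 8000-9000 range stated above, and reports which ingress rules are missing and which are stale. The three-column layout (process, host, port), the sample rows and the function names are assumptions, because this page does not document the file's format.

```python
import csv
import io

# Dynamic port range stated on this page: TCP 8000-9000.
PORT_MIN, PORT_MAX = 8000, 9000

# Constructed sample. Assumed layout: process,host,port (not documented here).
SAMPLE_CSV = """\
vizportal,10.0.30.11,8600
vizqlserver,10.0.30.11,8332
vizqlserver,10.0.30.12,8332
vizportal,10.0.30.13,22
"""

def parse_targets(csv_text):
    """Return (required, rejected): valid (host, port) pairs and bad rows."""
    required, rejected = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        fields = [f.strip() for f in row]
        try:
            host, port = fields[1], int(fields[2])
        except (IndexError, ValueError):
            rejected.append(fields)   # malformed row: never turn it into a rule
            continue
        if host and PORT_MIN <= port <= PORT_MAX:
            required.add((host, port))
        else:
            rejected.append(fields)   # outside the documented dynamic range
    return required, rejected

def ingress_diff(required, allowed):
    """Return (to_open, to_close) relative to the currently allowed rules."""
    return sorted(required - allowed), sorted(allowed - required)

if __name__ == "__main__":
    required, rejected = parse_targets(SAMPLE_CSV)
    # Constructed: rules the firewall currently allows from the gateway host.
    allowed = {("10.0.30.11", 8600), ("10.0.30.11", 8100)}
    to_open, to_close = ingress_diff(required, allowed)
    for host, port in to_open:
        print(f"open  tcp {host}:{port}")
    for host, port in to_close:
        print(f"close tcp {host}:{port}  (no longer in proxy_targets.csv)")
    for row in rejected:
        print(f"review row, not applied: {row}")
```

To run it against a real deployment, read the text from TSIG_DATA/config/httpd/proxy_targets.csv and adjust the column indexes to the file's actual layout. Closing stale rules after each topology change keeps the firewall limited to the ports Independent Gateway currently needs.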

Relay connection

In a relay connection configuration, the Independent Gateway does not connect directly to the backend processes. Instead, the Independent Gateway relays communication to the Gateway process on the backend Tableau Server deployment over HTTP. This relay process results in an extra hop and therefore degrades performance as compared to the direct connection configuration.

One benefit of configuring Independent Gateway as a relay connection is to secure traffic with TLS. See Configure TLS on Independent Gateway.

Configuration

To configure Independent Gateway for relay connection to Tableau Server, run the following commands:

tsm configuration set -k gateway.tsig.proxy_tls_optional -v none --force-keys
tsm pending-changes apply

Housekeeping protocol

Both direct and relay connections require communication with the Tableau Server housekeeping (HK) protocol. The HK process maintains configuration state between the backend Tableau Server deployment and the Independent Gateway. During installation, Tableau Server must be able to communicate with Independent Gateway over port 21319.

Housekeeping protocol communication details:

  • The HK requests check Independent Gateway status and update configuration as needed. There is no customer data in these requests. The configurations do not include passwords or other secrets.
  • The configuration files do contain details about the Tableau Server cluster topology so that Independent Gateway can perform reverse proxy functions. Cluster topology configuration can be considered sensitive because the configuration could provide targeting information to an attacker. Note that such configuration data would only be useful to attackers who could then access the Tableau Server cluster.
  • The configuration update files include a check of the hashed contents. This provides an extra layer of security to validate the integrity of the configuration files that are used to update Independent Gateway.

By default, the HK process uses TCP 21319.

Beginning with Tableau Server 2022.1.2, TLS is supported on the HK connection. See Configure TLS on Independent Gateway.

Change the HK port

You can change the port used by the HK protocol as part of the Independent Gateway initialization. See Help Output for initialize-tsig Script.

If you have already installed Independent Gateway, you can change the port by updating the TSIG_HK_PORT value in environment.bash.

By default, environment.bash is located at /etc/opt/tableau/tableau_tsig.

After you have updated the file, you must restart tsig-httpd:

sudo su - tableau-tsig
systemctl --user restart tsig-httpd
exit

Log file locations

The most useful log entries on Tableau Server are in the tabadminagent log file directory. However, if you are running Tableau Server in a cluster, you must look on each instance to locate the latest tabadminagent logs.

On the Independent Gateway, the following log files are written to the TSIG_DATA/logs/ directory.

By default, this is at the path /var/opt/tableau/tableau_tsig/logs:

  • access.log: Independent Gateway will write to access.log for logging that is generated by the httpd.conf.stub configuration. Timestamped log files (e.g. access_date.log) are generated by httpd.conf configuration.
  • error.log
  • startup.log

These logs are also relayed verbatim to the Tableau Server deployment and stored in sub-directories of the Cluster Controller logs directory. As such, the Independent Gateway logs are included in the ziplog file generated by the tsm maintenance ziplogs command.

Troubleshooting

For troubleshooting tips, see Troubleshooting Tableau Server Independent Gateway in the Enterprise Deployment Guide (EDG). The EDG provides an example deployment of Tableau Server on Linux. The troubleshooting steps are useful for Windows or Linux versions of Tableau Server.
