Communicating with the Internet

In most enterprises, Tableau Server needs to communicate with the internet. Tableau Server was designed to operate inside a protected internal network. Do not set up Tableau Server directly on the internet or in a DMZ. Instead, communications between your network and the internet should be mediated using proxy servers. If the computer running Tableau Server cannot access the internet directly, then you may need to deploy forward proxy servers to mediate traffic from inside the network to targets on the internet. Tableau Server doesn't support pass-through or manual proxy authentication.

For inbound traffic, we recommend running Tableau Server behind reverse proxy servers.

How Tableau communicates with the internet

Tableau Server requires outbound access to the internet for these scenarios:

  • Working with maps. Tableau uses map data that is hosted externally.

    Tableau Server needs to connect to the following internet locations with port 443 to use maps:

    • mapsconfig.tableau.com
    • api.mapbox.com

    If Tableau cannot make these connections, maps may fail to load.

    You can test connectivity by accessing each of those addresses in a browser: https://mapsconfig.tableau.com/v1/config.json(Link opens in a new window) and https://api.mapbox.com/(Link opens in a new window) will prompt you to download a json file.

    If you use a proxy to connect to the internet and are unable to connect to api.mapbox.com, see Working with firewalls(Link opens in a new window) on the Mapbox website.

    For Tableau Server version 2019.1 and earlier, see the documentation for your version: Tableau Help(Link opens in a new window)

  • Connecting to the Tableau send-logs server.

    You can upload log files to Tableau when working with Support. See tsm maintenance send-logs(Link opens in a new window). To successfully upload files to Tableau, your Tableau Server must be able to communicate with the send-logs server on port 443:

    • report-issue.tableau.com:443

    • crash-artifacts-747369.s3.amazonaws.com

    • s3-us-west-2-w.amazonaws.com

    • s3-w-a.us-west-2.amazonaws.com

  • Sending Basic Product Data.

    The domain, prod.telemetry.tableausoftware.com, is used by Tableau to receive the Basic Product Data about process launch and shutdown. It is also used for the more general Product Usage Data.

    Traffic to this domain will occur on port 80 (for initial registration of our Product Data clients) and on port 443 (for all subsequent traffic).

    prod.telemetry.tableausoftware.com:80

    prod.telemetry.tableausoftware.com:443

  • Licensing. Tableau products connect to the internet to activate product keys. Unless you activate Tableau software with the Offline Activation Tool, all Tableau products must have access to the internet to validate licenses. Specifically Tableau requires internet access during the following licensing operations: activation, deactivation, and on the refresh maintenance date. For more information about these operations, see Manage Licenses(Link opens in a new window).

    Tableau Server needs to connect to the following internet locations when activating product keys, registering the product, and signing in to Tableau Cloud.

    • atr.licensing.tableau.com:443

    • licensing.tableau.com:443

    • register.tableau.com:443

    • o.ss2.us

    • s.ss2.us

    • crt.rootca1.amazontrust.com

    • crt.sca1b.amazontrust.com

    • crt.sca0a.amazontrust.com

    • crt.sca1a.amazontrust.com

    • crt.sca2a.amazontrust.com

    • crt.sca3a.amazontrust.com

    • crt.sca4a.amazontrust.com

    • *.digicert.com

    • ocsp.*.amazontrust.com

    • crl.*.amazontrust.com

    • crt.rootg2.amazontrust.com

    Requests to the above domains may be on port 80 or 443. Port 80 is used for certificate validation (revocation, certificate chain, etc). Port 443 is used for SSL connections.

    Requests to the ocsp.*.amazontrust.com and crl.*.amazontrust.com domains are managed by Amazon for certificate revocation information. See ACM certificate characteristics(Link opens in a new window) for more information. We recommend that you install the Amazon root certificates in the certificate trust store on the computer running Tableau. To download and install the Amazon root certificates, see Certificate Authorities(Link opens in a new window) on the Amazon Trust Services web site.

    If Tableau Server cannot make a connection while attempting to activate its license, you will be prompted to do an offline activation.

    To diagnose connectivity to Tableau's licensing server, paste the following URL into a browser or at a curl command prompt on the Tableau Server computer:

    https://atr.licensing.tableau.com/_status/healthz

    If Tableau Server is able to access the licensing server, it displays an "OK" message. Otherwise, an error such as "Can't reach this page" may be displayed. To resolve this issue, work with your networking team to unblock access to atr.licensing.tableau.com:443 on the Tableau Server computer.

    Specifically, for deployments where ATR is configured, see Step 4: Verify proxy settings do not conflict with Windows environment variables.

  • Working with external or cloud-based data.

    Tableau Server needs to connect to the following internet location for Anaplan, Box, Dropbox, Google Drive, Google Sheets, OneDrive, and Snowflake services:

    galop.connectors.tableau.com:443

  • Working with Tableau dashboard extensions.

    Tableau Server needs to connect to the following internet location to use Sandboxed dashboard extensions:

    extensions.tableauusercontent.com: 443

    For more information, see Manage Dashboard and Viz Extensions in Tableau Server.

  • Working with Slack.

    If you are integrating Tableau with a Slack workspace, there are a number of steps you need to take, including adding specific URLs to the Tableau allowlist. These are listed here(Link opens in a new window). For complete details on how to do this, see Integrate Tableau with a Slack Workspace.

Tableau Server can run without internet access. For more information about deploying Tableau Server in organizations without access to the internet, see Install Tableau Server in a Disconnected (Air-Gapped) Environment.

In many enterprises, users also need to access Tableau Server from outside the network (that is, from the internet). For example, in many enterprises, users want to be able to reach Tableau Server from their mobile devices in order to interact with views that are stored on the server. To configure access to Tableau Server from the internet or from mobile devices, you should use a reverse proxy. See Configuring Proxies and Load Balancers for Tableau Server.

As a security best practice, do not expose the TSM port (by default, 8850) to the internet.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!