Configure Tableau Server with Independent Gateway
This topic describes how to configure Tableau Server with Independent Gateway for different connection scenarios and for a custom authentication module.
For installation procedure, see Install Tableau Server with Independent Gateway.
For an end-to-end deployment example running on Tableau Server for Linux in AWS, see Configuring Web Tier(Link opens in a new window) in the Enterprise Deployment Guide.
Direct vs relay connection
The Independent Gateway can communicate directly with the back-end Tableau Server processes over multiple ports. We refer to this communication as direct connection.
Alternatively. you can configure Independent Gateway to relay client communication over a single port to the gateway process on Tableau Server. We refer to this as a relay connection.
The TSM configuration key that sets the connection type is gateway.tsig.proxy_tls_optional
.
The following sections describe how these connections differ and how to set them.
Direct connection
In this configuration, the Independent Gateway communicates directly with the backend processes on Tableau Server over multiple ports. This requires that you open the ports between the firewall that separates Independent Gateway from the Tableau Server back end deployment.
The current implementation of Independent Gateway does not support TLS connections on these processes.
A direct connection allows Independent Gateway to communicate with the backend Tableau Server processes without proxying through the Gateway process. Direct connection provides better performance than the alternative relay connection.
Configuration
Direct connection is the default configuration. As such you do not need to run a command to set it. However, should you need to reset to the default direct connection, run the following commands:
tsm configuration set -k gateway.tsig.proxy_tls_optional -v all --force-keys tsm pending-changes apply
Manage port ingress
After installation, Independent Gateway must be able to communicate with Tableau Server over multiple ports. These ports are dynamically assigned during setup and are in the range, TCP 8000-9000. The specific ports and corresponding processes used to communicate to Tableau Server are written to a CSV file on the computer running Independent Gateway at TSIG_DATA/config/httpd/proxy_targets.csv
.
Note: Independent Gateway is an implementation built on Apache httpd. All TSM commands that reference file locations use forward slashes, even on Windows. This is an Apache httpd convention.
Use proxy_targets.csv
to set or automate port ingress configuration through your network to Tableau Server. We recommend automating port ingress configuration since the ports may change if the topology Tableau Server deployment changes. Adding nodes or reconfiguring processes on the Tableau Server deployment will trigger changes to the port access required by Independent Gateway.
Relay connection
In a relay connection configuration, the Independent Gateway does not connect directly to the backend processes. Instead, the Independent Gateway relays communication to the Gateway process on the backend Tableau Server deployment over HTTP. This relay process results in an extra hop and therefore degrades performance as compared to the direct connection configuration.
One benefit of configuring Independent Gateway as a relay connection is to secure traffic with TLS. See Configure TLS on Independent Gateway.
Configuration
To configure Independent Gateway for relay connection to Tableau Server, run the following commands:
tsm configuration set -k gateway.tsig.proxy_tls_optional -v none --force-keys tsm pending-changes apply
Housekeeping protocol
Both direct and relay connections require communication with the Tableau Server housekeeping (HK) protocol. The HK process maintains configuration state between the backend Tableau Server deployment and the Independent Gateway. During installation the Tableau Server must be able to communicate with Independent Gateway over port 21319.
Housekeeping protocol communication details:
- The HK requests check Independent Gateway status and update configuration as needed. There is no customer data in these requests. The configurations do not include passwords or other secrets.
- The configuration files do contain details about the Tableau Server cluster topology so that Independent Gateway can perform reverse proxy functions. Cluster topology configuration can be considered sensitive because the configuration could provide targeting information to an attacker. Note that such configuration data would only be useful to attackers who could then access the Tableau Server cluster.
- The configuration update files include a check of the hashed contents. This provides an extra layer of security to validate the integrity of the configuration files that are used to update Independent Gateway.
By default, the HK process uses TCP 21319.
Beginning with Tableau Server 2022.1.2, TLS is supported on HK connection. See Configure TLS on Independent Gateway.
Change the HK port
You can change the port used by the HK protocol as part of the Independent Gateway initialization.
To change the port after installation, you can re-run the post-install script to provide a different value for TSIG_HK_PORT
. By default, the script is at C:\Program Files\Tableau\Tableau Server\independentgateway\scripts\initialize-tsig.bat
.
Log file locations
The most useful log entries on Tableau Server are in the tabadminagent
log file directory. However, if you are running Tableau Server in a cluster, you must look on each instance to locate the latest tabadminagent logs.
On the Independent Gateway, the following log files are written to the TSIG_DATA/logs/
directory.
access.log
: Independent Gateway will write toaccess.log
for logging that is generated by the httpd.conf.stub configuration. Timestamped log files (e.g.access_date.log
) are generated by httpd.conf configuration.error.log
startup.log
These logs are also relayed verbatim to the Tableau Server deployment and stored in sub-directories of the Cluster Controller logs directory. As such, the Independent Gateway logs are included in the ziplog file generated by tsm maintenance ziplogs
command.
Troubleshooting
For troubleshooting tips, see Troubleshooting Tableau Server Independent Gateway(Link opens in a new window) in the Enterprise Deployment Guide (EDG). The EDG provides example deployment of Tableau Server on Linux. The troubleshooting steps are useful for Windows or Linux versions of Tableau Server.