5 Replies Latest reply on Jun 7, 2013 7:12 AM by Russell Christopher

    Data Extracts Vs. Live Connections Outside Of A Corporate Firewall

    Daniel  Paduck

      Hi. We are new to Tableau and are currently using Tableau server.  We are going to have published dashboards outside of our firewall. I am curious as to what the standard practice is in regards to this.  Should there never be a live connection to the database and just use data extracts in this case?

       

      Thanks!

        • 1. Re: Data Extracts Vs. Live Connections Outside Of A Corporate Firewall
          Russell Christopher

          Hey Daniel -

           

          I don't think you'll find any hard and fast opinions on your question. And FYI, you can still continue to use a live connection even with your firewall. Tableau allows one to create and publish a Data Source to Tableau which connects to a live database or a Data Extract and then consume it via Desktop:

           

          Unleashing the Tableau Data Server | Tableau Software

           

          So, your folks can still see "live" data, even if there isn't a hole in the firewall to allow them to make a direct connection to the database server via Desktop. Instead, they'll use Tableau Server (behind the firewall) to ask the question for them.

           

          So I'll turn the question around - assuming your firewall isn't an issue (it's not), what approach do you prefer? Is your database fast enough to answer questions for users? Do you have enough time to build/refresh extracts at night during your batch window? Do you have any specific requirements around how "fresh" your data should be?

           

          Answers to the questions above will probably inform your choice...

           

          Good luck!

          1 of 1 people found this helpful
          • 2. Re: Data Extracts Vs. Live Connections Outside Of A Corporate Firewall
            Daniel  Paduck

            Thanks for your response.  I believe that our database is fast enough to handle questions.  However, if we did do the extracts then they could be built at night.  A nightly refresh is fine as far as the freshness of the data is concerned.

             

            If you do a live connection to the database from the Tableau server, which sits outside of the firewall, to the database that sits inside the firewall, isn't that a security risk/hole?

             

            Thanks.

            • 3. Re: Data Extracts Vs. Live Connections Outside Of A Corporate Firewall
              Russell Christopher

              Hey Daniel -

               

              Yes. If Tableau is sitting outside your firewall, then this could be an issue - I didn't read closely enough and assumed you were putting Tableau behind your firewall, too. Any particular reason why you have it sitting where it is?

               

              It may be too late, but many people deploy with a reverse proxy in their DMZ which forwards to Tableau Server behind a firewall (in the same zone where your database lives). This would allow you to shield conversations between Tableau and your database "safer", but allow the resources to communicate with no complications.

               

              While more difficult to deploy, some users will put Tableau's "gateway" process in the DMZ and the rest of the components behind a firewall on a different machine. The Tableau gateway communicates through the firewall to the other Tableau components. Of course, those other components (like the VizQLServer process, which renders reports) can communicate directly (and safely) with your database.

               

              So you definitely have some options here if you do want to connect live to the database. You may just find it easier to keep it simple and use extracts, however.

              1 of 1 people found this helpful
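
The three layouts discussed in the reply above (Tableau Server in the DMZ with a live connection, a reverse proxy in the DMZ, and only the gateway in the DMZ), modelled as network flows to show what each one requires the inner firewall to allow. This is an added example, not part of the original thread or Tableau's documentation; the zone names, role names and port numbers are constructed for illustration.

```python
# Added illustration: zones, roles and port numbers below are constructed.
from typing import NamedTuple

class Flow(NamedTuple):
    src_zone: str   # "internet", "dmz" or "internal"
    src_role: str
    dst_zone: str
    dst_role: str
    port: int

# Layout asked about: Tableau Server in the DMZ with a live database connection.
TABLEAU_IN_DMZ = [
    Flow("internet", "browser", "dmz", "tableau", 443),
    Flow("dmz", "tableau", "internal", "database", 1433),
]
# Layout from the reply: reverse proxy in the DMZ, Tableau Server beside the database.
PROXY_IN_DMZ = [
    Flow("internet", "browser", "dmz", "proxy", 443),
    Flow("dmz", "proxy", "internal", "tableau", 443),
    Flow("internal", "tableau", "internal", "database", 1433),
]
# Second layout from the reply: only the gateway process in the DMZ.
GATEWAY_IN_DMZ = [
    Flow("internet", "browser", "dmz", "gateway", 443),
    Flow("dmz", "gateway", "internal", "vizql", 9100),
    Flow("internal", "vizql", "internal", "database", 1433),
]

def inner_firewall_openings(flows):
    """Rules the inner firewall must allow: traffic entering 'internal' from another zone."""
    return sorted({(f.src_role, f.dst_role, f.port) for f in flows
                   if f.dst_zone == "internal" and f.src_zone != "internal"})

def database_exposed(flows):
    """True if any host outside the internal zone talks to the database directly."""
    return any(f.dst_role == "database" and f.src_zone != "internal" for f in flows)

def review(name, flows):
    return {"layout": name,
            "inner_firewall_openings": inner_firewall_openings(flows),
            "database_exposed": database_exposed(flows)}

if __name__ == "__main__":
    layouts = {"tableau-in-dmz": TABLEAU_IN_DMZ, "proxy-in-dmz": PROXY_IN_DMZ,
               "gateway-in-dmz": GATEWAY_IN_DMZ}
    for name, flows in layouts.items():
        print(review(name, flows))
```
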
              • 4. Re: Data Extracts Vs. Live Connections Outside Of A Corporate Firewall
                Daniel  Paduck

                I believe that the only reason they are putting the server outside of the firewall into the DMZ is so that any of our project managers can go to the website, log in and then view the reports.

                 

                I am just doing the development on this and do not have control of the server. Plus, I am pretty new to this too.

                 

                It sounds like it is possible to have the server sit behind the firewall, but still allow users to connect to it from outside of the firewall. Is that correct?  I guess I would prefer to do the live connections if it is at all possible without the security risks.

                 

                Thanks!

                • 5. Re: Data Extracts Vs. Live Connections Outside Of A Corporate Firewall
                  Russell Christopher

                  Right. If you tell the guys who own the server to search our Admin Guide for the keywords "reverse proxy" they'll find some good info.

                   

                  Good luck!