14 Replies Latest reply on Mar 25, 2014 11:48 AM by Thom Gourley

    IP Subnet for mapvisual2.tableausoftware.com

    Richard King


      Hi,

       

      I'm seeing some issues with mapping and our Tableau implementation whereby maps aren't rendered due to issues getting out to the mapping servers.  Looking at the knowledge base I can see that firewall access on TCP 80 is required to mapvisual2.tableausoftware.com but that raises an issue:

       

      mapvisual2.tableausoftware.com is a DNS entry that represents a collection of 8 servers that appear to be hosted in the cloud.  An nslookup will tell me the IP addresses of those 8 servers but it seems that none of them have static IPs, so they will change very regularly.

       

      Obviously, for firewall rules this can present a bit of a problem (our firewall doesn't, and nor would I want it to, make decisions based on DNS lookups).  Does anyone know the subnet that is used for the map servers so I can give broad access to that and not have to worry about the specific IPs that are always changing?

       

      Thanks,

      Rich

        • 1. Re: IP Subnet for mapvisual2.tableausoftware.com
          Dan Cory

          Please contact support and they can help you with this.

           

          Dan

          1 of 1 people found this helpful
          • 2. Re: IP Subnet for mapvisual2.tableausoftware.com
            Toby Erkson

            I can't help but I can sympathize.  We have strict security and VIPs (Virtual IP) and what a PITA.  My networking guy is working with Tableau support.  No answers yet [from my guy] as my priority keeps getting trumped by other network stuff.

            • 3. Re: IP Subnet for mapvisual2.tableausoftware.com
              Richard King

              I've contacted support to see if they can help with a subnet or a VIP.  If they can't help I guess that will leave me with two options:

               

              1. Give the server(s) really open access to the web (not desirable)
              2. Get things working through a proxy.  Currently if I set a proxy (using the "run as..." method advised in the knowledge base article) it seems to cause all sorts of trouble accessing data/views with the following error (despite being logged in as an administrator):

                To access this workbook, you must have the Connect permission for its data sources. Because you are logged in as Guest, you do not have this permission. Log in as a named user to try again

              Thanks,

              Rich

              • 4. Re: IP Subnet for mapvisual2.tableausoftware.com
                Richard King

                UPDATE:

                 

                Whilst waiting for the support guys I had a dig around the IPs myself and it appears that they are from the following Amazon Web Services Cloudfront ranges:

                 

                54.230.0.0/16

                54.240.128.0/18

                 

                Hopefully the support team will be able to confirm with me whether or not these are the only ranges in use, or if some of the other AWS ranges are also used.

                 

                Rich

                • 5. Re: IP Subnet for mapvisual2.tableausoftware.com
                  Allan Walker

                  Rich,


                  Here's an alternative mapping solution.

                   

                  Best Regards,

                   

                  Allan

                  • 6. Re: IP Subnet for mapvisual2.tableausoftware.com
                    Jake Baillie

                    Hi Richard,

                     

                    We (Urban Mapping) announced a new content delivery system for maps in Tableau at the Tableau Customer Conference in London last week. This enables faster maps access for users in Tableau, worldwide.

                     

                    The CDN uses location detection to direct your request to the tile server that is closest to/fastest for your location. There are 40 tile server endpoints in various locations throughout North America, South America, Europe, and Asia.

                     

                    The IP that mapvisual2.tableausoftware.com resolves to could come out of any of the following blocks:

                     

                    54.230.0.0/16

                    54.239.128.0/18

                    54.240.128.0/18

                    204.246.164.0/22

                    204.246.168.0/22

                    204.246.174.0/23

                    204.246.176.0/20

                    205.251.192.0/19

                    205.251.249.0/24

                    205.251.250.0/23

                    205.251.252.0/23

                    205.251.254.0/24

                    216.137.32.0/19


                    As Dan noted, you can contact support if you have any questions, or feel free to follow up with me directly.


                    1 of 1 people found this helpful
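A way to test a candidate firewall rule against lookup results before relying on it, comparing the two ranges observed in reply 4 with the full list in reply 6. This is an added example, not part of the thread; the sample lookup answers are constructed and the function names are illustrative.

```python
import ipaddress

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# The two ranges observed by lookup in reply 4.
OBSERVED = nets(["54.230.0.0/16", "54.240.128.0/18"])

# The full list of blocks quoted in reply 6.
PUBLISHED = nets([
    "54.230.0.0/16", "54.239.128.0/18", "54.240.128.0/18",
    "204.246.164.0/22", "204.246.168.0/22", "204.246.174.0/23",
    "204.246.176.0/20", "205.251.192.0/19", "205.251.249.0/24",
    "205.251.250.0/23", "205.251.252.0/23", "205.251.254.0/24",
    "216.137.32.0/19",
])

# Constructed sample: addresses a lookup might return over several days.
SAMPLE_ANSWERS = ["54.230.12.34", "54.240.160.9", "204.246.169.20",
                  "205.251.251.7", "198.51.100.7"]

def classify(answers, allowed):
    """Map each address to the allow-list block that covers it, or None."""
    out = {}
    for text in answers:
        addr = ipaddress.ip_address(text)
        out[text] = next((str(n) for n in allowed if addr in n), None)
    return out

def uncovered(answers, allowed):
    """Addresses the firewall rule would drop."""
    return sorted(a for a, b in classify(answers, allowed).items() if b is None)

def exposure(allowed):
    """Total destination addresses the rule opens (blocks merged first)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(allowed))

if __name__ == "__main__":
    for label, rule in (("observed", OBSERVED), ("published", PUBLISHED)):
        print(label, "opens", exposure(rule), "addresses; dropped:",
              uncovered(SAMPLE_ANSWERS, rule))
```

Feeding it real lookup output on a schedule shows when an answer lands outside the rule, which is the failure that appears as blank maps.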
                    • 7. Re: IP Subnet for mapvisual2.tableausoftware.com
                      Richard King

                      Hi,

                       

                      Thanks for all the suggestions, I followed Dan's advice and contacted support who were able to provide me with 2 IPs that can essentially be used to proxy traffic to the map data sites:

                       

                      mapvisual2.tableausoftware.com = 66.35.252.204

                      mapspatial.tableausoftware.com = 66.35.252.219

                       

                      This has allowed me to put in a workaround of:

                       

                      1. Allow TCP 80 outbound access from our worker servers to the 2 proxy IPs on the firewall
                      2. Put host file entries on the worker servers to point mapvisual2.tableausoftware.com & mapspatial.tableausoftware.com  to their proxy IPs.

                       

                      The reliance on host file entries isn't ideal but for the moment it is the best balance I can get between security and functionality.

                       

                      I completely agree with Jake and the Urban Mapping team that the use of AWS CloudFront as a CDN for all the mapping data is an awesome move for performance.  Especially for publicly available websites, whole site delivery over AWS CloudFront CDN is awesome, but hosting content that must be accessible from a solution that might be completely for internal use can throw up security problems for a minority of users such as myself.

                       

                      I guess the easy solution is to open up access to all those AWS ranges but it gives broad access to content I have no control of - any AWS customer can be using those IPs for any content they want.

                       

                      The end result is - problem solved!  I reckon as people make more use of cloud services I'll have to open up those ranges (and others) anyway, but for now I'll cling to the old world for a bit longer.

                       

                      Thanks for all the help and suggestions

                       

                      Rich

                      • 8. Re: IP Subnet for mapvisual2.tableausoftware.com
                        Sathish Pj

                        Hi Richard,

                         

                        I am trying to get the online maps displayed on the dashboards when executed from Tableau Server but it always returns blank. I added the proxy but users started seeing "Forbidden Error" "To access this workbook, you must have the Connect permission for its data sources. Because you are logged in as Guest, you do not have this permission. Log in as a named user to try again"

                         

                        I see you have received the same error. Can you please guide me on how you got over it and made maps work from Tableau Server?

                         

                        Thanks,

                        Sathish.

                        • 9. Re: IP Subnet for mapvisual2.tableausoftware.com
                          Richard King

                          Hi Sathish,

                           

                          I didn't get that particular error when I was trying to work out a good method for accessing map data.  The error sounds like the problem could be unrelated to map server access and may be a more fundamental permissions/access issue with your data sources?

                           

                          It might be something Tableau Support can help you out with?

                           

                          Thanks,

                          Rich

                          • 10. Re: IP Subnet for mapvisual2.tableausoftware.com
                            Sathish Pj

                            Hi Rich,

                             

                            Appreciate your quick response.

                             

                            I was checking the update below that you made on June 18, 2013. As soon as I enabled the proxy, I started seeing the access error even when logged in as admin. If the proxy is removed, everything goes back to normal. I am currently working with our network resources to validate whether port 80 is enabled on the Tableau servers for outbound access to the map servers. Is there anything else that we need to check specifically from a network perspective to get online maps working?

                             

                                           "I've contacted support to see if they can help with a subnet or a VIP.  If they can't help I guess that will leave me with two options:

                             

                                           Give the server(s) really open access to the web (not desirable)

                            Get things working through a proxy.  Currently if I set a proxy (using the "run as..." method advised in the knowledge base article) it seems to cause all sorts of trouble accessing data/views with the following error (despite being logged in as an administrator):

                             

                                           To access this workbook, you must have the Connect permission for its data sources. Because you are logged in as Guest, you do not have this permission. Log in as a named user to try again"

                             

                             

                            Thanks,

                            Sathish.

                            • 11. Re: IP Subnet for mapvisual2.tableausoftware.com
                              Richard King

                              Hi,

                               

                              For a server setup, the options I can see to get maps working are:

                               

                              1. If you use a proxy in your environment to get to the web, then set up the options on your servers as recommended in the Tableau documentation.  If you have a single server environment this will need to be configured there, or if you have a distributed setup then it will need to be configured on each worker server.

                                (Unfortunately I couldn't get this to work with our proxy setup)
                              2. If your environment uses a firewall that is enabled to do DNS lookups then you could remove all proxy settings from your server(s) and on your firewall allow port 80 access from your server(s) to the following URLs:

                                mapvisual2.tableausoftware.com
                                mapspatial.tableausoftware.com

                                The firewall will then resolve these URLs to the Amazon IPs to let you out.

                                (This wasn't an option for me with how we like to run our firewall)
                              3. Remove all proxy settings from your server(s) and set up a rule on your firewall that allows direct access on TCP 80 from your server(s) to all AWS IP ranges.

                                (I didn't like this option as I considered the rule needed as too broad in the access it gives in comparison with what it needs.  This option also introduces a management overhead as Amazon are often changing/expanding their ranges)
                              4. The final option I can think of is the one mentioned in my earlier post.  This is the option I went with:

                                - Remove all the proxy settings on your server(s)
                                - Put the host file entries mentioned in my previous post on your server(s)
                                - On your firewall allow TCP 80 access from your server(s) to the 2 IPs used in your host file entries.

                               

                              Hopefully, one of those options will help you.  It sounds like you were trying option 1 at the moment and it's not working, so maybe one of options 2-4 will help?

                               

                              Thanks,

                              Rich
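A consistency check for option 4, where the hosts file entries and the firewall rule must agree or maps fail without an obvious cause. This is an added example, not part of the thread; the two pinned addresses are the ones given in reply 7, the hosts file contents are constructed, and the code assumes the first hosts entry for a name is the one the resolver uses.

```python
import ipaddress

# Pins given in reply 7.
EXPECTED = {
    "mapvisual2.tableausoftware.com": "66.35.252.204",
    "mapspatial.tableausoftware.com": "66.35.252.219",
}

# Constructed sample hosts files.
GOOD_HOSTS = """\
# constructed sample
127.0.0.1      localhost
66.35.252.204  mapvisual2.tableausoftware.com
66.35.252.219  MapSpatial.TableauSoftware.com   # mixed case still matches
"""
TYPO_HOSTS = GOOD_HOSTS.replace("MapSpatial", "mapspartial")

def parse_hosts(text):
    """Return {lower-case hostname: first IP listed for it}."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # skip malformed lines
        for name in names:
            pins.setdefault(name.lower(), ip)   # assumption: first entry wins
    return pins

def audit(hosts_text, firewall_allow, expected=EXPECTED):
    """Return (hostname, finding) pairs; an empty list means consistent."""
    pins = parse_hosts(hosts_text)
    allow = {ipaddress.ip_address(a) for a in firewall_allow}
    findings = []
    for name, want in expected.items():
        got = pins.get(name)
        if got is None:
            findings.append((name, "not-pinned"))    # falls back to DNS and CDN addresses
        elif got != want:
            findings.append((name, "wrong-ip"))
        elif ipaddress.ip_address(got) not in allow:
            findings.append((name, "not-allowed"))   # pinned, but the firewall drops it
    return findings
```

Run on each worker server, `audit(TYPO_HOSTS, EXPECTED.values())` reports `mapspatial.tableausoftware.com` as `not-pinned`, the case where a misspelled entry silently sends lookups back to the changing CDN addresses.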

                              • 12. Re: IP Subnet for mapvisual2.tableausoftware.com
                                Sathish Pj

                                Thanks so much Rich.

                                 

                                Thanks,

                                Sathish.

                                • 13. Re: IP Subnet for mapvisual2.tableausoftware.com
                                  Thom Gourley

                                  Thanks for posting this, Richard.  I am working with Tableau Support on essentially this same issue.  At the time I opened the case, I didn't quite know the precise search terms and didn't hit your post.  But after diagnosing the problem, I searched again with different key words and found this thread.

                                   

                                  Just for the record:  I set up an outbound proxy as in your option "1."  While this enabled maps, I eventually got reports from one of my site admins that their data source connections were broken for visualizations outside of workbooks which were using previously published data sources.  Visualizations within workbooks were not broken.  [I think I said that correctly, but I am not a Desktop user - just a sysadmin.  ;-) ]

                                   

                                  So this seems like a possible design quirk in TS.  Hopefully the design team has this on their radar.

                                   

                                  So it appears that I may be forced into the host file workaround, which is not appealing since it does not offer the same flexibility as an outbound proxy.  Just wanted to post this comment for others who hit this same error.

                                  • 14. Re: IP Subnet for mapvisual2.tableausoftware.com
                                    Thom Gourley

                                    We came up with a solution, although I can’t be certain that my problem was exactly the same as Richard's.  So here are the basics of my situation:

                                     

                                    1. Distributed server:  We have one primary and one worker.
                                    2. The primary server only runs the gateway (webserver) and no other [Tableau] processes.
                                    3. I configure a proxy on the same subnet as primary and worker machines listening on port 80.
                                    4. As the “run as” service user on both the primary and the worker machines:  I enter IE internet options->Connections->LAN Settings, check the “Use  a proxy...” option and click the “Advanced” button.  Proxy IP with port 80 is entered into both the HTTP and Secure entries.
                                    5. On the primary: Stopped the server, ran the tabadmin commands for setting up the proxy as described in the Admin Guide.  (Note that the tabadmin to set the proxy port can be skipped, since 80 is its default.)
                                    6. Restarted Tableau Server.

                                     

                                    At this point, the proxy worked for outgoing mapping services, BUT all data sources (not extracts) were broken, giving the same error as documented by Richard:

                                     

                                    To access this workbook, you must have the Connect permission for its data sources. Because you are logged in as Guest, you do not have this permission. Log in as a named user to try again

                                     

                                    Our proxy techie found errors in the proxy logs indicating that the primary was rejecting connections from the worker – and more specifically that those attempts were going through the proxy.

                                     

                                    So we decided to try using the IE settings on the worker to exclude the primary.   (On the worker machine as “run as” go to the Advanced settings and enter the IP of the primary and also the URL for good measure into the “Exceptions” box.)

                                     

                                    This worked and eliminated the errors from data sources.  Now we have both outbound to the internet and data sources that work without complaining.

                                     

                                    I would like to encourage Tableau to document the whole proxy setup a little better.  The IE setup (a necessary step to make the proxy work) is not included in the Admin Guide.  And setting Exceptions to exclude Tableau Server's communications with itself is not documented anywhere that I have seen yet.  (Not sure if the data source connections are handled the same in a single server environment.)

                                     

                                    A little more detail in regards to Tableau Server’s networking internals would be helpful also.  Seems that many of Tableau’s support people aren’t aware of a lot of these details either.