Yes, it's possible. This will require hosting the canvas adapter on a Java application server on premises and not on Heroku. Note that your users can only access the embedded dashboards on the company network or via VPN.
Thank you very much for the info. So there is no way using this adapter to get around VPN or network? We have our sales team using SFDC via the web, off the network. Ideally they would see the embedded dashboards without needing to VPN in and without exposing Tableau Server to the internet. Again, this just may not be possible.
No, that would be a security risk if it was. You may be able to get away with setting up a reverse proxy for Tableau Server. One other option could be to use a tokenless VPN solution like GlobalProtect so the sales team are automatically VPN'd as soon as they connect to the network. It's transparent to the user and it's quite seamless.
Thank you very much for the info, those are great ideas.
I'm trying to set up a Salesforce integration where the Tableau and Sparkler servers are not exposed to the internet, but the Sparkler server is connecting through a proxy. The Salesforce IP addresses are whitelisted to the proxy but the Salesforce Canvas app previewer is getting a 403 error. The network guys say they aren't seeing any pings from the Salesforce IPs. I created a Visualforce page that calls keepAlive, it shows a successful response. Do you have any suggestions for debugging the Canvas app?
One other data point: I successfully created a Heroku Sparkler app and a have a Canvas app connected to it.
How did you set up the Sparkler app on premises? Is it being served up with a trusted SSL certificate? What happens when you access the keepAlive page directly from the browser? Any browser warnings? You should be able to see some info in the logs depending on which application server you deployed Sparkler on. One other piece to note is that Heroku uses environment variables, so you will need to do the same depending on which OS you installed it on.
The proxy server uses a trusted SSL certificate; the Sparkler server is configured to use SSL on port 443 but it does not have its own certificate. I can't access the keepAlive page from the browser because only the Salesforce IP range is whitelisted. The Visualforce page that calls keepAlive shows no browser warnings, but the HTTP GET is done from the controller (server side), so I wouldn't see them.
I don't see anything in the Tomcat logs. I did set SPARKLER_LOG_LEVEL=TRACE to get more details.
I'm going to review with a network guy later this morning.
My setup is
<internal Tableau server> ---- <internal Sparkler server> ---- <internal proxy> ---- <Salesforce>
The Salesforce IPs are whitelisted by the proxy, but it turns out the Canvas requests are coming from the client, not the server. So the Canvas app is making requests to Sparkler, the proxy sees my IP and blocks access.
Does this mean that the Sparkler server has to be publicly accessible, or at least accessible by any IPs of the Salesforce user? My client uses a VPN. Will this work?
My setup now is:
<internal Tableau server> ---- <internal Sparkler server> ---- <Salesforce>
Since I'm in the VPN the Canvas app can see the internal servers. Now I'm getting a Trusted Ticket error:
java.io.IOException: Invalid trusted ticket. ticket=
The Sparkler log shows trustedTicket=null where it's getting the request from Canvas. I set these environment variables on the Tomcat server that is running Sparkler:
Do I need to set SPARKLER_TRUSTED_CLIENT as well? What am I missing?
I will reach out to you directly. I need more specific info in order to assist. Taking this offline.
We are trying to set up Sparkler on-premises... Would like to know if this problem was resolved and if any insights can be shared.
Last I checked, everything looked good from Robert's configuration. The only piece that had to be ironed out was setting up Trusted authentication on Tableau Server.
I'm working on a separate doc outlining an on-prem install. Can't give an ETA but hopefully it will be available soon. Feel free to take the plunge. The main items that need to be resolved are using system environment variables (depending on your OS) and setting up SSL. I can post once the on-prem doc is available. Thanks
Background: Sparkler is to be installed in the demilitarized zone. We want to create DEV, TEST and PROD environments.
A few quick questions:
- Our DMZ is load-balanced. Do we need to have any special consideration around persistent connections while installing Sparkler within our DMZ?
- Sparkler, being in the DMZ, has to connect with the internal servers within the MZ. What ports etc. do we need our firewall team to open?
- What certificates and configuration do we need to install on the Sparkler server (within the DMZ) and Tableau Server (within the MZ)?
We were able to get the Canvas app to display in a Visualforce page (thanks Samson!). One of the last hurdles was the TABLEAU_TRUSTED_TICKET_SITE_ID environment variable in the Sparkler configuration - note that it is case sensitive.
Both the Tableau server and the Sparkler server require a valid SSL certificate issued by a CA. If you get any security warnings in the browser the Canvas app will not display.
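The trusted-ticket errors above (trustedTicket=null, "Invalid trusted ticket", and the case-sensitive site ID) all come down to the two legs of Tableau Server's trusted authentication handshake, which is what an embedding server such as Sparkler performs on the user's behalf. The following Python is an added illustration of that handshake and is not Sparkler's own code or part of this thread; the server name, user name, site ID and view path are hypothetical. Leg 1 is a server-to-server POST to /trusted from the embedding host (so that host, not the user's browser, is what Tableau Server's trusted-hosts list must contain); leg 2 is the browser loading the /trusted/<ticket>/... URL, which is the request that the proxy allow-list in the earlier posts was blocking because it originates from the client. Tableau Server answers leg 1 with the ticket string, or with "-1" when it refuses the request (for example, an unknown user or site, or a host that is not trusted).

```python
"""Tableau Server trusted-authentication handshake, as performed by an
embedding server (e.g. Sparkler).  Added example, not Sparkler's code.
All host names, users, sites and views below are hypothetical."""
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def trusted_ticket_request(server, username, site_id="", client_ip=None):
    """Leg 1: build the form POST the embedding *server* sends to /trusted.

    target_site is the site ID as it appears in the site URL, and Tableau
    Server matches it case-sensitively; an empty string selects the
    Default site.  client_ip is only needed when the server is configured
    to check the redeeming browser's IP (wgserver.extended_trusted_ip_checking).
    """
    form = {"username": username}
    if site_id:
        form["target_site"] = site_id
    if client_ip:
        form["client_ip"] = client_ip
    return f"{server.rstrip('/')}/trusted", urlencode(form)


def parse_ticket(body):
    """Tableau Server returns the ticket as the response body, or "-1" on refusal."""
    body = body.strip()
    if body == "-1" or not body:
        raise PermissionError(
            "Tableau Server refused the trusted ticket request: check that the "
            "embedding host is in wgserver.trusted_hosts, that the user exists "
            "on the target site, and that the site ID matches exactly (case-sensitive)"
        )
    return body


def embed_url(server, ticket, view_path, site_id=""):
    """Leg 2: the URL the *browser* loads to redeem the ticket.

    Tickets are single-use and short-lived, so this URL must be handed to
    the client immediately and never cached.
    """
    base = server.rstrip("/")
    if site_id:
        return f"{base}/trusted/{ticket}/t/{site_id}/views/{view_path}"
    return f"{base}/trusted/{ticket}/views/{view_path}"


def default_post(url, data):
    """Real transport for leg 1 (server to server, over TLS)."""
    req = Request(
        url,
        data=data.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def get_trusted_ticket(server, username, site_id="", client_ip=None, post=default_post):
    """Run leg 1 and return the ticket; `post` is injectable for offline tests."""
    url, data = trusted_ticket_request(server, username, site_id, client_ip)
    return parse_ticket(post(url, data))


if __name__ == "__main__":
    # Offline demonstration with a constructed Tableau Server response.
    fake_post = lambda url, data: "Etdpsm_Ew6rJY-9kRrALjauU"  # constructed ticket
    ticket = get_trusted_ticket("https://tableau.internal", "sales_user", "Sales", post=fake_post)
    print(embed_url("https://tableau.internal", ticket, "Pipeline/Summary", "Sales"))
```

In a deployment like the one in this thread, only leg 1 needs to reach Tableau Server from the embedding host, so the firewall rule between the DMZ and the internal zone is Sparkler host to Tableau Server on the HTTPS port, plus a wgserver.trusted_hosts entry for the Sparkler host; leg 2 is served to the browser through whatever path the users already have to Tableau Server (VPN or reverse proxy).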
I'm still working with IT on this. They have a publicly visible proxy for both, but only the Sparkler server has a certificate from an external CA. Also, the proxies have only whitelisted internal IPs. It works if I configure with the internal Tableau server and internal Sparkler server as long as I first connect to them in another tab and accept the certificates.
Awesome, that's great to hear. Yeah, the site ID is case sensitive on Tableau Server. Was hoping to find a way to prevent this. I will note this in the docs.
Thanks for following up Robert.