I asked a colleague and here is his response:
If app.com is just a proxy, everything should work just fine and Tableau Server doesn’t even need to know about the proxy in front of it. Just make sure that users can access Tableau Server through app.com and that the proxy preserves the “Host” header and adds “X-FORWARDED-PROTO” if SSL offloading is in use.
This is how everything should work:
1. The user accesses a page on “app.com” and the request is handled by “app.internal.com”.
2. App.internal.com requests a ticket on the user’s behalf from tableau.internal.com.
3. App.internal.com sends the page to the user via app.com. Among other things, the page contains a Tableau Server URL with the trusted ticket in it (i.e. http://tableauserver.app.com/trusted/12345/views/workbook/view?:embed=yes).
4. The user’s browser goes to tableauserver.app.com, and the request is relayed to Tableau Server.
5. Tableau Server recognizes the ticket, creates a session and sends the user a redirect to the actual page and a cookie with session info.
6. The user’s browser follows the redirect link and pulls data directly from the Tableau Server.
We don’t support scenarios where an intermediate server redeems the ticket on the user’s behalf and pulls the view from Tableau Server for the user. It might or might not work, but we always expect end users’ browsers to talk to Tableau Server (even if the request is routed through several proxies).
As for the specific questions:
- We don’t check who redeems the ticket unless client IP matching is enabled (http://onlinehelp.tableau.com/current/server/en-us/help.htm#trusted_auth_optional.htm). As long as we recognize the ticket provided in the URL, a session is created.
- See above. If the proxy preserves the “Host” header and has “X-FORWARDED-PROTO” (when applicable), Tableau Server doesn’t even need to know about the proxy.
- The ticket is valid for 3 minutes or 1 use. Once redeemed, the session is subject to regular Tableau Server “idle” timeouts.
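Steps 2 and 3 of the flow above, sketched from the application server's side. This is an added example, not part of the original replies and not Tableau's own code. The function names and the injectable `post` transport are assumptions made for illustration; the hostnames and view path are the ones used in the post.

```python
import urllib.parse
import urllib.request

TABLEAU_INTERNAL = "http://tableau.internal.com"  # reached only by the app server
TABLEAU_PUBLIC = "http://tableauserver.app.com"   # proxied name the browser uses


def _http_post(url, body):
    """Default transport: form-encoded POST, returns the response text."""
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return resp.read().decode("utf-8")


def request_ticket(username, client_ip=None, post=_http_post):
    """Step 2: ask Tableau Server for a trusted ticket on the user's behalf."""
    fields = {"username": username}
    if client_ip:
        # Only meaningful when client IP matching is enabled: it must be the
        # address Tableau Server will see when the browser redeems the ticket.
        fields["client_ip"] = client_ip
    body = urllib.parse.urlencode(fields).encode("ascii")
    ticket = post(TABLEAU_INTERNAL + "/trusted", body).strip()
    if not ticket or ticket == "-1":
        # -1 means the request was refused (untrusted caller or unknown user).
        raise PermissionError("Tableau Server did not issue a trusted ticket")
    return ticket


def embed_url(ticket, view_path):
    """Step 3: URL the page hands to the browser, which redeems it in step 4."""
    return "%s/trusted/%s/views/%s?:embed=yes" % (TABLEAU_PUBLIC, ticket, view_path)


def render_embed(username, view_path, client_ip=None, post=_http_post):
    # Request the ticket per page render: it is valid for 3 minutes or 1 use,
    # so it must not be cached or shared between users.
    return embed_url(request_ticket(username, client_ip, post), view_path)
```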
Thank you so much for your reply. This solves my problem.
I have another question about ticket redemption: if the report is embedded on a web page of my app and takes more than 3 minutes to load the whole report, is the ticket still redeemable? Does Tableau Server return any error code? Also, after the ticket is redeemed, for how long can the user view/interact with the report on my web page?
The ticket is redeemed before we start to load the view so it should be okay if the page takes more than three minutes to load. If the ticket is invalid you'll receive a response which says that Tableau Server cannot locate an unexpired trusted ticket.
As for timeouts, there are a few timeout settings which will affect usage of the viz.
There is a standard vizqlserver timeout of 30 minutes which will drop all filter choices after 30 minutes of idle time.
There is a timeout which will log you out after 240 minutes (by default).
After 30 minutes of idle time, when all filter choices are dropped, the report session displays a Tableau Server login page when I click on any of the filters (in app.external.com). Is there any way to display a timeout error page or auto-refresh instead of showing a Tableau login page? I'm embedding the Tableau report into my web application, so I don't want to expose the internal Tableau server to my users.
Another question: what is the parameter that I can set for the timeout window for filter and log out?
It's mentioned in the response that "Tableau Server doesn’t even need to know about proxy" - why is this the case?
The "Configure a reverse proxy server" section of Configuring Proxies for Tableau Server mentions settings such as gateway.trusted_hosts ... , why do they not need to be set up correctly in this scenario?
Thanks for your time.