There are a couple of questions regarding this topic on this forum. Here is my working solution for reference, and to adapt to your situation. Hope this helps. No guarantee that this works in your environment. Feedback welcome.
Installation of Tableau Server 9.0 for external access. SSL-encryption provided by reverse proxy (nginx); Reverse Proxy and Tableau Server communicate using plain HTTP (as do clients from the internal network).
- SSL certificate for Reverse Proxy. In this case a wildcard certificate for mydomain.tld.
- Firewall rules controlling access to Tableau Server. In this case implemented using shorewall.
- Windows 7 Professional as runtime environment for Tableau Server (designed as lab system for development of demo scenarios)
- Proper DNS setup and working bi-directional http communication between reverse proxy and Tableau server
We use a proxmox virtualization server (Debian based) to operate our dev lab. Our reverse proxy lives inside an OpenVZ container, the Tableau Server inside a KVM virtual machine (for real fast I/O you're probably better off using a physical server - for our dev lab it's o.k.).
- Configure Win 7 Pro to allow incoming HTTP traffic from proxy server and outgoing SMTP for status mails
- Configure nginx to proxy SSL requests for server tableau.mydomain.tld to Tableau Server
- Configure Tableau Server using tabadmin for operation behind reverse proxy
Both Win 7 Pro firewall and external firewall need to allow HTTP (bi-directional) and SMTP (outgoing).
These shorewall rules were used (the HTTPS rule is, strictly speaking, not required; adapt this to your firewall). Zone "net" refers to external IPs, and "dmz" to subnet 192.168.123.0/24 in this setup.
In my case nginx needed specifically X-Forwarded-Proto. Without that external requests never got a proper response, but rather an empty page.
CAVEAT: tableau.mydomain.tld resolves to the same address as mydomain.tld for external requests, but internally (i.e. both on the nginx, and on the Tableau machine) to 192.168.123.123. So all https requests to the external IP aaa.bbb.ccc.ddd on port 443 are forwarded to port 443 of the reverse proxy 192.168.123.10 which then dispatches them to the proper internal servers.
This nginx config uses a virtual host to redirect all https requests for tableau.mydomain.tld to the internal IP 192.168.123.123. Having tableau.mydomain.tld resolve internally to this IP address was achieved using dnsmasq. While the "official" DNS records point tableau.mydomain.tld to the same external IP as mydomain.tld (say aaa.bbb.ccc.ddd), dnsmasq internally does a dead simple /etc/hosts lookup to find the correct internal IP address 192.168.123.123.
See also http://onlinehelp.tableau.com/current/server/en-us/tabadmin_cmd.htm#set for the tabadmin reference.
X-Forwarded-Proto gotcha from http://kb.tableau.com/articles/issue/cannot-connect-via-ssl-proxy.
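An nginx virtual host along the lines described in this post, as an added example that is not the original poster's configuration. The certificate file paths are placeholder assumptions; the host name and backend IP are the ones used in the post.

```nginx
# Added example: TLS terminates on the reverse proxy, plain HTTP to Tableau Server.
server {
    listen 443 ssl;
    server_name tableau.mydomain.tld;

    # Wildcard certificate for mydomain.tld (placeholder paths, adjust to your layout).
    ssl_certificate     /etc/nginx/ssl/wildcard.mydomain.tld.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.mydomain.tld.key;

    location / {
        # Backend is the Tableau Server VM in the dmz subnet, reached over HTTP.
        proxy_pass http://192.168.123.123:80;

        # Pass the host name the client asked for, so links generated by the
        # backend point at the public name rather than the internal IP.
        proxy_set_header Host $host;

        # Record the original client address for backend logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Tell the backend that the client connection was HTTPS.
        # proxy_set_header replaces any value the client sent for this
        # header, so the backend only ever sees what the proxy observed.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the hop between proxy and Tableau Server is unencrypted, the firewall rules should allow port 80 on the Tableau machine only from the proxy and the internal network.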