4 Replies Latest reply on Jun 3, 2016 2:35 PM by Robin Cottiss

    what ports need to be opened for communication between primary and workers?

    Judith Lanzo

      Our IT Infrastructure has strict rules about opening servers to talk to each other.  Can anyone explicitly list the ports that the primary needs access to on the workers and visa versa?  We are installing TS 9.3.1 on Window 2012 servers.  I have looked at the ports list on the online helps http://onlinehelp.tableau.com/current/server/en-us/help.htm#ports.htm?Highlight=ports .  Does the primary need to access all of these on all of the workers?  Does it depend on the processes that the workers are running?  Looking for any advice to submit the appropriate request with our infrastructure team.  As it stands they will not open up all of the ports listed because they do not think we need them all.  So I need explicitly confirm which source servers need to communicate to which ports on each target server.


      Thank You.

        • 1. Re: what ports need to be opened for communication between primary and workers?
          Kevin Hulbert

          Hi Judith,


          Technically speaking, yes, all the listed ports need to be available. However, we do not support running the Primary Gateway in the DMZ with the Workers placed behind the firewall As you've seen, there are a great number of ports required for communication which would not only make using a DMZ ineffective security, but can create communication issues between the nodes as well.


          As an alternative, and as the best practice, all nodes should be behind the firewall, with only Port 80 or 443 available for external access. Tableau should ideally be placed behind a reverse proxy and HTTPS enabled.


          Please let me know if you have any additional questions! Here are some reference links:


          Setting up Tableau Server on a Perimeter Network (DMZ) | Tableau Software

          Configuring Proxies for Tableau Server

          • 2. Re: what ports need to be opened for communication between primary and workers?
            Judith Lanzo

            Thanks @Kevin Hulbert,




            So I ended up setting up the distributed environment with primary and workers behind the firewall.  Everything was running fine.  We added a proxy server, I followed the instructions to configure the proxy for Tableau Server (using port 443 since using ssl) and after the config and starting the server the services came back with a status DEGRADED.  I tried restarting.  Same issue.  I set the settings back to default, and restarting again still degraded.  Firewall is open  from proxy server to ports 443/80 on primary server.  I ended up restoring from back up to get the server back in a running status.  Any suggestions/ideas?  Am I missing anything?  (Do I need to open ports 80/443 on workers as well?


            Let me know if you need any screenshots of the config.

            • 3. Re: what ports need to be opened for communication between primary and workers?
              Nathan Panuco

              Hi Judith:


              The server is likely showing as degraded because the primary cannot check on the status of the workers. All the ports listed in the above document will need to be opened on all of the computers in the Tableau Cluster for the application to work properly and not show as degraded. The Tableau Server application contains dozens of processes distributed across the multiple nodes and communicate with each other over multiple different ports: For example, backgrounders need to interface with postgres then use the data engine to manage extracts then authenticate on VizPortal, etc


              If you would like an "official" answer from Tableau on this question, please submit a case to the Technical Support team: http://www.tableau.com/support/request



              • 4. Re: what ports need to be opened for communication between primary and workers?
                Robin Cottiss

                Hello Judith,


                the the fact that you had it working in distributed mode before adding the proxy is interesting.


                Off the top of my head I can only think of one or two scenarios where adding the proxy could stop the cluster from restarting correctly. Do you know if your Tableau servers have a public and private ip address? This can happen in AWS EC2 instances. If you used the public ip addresses then that could be an issue. Make sure that the  ip addresses or host names that you used to configure the tableau servers are the internal ips/names. The reverse proxy will have a public dns name and it translates that public ip/name to the internal ip/name of the gateway. I say gateway not primary because you can choose to put gateways on any tableau server not just the primary.


                Also it is important that the  Internal ip addresses of all the tableau servers are static and not changing every time you reboot the servers.