Technically speaking, yes, all the listed ports need to be available. However, we do not support running the Primary Gateway in the DMZ with the Workers placed behind the firewall. As you've seen, there are a great number of ports required for communication, which would not only make using a DMZ ineffective for security but could create communication issues between the nodes as well.
As an alternative, and as the best practice, all nodes should be behind the firewall, with only Port 80 or 443 available for external access. Tableau should ideally be placed behind a reverse proxy and HTTPS enabled.
Please let me know if you have any additional questions! Here are some reference links:
Thanks @Kevin Hulbert,
So I ended up setting up the distributed environment with primary and workers behind the firewall. Everything was running fine. We added a proxy server, I followed the instructions to configure the proxy for Tableau Server (using port 443 since using SSL), and after the config and starting the server the services came back with a status of DEGRADED. I tried restarting. Same issue. I set the settings back to default, and after restarting again it was still degraded. The firewall is open from the proxy server to ports 443/80 on the primary server. I ended up restoring from backup to get the server back in a running status. Any suggestions/ideas? Am I missing anything? (Do I need to open ports 80/443 on the workers as well?)
Let me know if you need any screenshots of the config.
The server is likely showing as degraded because the primary cannot check on the status of the workers. All the ports listed in the above document will need to be opened on all of the computers in the Tableau Cluster for the application to work properly and not show as degraded. The Tableau Server application contains dozens of processes distributed across the multiple nodes, which communicate with each other over multiple different ports. For example, backgrounders need to interface with Postgres, then use the data engine to manage extracts, then authenticate on VizPortal, etc.
If you would like an "official" answer from Tableau on this question, please submit a case to the Technical Support team: http://www.tableau.com/support/request
The fact that you had it working in distributed mode before adding the proxy is interesting.
Off the top of my head I can only think of one or two scenarios where adding the proxy could stop the cluster from restarting correctly. Do you know if your Tableau servers have a public and a private IP address? This can happen in AWS EC2 instances. If you used the public IP addresses then that could be an issue. Make sure that the IP addresses or host names that you used to configure the Tableau servers are the internal IPs/names. The reverse proxy will have a public DNS name and it translates that public IP/name to the internal IP/name of the gateway. I say gateway, not primary, because you can choose to put gateways on any Tableau server, not just the primary.
Also, it is important that the internal IP addresses of all the Tableau servers are static and not changing every time you reboot the servers.
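The layout recommended in this thread (all nodes behind the firewall, only 443 exposed, a reverse proxy terminating HTTPS and forwarding to the internal gateway by its internal name) as an added nginx example; this is not configuration from the thread or from Tableau, and the public host name, certificate paths and internal gateway address are placeholders.

```nginx
# Added example, not from the thread. Public name, certificate paths and the
# internal gateway address are assumptions; replace them for your environment.

# Port 80 is the only other port exposed externally, and it only redirects
# to HTTPS so nothing reaches Tableau over plain HTTP from outside.
server {
    listen 80;
    server_name tableau.example.com;                 # assumed public DNS name
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name tableau.example.com;                 # assumed public DNS name

    ssl_certificate     /etc/nginx/certs/tableau.example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/tableau.example.com.key;  # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward to the gateway node using its internal name, as the reply
        # above advises, not a public IP. The gateway can be any node that
        # runs a gateway process; the firewall only needs to allow this proxy
        # to reach it on 443 (or 80 if SSL is terminated here only).
        proxy_pass https://tableau-gw.internal:443;  # assumed internal name

        # Pass the public host and scheme through so Tableau generates
        # redirects and links for the public name. Tableau's own reverse
        # proxy settings (the "configure the proxy" steps referenced in the
        # question) must be set to the same public host and port.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        # Extract refreshes and large workbook loads can be slow.
        proxy_read_timeout 300s;
    }
}
```

The inter-node ports discussed in the thread are not affected by this configuration: they stay open only between the cluster nodes behind the firewall, never through the proxy.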