4 Replies Latest reply on Jun 13, 2016 9:46 AM by Ryan Stacklin

    Remote Access to Status...still needs authentication

    Ryan Stacklin

      Hello...

       

      I am trying to access the XML status of a remote server, but I do not want to have to authenticate.  I've attempted the following:

       

      - This article (Get Process Status as XML) states "You must be signed in to Tableau Server to view the machine-readable process status, or have enabled remote access."

      - So I go to this article (Enable Remote Access) and it explains how to add in a machine's IP using "tabadmin set wgserver.systeminfo.allow_referrer_ips" so that I do not need to authenticate.

       

      I therefore added my IP to the config of the server, and I've checked the workgroup.yml file and I verify that my laptop IP does show up (restarted Tableau too).  When I go to the browser and enter the systeminfo.xml URL, I get "Not enough permissions".

      I am able to log in to the server via the browser, enter "https://<server>/admin/systeminfo.xml" and get a result.

       

      My expectation is that I should be able to hit that URL from my laptop and get the systeminfo without having to authenticate.  Am I wrong in assuming this?  Am I implementing this incorrectly?

       

      BTW, the end goal is implementing an automated script that alerts me when an individual service is "Down".  Explained in this article.

      Another BTW, it appears that in v10 XML Endpoints will be deprecated.  At the end of the article, it explains that the "systeminfo" endpoint will still be available.  Article.

       

      I'd appreciate any insight on my issue.

       

      Thanks!

       

      Ryan

        • 1. Re: Remote Access to Status...still needs authentication
          Jeff D

          HI Ryan, bit of a long shot, but check the http log (access.log) to make sure that your laptop is really coming in at the ipv4 address you specified.  Server Log File Locations

          • 2. Re: Remote Access to Status...still needs authentication
            Ryan Stacklin

            Thanks Jeff.  Your long shot wasn't wrong because I in fact did have to correct the IP address.  But, it still did not resolve the issue.  Your suggestion gave me a new path to investigate (came to me as I was reviewing the access.log file).  The server I've been using to test is set up as Primary-Worker-Worker with a load balancer.  Maybe that configuration is obscuring my IP address.  I have another server that is only a single machine.  On that single machine I white listed my laptop IP and the xml request worked without authentication.  That's a positive result.  So, I now have to figure out what, in the HA configuration, is restricting my IP.  I will next check the X-forward settings and results to start.  Thanks again.

            • 3. Re: Remote Access to Status...still needs authentication
              Jeff Strauss

              you seem to be on the right track.  I just have a question though, have you tried entering the host computer name instead of the IP?  The article says this is supported, however last time I tried, it didn't work.  http://onlinehelp.tableau.com/current/server/en-us/help.htm#service_remote.htm 

               

              Also, you may want to have a look at this blog topic:  Enterprise automated monitoring

              • 4. Re: Remote Access to Status...still needs authentication
                Ryan Stacklin

                I was successful in getting this to work.  Overall, here are the steps I took:

                 

                - Ensured the X-forward was setup correctly and forwarding the IP of the requesting machine.

                 

                - Updated the "wgserver.systeminfo.allow_referrer_ips" with the IP's of the machines that would be sending the GET to my server.  Verified via access.log that I was indeed using the correct IP's.

                 

                - Updated "gateway.trusted " with all of the EGRESS IP addresses of the load balancer.  I originally had only the IP address of the load balancer (the one you'd set in your DNS).  I did not realize that the load balancer had a whole separate range of IP's it was using to send traffic to the servers.  More attention to the access.log and I would have realized that earlier.

                 

                Once I could get the system info without having to authenticate, I set up the Powershell script to run from a remote server.  I then used Windows Scheduler (instead of Powershell) to run the script every 15 minutes (at least to start).

                1 of 1 people found this helpful