5 Replies Latest reply on May 17, 2018 6:55 PM by David Barham

    Allow internet access only to Tableau Server and not to the rest server

    Thanos Pappas

      Hello all,

       

      I am experiencing the following issue and I wonder whether anyone has any comments or ideas.

       

      I have installed Tableau Server on a Windows Server machine. I wan't to give internet access only to Tableau Server and not to other applications on the machine like for example Internet Explorer.

      In other words I want Tableau Server to connect to the Internet but Internet Explorer (or other applications) to be restricted from connecting to the web.

       

      If I understand well Tableau gets the Proxy Configuration from windows. One idea would be to not set windows for connecting to the web and manually set proxy configuration only for Tableau Server, but how is that done? Where is Tableau Server storing it's proxy configuration?

       

      Any ideas?

       

      Thanks a lot!

        • 1. Re: Allow internet access only to Tableau Server and not to the rest server
          Glen Robinson

          Hi Thanos

          Tableau Server and Desktop uses the Internet Settings as used by IE.

          Web Proxy and Firewall Settings | Tableau Software

          This is where you configure Tableau's proxy settings.

           

          As to how you restrict IE from being used.

          If Tableau is on a server, then by it's nature you are limiting who can use the server.

          Who are you trying to limit from using IE? If access to the server is restricted to only admins, then there shouldn't be much need for further restriction.

           

          Here is an article on restriction of IE.

          How To Block Internet Explorer From Accessing The Internet

          However, im not sure whether making the registry changes will also stop other applications from using the Internet Settings too, or just IE. Maybe worth trying

          As for other applications. What applications do you have in mind?

          Hope this helps

          Glen

          • 2. Re: Allow internet access only to Tableau Server and not to the rest server
            Thanos Pappas

            Thanks Glen for your answer.

             

            Actually the idea is not to restrict all other application but to allow only TableauServer. If that make some sense.

             

            It is actually this company's policy, they don't want their servers to have connection to the internet, so they said if possible to configure directly and only TableauServer with proxy configuration so the rest server won't be configured to access the web but only Tableau Server.

             

            So I thought as Tableau uses IE settings, I suppose it stores somewhere these settings. If I could have access where these settings are stored and manually edit them so TableauServer will be set and IE not.

             

            That was my idea, if possible.

             

            The concept is the server to not have access to the Internet except for Tableau Server

            If you have any other ideas there are  welcomed!!

             

            Thanks.

            • 3. Re: Allow internet access only to Tableau Server and not to the rest server
              Glen Robinson

              Hi Thanos

              Thanks. I understand your issue now.

              I dont know how feasible it is to only allow Tableau to connect to the Internet.

              For instance, you can write a script on a server which can connect to a website and pull data from it.

              Therefore an option could be to configure the Windows Firewall on the Tableau Server so that only Tableau Processes are allowed. (have never tried it, so cant say how much of a pain this would be)

               

              My only other thought is that the only Internet Access Tableau requires is for mapping.

              The article I linked to earlier lists the addresses required.

              Therefore you could just allow your proxy server to whitelist these addresses for your Tableau Server, with all other sites blocked. Or block everything, if you dont require maps.

               

              Hope this helps

              Glen

              • 4. Re: Allow internet access only to Tableau Server and not to the rest server
                Toby Erkson

                I agree with Glen.  Many of our servers aren't allowed access to the outside world for security reasons.  In order to get access rules have to be applied in the corporate proxies. 

                For example, the servers my Tableau Servers sit in cannot access the internet by default so when I need to perform an upgrade I have to download the file to my laptop and then copy the file to the Tableau Server.  However, for licensing and mapping our firewall/proxy IT team has set up rules that do allow those two functions to operate.  We use forward and reverse proxies and since I am not a networking or trained server person I have no flippin' clue how that stuff works, it's all blackbox-voodoo-7th-sense magic to me, but it works.

                 

                So what I'm saying is that you may need your IT folk, who are trained in this stuff, to help you out, either on your box or through you company's firewall/proxy software.

                • 5. Re: Allow internet access only to Tableau Server and not to the rest server
                  David Barham

                  I realise that this is an old question, but I hit it while searching so others might too.

                   

                  Our approach is to NOT have the Tableau server use the proxy server as that would give it the same internet access as the person logging into it.  Instead, IE on this server, for the service account running Tableau is configured to not use proxy.  Therefore, it has direct access to the internet.  However, our firewall blocks ALL access except for specifically whitelisted sites.  For the Tableau server, that is the licensing server, the Tableau maps server plus one other WMS server we use.

                   

                  If you lock down the proxy settings by group policy, then anyone logging into the Tableau server can only access the whitelisted internet sites and nothing else.  That's effectively as good as no internet access.