-
1. Re: Tableau Server Internet security - isolating the Gateway service
Jeff Strauss
Jan 17, 2018 7:30 AM
What is the problem with having the gateway inside the firewall? This is what we do in our totally secure solution and we route all external traffic via the reverse-proxy. And during setup of, we need to specify to only accept traffic via the proxy IP's via the tabadmin set gateway.trusted ...
-
2. Re: Tableau Server Internet security - isolating the Gateway service
Thanks Jeff. In both cases the Gateway would be behind a firewall.
In the deployment examples I have seen the flow would be:
Client --> External Firewall --> Proxy --> Tableau Server
However, what I would like to see is:
Client --> External Firewall --> Proxy --> Tableau Gateway --> Internal Firewall --> Tableau Server (all the non-GW services)
With this method the termination and the authentication (I believe) would be in a separate secure network zone therefore if compromised limiting exposure to the DMZ services rather than the application network/services. Similar logic is often applied to splitting the application services and the data.
-
3. Re: Tableau Server Internet security - isolating the Gateway service
Jeff Strauss
Jan 17, 2018 10:15 AM
1 of 1 people found this helpfulI see. You should be able to deploy the gateway onto its own node via the server config panel. See this example High Availability where the primary node has the gateway and search/browse, in reality if you only want the gateway running here without any other processes (besides cluster controller which is on every node by default), then you can do this. And then gateway isn't needed anywhere else. Also, having the gateway on its own node doesn't count toward your licensed allocation of cores.
-
4. Re: Tableau Server Internet security - isolating the Gateway service
Thanks again Jeff. This is the confirmation I wanted to hear from the community. The 3-server deployment for HA did give me hope that this was achievable and as an added bonus this approach appears to map well into a HA/scaled out design if the requirements changed.
-
5. Re: Tableau Server Internet security - isolating the Gateway service
This transpired to be an unsatisfactory solution. Too many bi-directional ports needed to be open between the server running the gateway and the server running the other tableau services. Further, the use of high port ranges for the responses made a mockery of using a firewall.
-
6. Re: Tableau Server Internet security - isolating the Gateway service
Toby Erkson
Feb 6, 2018 8:50 AM
Frank Parkin wrote:
...Further, the use of high port ranges for the responses made a mockery of using a firewall.
Come again?
Did you come up with a solution? If not then you may want to work with Tableau Support.