What is the problem with having the gateway inside the firewall? This is what we do in our totally secure solution, and we route all external traffic via the reverse proxy. During setup, we need to specify that only traffic from the proxy IPs is accepted, via tabadmin set gateway.trusted ...
Thanks Jeff. In both cases the Gateway would be behind a firewall.
In the deployment examples I have seen the flow would be:
Client --> External Firewall --> Proxy --> Tableau Server
However, what I would like to see is:
Client --> External Firewall --> Proxy --> Tableau Gateway --> Internal Firewall --> Tableau Server (all the non-GW services)
With this method the termination and the authentication (I believe) would be in a separate secure network zone, therefore, if compromised, limiting exposure to the DMZ services rather than the application network/services. Similar logic is often applied to splitting the application services and the data.
I see. You should be able to deploy the gateway onto its own node via the server config panel. See this High Availability example, where the primary node has the gateway and search/browse. In reality, if you only want the gateway running here without any other processes (besides cluster controller, which is on every node by default), then you can do this, and then the gateway isn't needed anywhere else. Also, having the gateway on its own node doesn't count toward your licensed allocation of cores.
Thanks again, Jeff. This is the confirmation I wanted to hear from the community. The 3-server deployment for HA did give me hope that this was achievable, and as an added bonus this approach appears to map well onto an HA/scaled-out design if the requirements changed.
This transpired to be an unsatisfactory solution. Too many bi-directional ports needed to be open between the server running the gateway and the server running the other Tableau services. Further, the use of high port ranges for the responses made a mockery of using a firewall.
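The objection above is that the gateway-to-application-services traffic cannot be pinned down to a small, static set of rules. The script below is an added example, not code from the thread or from Tableau, showing the audit a practitioner would run before committing to such a design: take the firewall's own connection log for the boundary between the two nodes, reduce it to the distinct (source, destination, destination-port) rules it would need, and flag every destination port that falls in the dynamically assigned range, since each of those forces the rule set to open a whole range rather than a fixed service port. The host addresses, the iptables-style log lines and every port number in it are constructed for the example and are not Tableau's actual ports.

```shell
#!/bin/sh
# Added example: audit the rules a split gateway / application-services
# deployment would need on the internal firewall. Hosts, log lines and port
# numbers are made up for this example (they are not Tableau's real ports).

GATEWAY_HOST="10.0.1.10"   # assumed: node running only the gateway
APP_HOST="10.0.2.20"       # assumed: node running the other Tableau services
EPHEMERAL_LOW=49152        # assumed lower bound of the dynamic port range
                           # (IANA and Windows default; Linux uses 32768)

# Constructed sample in the shape of iptables LOG output: one line per new
# connection seen at the boundary. The 203.0.113.5 line is client traffic
# to the gateway and must not be counted as cross-zone.
SAMPLE_FW_LOG='IN=eth0 SRC=203.0.113.5 DST=10.0.1.10 PROTO=TCP SPT=51234 DPT=443
IN=eth0 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP SPT=45678 DPT=9000
IN=eth0 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP SPT=45680 DPT=9000
IN=eth0 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP SPT=45682 DPT=9060
IN=eth0 SRC=10.0.2.20 DST=10.0.1.10 PROTO=TCP SPT=52001 DPT=9315
IN=eth0 SRC=10.0.2.20 DST=10.0.1.10 PROTO=TCP SPT=52003 DPT=49500
IN=eth0 SRC=10.0.2.20 DST=10.0.1.10 PROTO=TCP SPT=52004 DPT=50120
IN=eth0 SRC=10.0.2.20 DST=10.0.1.10 PROTO=TCP SPT=52005 DPT=50120'

# Print one "SRC DST DPT" line per distinct flow between the two nodes,
# in first-seen order. Each line is one firewall rule the design needs.
cross_zone_rules() {
    printf '%s\n' "$SAMPLE_FW_LOG" | awk -v gw="$GATEWAY_HOST" -v app="$APP_HOST" '
    {
        src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        # Keep only flows whose two ends are the gateway and the app node.
        if (!((src == gw && dst == app) || (src == app && dst == gw))) next
        key = src " " dst " " dpt
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Number of distinct rules required.
rule_count() {
    cross_zone_rules | wc -l | tr -d ' '
}

# Rules whose destination port is dynamically assigned: these cannot be
# expressed as a fixed service port and force a port-range rule instead.
high_port_rules() {
    cross_zone_rules | awk -v low="$EPHEMERAL_LOW" '$3 + 0 >= low + 0'
}

# "static" if every rule has a fixed service port, "range" otherwise.
verdict() {
    if [ "$(high_port_rules | wc -l | tr -d ' ')" -eq 0 ]; then
        echo static
    else
        echo range
    fi
}

echo "rules required between $GATEWAY_HOST and $APP_HOST:"
cross_zone_rules
echo "rule count: $(rule_count)"
echo "rules on dynamically assigned ports:"
high_port_rules
echo "verdict: $(verdict)"
```

Run against a real log by replacing `SAMPLE_FW_LOG` with the captured boundary log (for example the output of `iptables -j LOG` or a span-port capture reduced to the same fields). A verdict of `range` is the situation the post describes: the rule set degenerates into "allow the application node to reach the gateway on a large port range", which is what makes the internal firewall largely cosmetic.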
Frank Parkin wrote:
...Further, the use of high port ranges for the responses made a mockery of using a firewall.
Did you come up with a solution? If not then you may want to work with Tableau Support.