7 Replies Latest reply on Feb 23, 2018 9:01 AM by Jeff Strauss

    Restrict Site to Specific IP Address Range

    Perry Shipman

      We have sensitive data which will be available via a Tableau Site.  We need to restrict access to specific workstations.  Other sites will not have this restriction.

      • Is there a way to do this with a single server?
      • Are there methods by which a connection filter could access server variables or other Tableau systems variables that might include user IP?



        • 1. Re: Restrict Site to Specific IP Address Range
          Jeff Strauss

          This is an interesting, thought-provoking question.  Though I don't think I've seen it done at the site level, I can think of these possible alternatives:


          1. (Simplest) Site permissions can be set to only allow specific login ids into the site


          2. If you are using a live connection, depending on what type of database, you can pass the login credential to the database, and if the user has access, then they will be able to see the data rendered via the db to your dashboard


          3. If you are using trusted tickets, then there is the ability to turn on client IP matching for the redemption of the tickets (see "Optional: Configure Client IP Matching")


          4. If you have a load balancer reverse proxy in front of your Tableau Server, then you may be able to have routing rules set up with your load balancer that only allow a set of IP ranges through to your site (see "Configuring Proxies for Tableau Server")

          • 2. Re: Restrict Site to Specific IP Address Range
            Jeff Strauss

            There is one more that I just thought of.  On the server, you can set firewall inbound rules to allow for a set of IPs, but I'm not sure if you can match to a specific site or not.  I personally haven't done this, but it seems doable.


            • 3. Re: Restrict Site to Specific IP Address Range
              Toby Erkson

              I'll keep my reply simple

              Out of the box (simple, built-in functionality)?  No.

              Via custom methods unsupported by Tableau and maintained by you?  Yes (Jeff's excellent input).

              • 4. Re: Restrict Site to Specific IP Address Range
                Perry Shipman



                Thanks for the response and ideas.  I suspect that Toby is correct and that there is no easy solution.  I pondered yours and I am not sure they are a perfect fit for what we are trying to achieve (please correct me if I am wrong).


                Below is a diagram of what we are trying to achieve.  Note that this might be most easily solution-ed by having a second independent Tableau server.  Note that in the image below, the address range is a representation of a VMWare VDI environment that is the only way to access Site B.  Note, also, that Mary, though she is credentialed to access Site B should not be able to do so from the address range (used to represent all other address space):


                Screen Shot 2018-02-23 at 6.16.31 AM.png

                • 5. Re: Restrict Site to Specific IP Address Range
                  Jeff Strauss

                  For sure.  I agree it can't be done out of the box, so that's why I offered up alternatives.


                  Even with a separate independent server, how would you restrict IPs?


                  I don't fully understand your pic, though I can tell you we have a shared cluster accessible by both internal employees "site B" and external clients "site A".  Internal employees can get to both sites, but external clients can only get to "site A".  How we achieved this for "site A" was by way of trusted tickets / reverse proxy config / firewall rules.  And while it got a bit complex, it managed to save licensing costs by sharing the common infrastructure.

                  • 6. Re: Restrict Site to Specific IP Address Range
                    Perry Shipman

                    Jeff ... let me make sure we are using the same definitions to help me see if your model works ...

                    • In my image presented earlier, Tom and Mary are both internal employees who work for different agencies
                    • When I use the term Site I mean it in the Tableau server sense ... one server with multiple sites
                    • Mary's credentialed access to Site B only works if she is on a specific subnet
                    • Mary and Tom can both access Site A


                    I am not sure how we would use firewall rules and/or reverse proxy settings to manage a single Tableau website with multiple internal Tableau/Sites.  Wouldn't an inbound firewall rule for the address space limit access for all sites to that scope?


                    The trusted tickets idea actually has promise but my reading of this indicates that it is used for restricting Tableau Server Managers to certain IPs.  Have I misread this?

                    • 7. Re: Restrict Site to Specific IP Address Range
                      Jeff Strauss



                      Yes, we're referring to site the same way.  I think of it as a logical space within the same physical server.


                      In our implementation, we're not using trusted tickets with specific client IP matching.  I just mentioned this as an option because it sounded like that's what you wanted.  Rather, what we have deployed is the default method for trusted tickets where the trust is server to server in order to retrieve the trusted ticket.


                      It's the firewall / reverse proxy that applies the rules for the incoming traffic.  See the attached high level architecture.  For external clients, they are coming through a client access portal which is routing traffic through NGINX and then to the Tableau Server Marketer site via the JavaScript API in order to render dashboards.  In order to ensure that they only have access to the Marketer site, their IDs are only defined to this site, but then there are also rules set up within the NGINX load balancer to return a 404 error when the URL doesn't match to the Marketer site expected URL.
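
The reverse-proxy approach discussed in this thread, applied to the original question (one site limited to one address range, other sites open), as an added example that is not part of any reply and is not the configuration of the deployment described above. The hostname, upstream address, subnet and the site name `SiteB` are constructed placeholders, and the config assumes the restricted site's content is requested under a `/t/<site-name>/` path prefix and that NGINX sees the real client address in `$remote_addr`.

```nginx
# Added example; hostnames, addresses and the site name are placeholders.
# Place inside the http { } block.

# 1 when the client address is in the range allowed to reach the restricted
# site. 10.20.30.0/24 stands in for the VDI subnet.
geo $restricted_site_ok {
    default        0;
    10.20.30.0/24  1;
}

upstream tableau_gateway {
    server 192.0.2.10:80;    # placeholder Tableau Server address
}

server {
    listen 443 ssl;
    server_name tableau.example.com;
    ssl_certificate     /etc/nginx/tls/tableau.crt;
    ssl_certificate_key /etc/nginx/tls/tableau.key;

    # Inherited by both locations below.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Restricted site: answer 404 unless the client is in the allowed range.
    # Case-insensitive so /t/siteb/ cannot slip past the match.
    location ~* ^/t/SiteB(/|$) {
        if ($restricted_site_ok = 0) {
            return 404;
        }
        proxy_pass http://tableau_gateway;
    }

    # Every other site stays reachable from any address.
    location / {
        proxy_pass http://tableau_gateway;
    }
}
```

The rule only holds if the server's inbound firewall accepts web traffic from the proxy alone, so that nothing can reach Tableau Server around it. It matches only requests whose path names the site; requests that identify the site some other way (a URL fragment, a request body, an API path) are not covered, which is why the site-level login permissions from the first reply still need to be in place.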