3 Replies Latest reply on Dec 10, 2018 2:44 AM by Bryan Fernandez

    Trusted authentication using private IP

    Kavin Abelak

      A bit of background:

      I have Tableau Server for Linux (2018.3) set up on a RHEL instance on AWS. TS sits in a private subnet with no access to the internet (we access it using VPN). I have a webserver sitting in a private subnet, with connection to the internet via a load balancer and NAT.

       

      The old solution:

      Previously, when TS was sitting in a public subnet with access to the internet, I was using trusted authentication as described in the PHP code below and everything was great. Clients would log into our application, and the embedded Tableau Dashboards would appear based on their username.

       

      The requirement:

      Due to the sensitive nature of our data, I would like to have the webserver and TS communicate via private IP (so as not to ferry traffic through the internet). As such, I moved TS into a private subnet with no direct access to the internet.

       

      The problem:

      When I change https://mytableauserverul/trusted to 10.0.0.1/trusted (the private IP where TS sits), a timeout happens. I suspect the client cannot resolve 10.0.0.1 and thus hangs.

       

      The question(s):

      How do I make the webserver communicate with TS via private IP while using trusted authentication? And if this is not the way to go about my requirement, any ideas would be appreciated.

       

       

       

       

      Old PHP embed code:

      if($sTableauUser)
      {
              // Tableau configs
              $sTableauUrl  = "https://mytableauserverurl/trusted/";
              $sParams      = ":embed=yes&:toolbar=no&:tabs=no&:showAppBanner=false&:refresh=yes&:embed_code_version=3";
              $sViews       = "/views/".TABLEAU_VIEW."/TaskOverview?";
              // URL-encode the username so special characters cannot alter the POST body
              $sLoginParams = "username=".urlencode($sTableauUser);

              // Server-side request for a trusted ticket
              $sCurlRequest = curl_init();

              curl_setopt($sCurlRequest, CURLOPT_URL, $sTableauUrl);
              curl_setopt($sCurlRequest, CURLOPT_POST, 1);
              curl_setopt($sCurlRequest, CURLOPT_POSTFIELDS, $sLoginParams);
              curl_setopt($sCurlRequest, CURLOPT_RETURNTRANSFER, true);
              curl_setopt($sCurlRequest, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded"));

              // curl_exec() returns false on a transport failure such as a timeout
              $sTicket = curl_exec($sCurlRequest);

              curl_close($sCurlRequest);

              // Tableau Server answers -1 when it does not issue a ticket
              if($sTicket === false || trim($sTicket) == "-1")
              {
                      // Handle error
                      echo "<h3 class='headerFont'>".$_LANG["no_generate_tableau"]."</h3>";
              }
              else
              {
                      // The opening quote after src= was missing in the original line
                      echo "<iframe src='", $sTableauUrl, trim($sTicket), $sViews, $sParams, "' width='1366' height='600'></iframe>";
              }
      }

        • 1. Re: Trusted authentication using private IP
          Bryan Fernandez

          Hi,

           

          I think you should check your webserver's internet access or routing to your AWS server;
          you said you moved it and now there is no internet access.

          This is more of a network issue than Tableau.
          Check your webserver's connectivity through the internet.
          Remember that PHP works on the server side; thus, external IPs, public IPs,
          NATs and proxies should be configured in your webserver.

          Check if your webserver can communicate with your AWS.
          Clients access only the webserver's resources, and if the resources are available from the webserver,
          the webserver will get the data from external sources and return it back to the client.

           

          Regards,

          Bryan

          • 2. Re: Trusted authentication using private IP
            Kavin Abelak

            Hi Bryan,

             

            Thanks for your comment.

             

            The Tableau Server is available via the internet gateway and ELB, and so it has connectivity to the internet (the architecture is roughly: Tableau Server for healthcare on AWS - Quick Start). So when I use https://mytableauserverul/trusted, the code works fine and the embedded dashboard loads up. My understanding is that the webserver is retrieving the dashboard from Tableau Server via the public internet. I would like the webserver to retrieve the dashboard internally via a private IP (e.g. 10.0.0.1/trusted). That would mean that both the request and the dashboard get pushed to the webserver without passing via the public internet and hence minimising any risk of the data being hijacked.

             

            Any ideas much appreciated.

            • 3. Re: Trusted authentication using private IP
              Bryan Fernandez

              Hi,

               

              You could try to use a NAT service to translate your AWS domain name and/or public address to
              a private IP address. Configure it using your load balancer and it's possible.
              Public IP AWS => Private IP of AWS, then use that IP inside of your PHP source code.
              One of my previous tricks was doing port forwarding to my public IP addresses.

               

              Regards,

              Bryan
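
Added example, not part of the thread and not Tableau's own code: in the trusted-ticket flow used by the PHP above, the webserver makes one server-side POST to /trusted, and the visitor's browser then loads the iframe URL itself. The sketch below sends only the ticket request to the private address while keeping the hostname for TLS verification (cURL's CURLOPT_RESOLVE), and builds the iframe URL from a host the browser can reach. It assumes the server certificate is issued for the hostname; the host, IP and view path are the thread's placeholders and the function names are hypothetical.

```php
<?php
// Added example. Host, IP and view path are the thread's placeholders;
// the function names are hypothetical.
const TABLEAU_HOST       = 'mytableauserverurl'; // name in the TLS certificate
const TABLEAU_PRIVATE_IP = '10.0.0.1';           // reachable from the webserver only

// Server-side step: POST the username to /trusted over the private network.
// Returns the ticket, or null when no usable ticket came back.
function requestTrustedTicket(string $username): ?string
{
    $ch = curl_init('https://' . TABLEAU_HOST . '/trusted');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['username' => $username]),
        CURLOPT_RETURNTRANSFER => true,
        // Connect to the private IP but keep the hostname in the URL, so the
        // certificate is still verified against the name it was issued for.
        CURLOPT_RESOLVE        => [TABLEAU_HOST . ':443:' . TABLEAU_PRIVATE_IP],
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,   // fail fast instead of hanging the page
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($body === false || $status !== 200) {
        return null;                   // transport error, timeout or HTTP error
    }
    $ticket = trim($body);
    return ($ticket === '' || $ticket === '-1') ? null : $ticket;
}

// Browser-side step: the visitor's browser loads this URL and redeems the
// ticket, so the host here must be one the browser can reach.
function buildEmbedIframe(string $ticket, string $viewPath, string $params): string
{
    $url = 'https://' . TABLEAU_HOST . '/trusted/' . $ticket
         . '/views/' . $viewPath . '?' . $params;
    return "<iframe src='" . htmlspecialchars($url, ENT_QUOTES)
         . "' width='1366' height='600'></iframe>";
}

$ticket = requestTrustedTicket('constructed.user');   // constructed sample username
echo $ticket === null
    ? 'Could not generate a Tableau ticket.'
    : buildEmbedIframe($ticket, 'MyWorkbook/TaskOverview', ':embed=yes&:toolbar=no');
```

The view path `MyWorkbook/TaskOverview` is a constructed sample value. Because the iframe is fetched by the browser, the dashboard traffic itself still travels between the browser and Tableau Server over whatever path that hostname resolves to for the client.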