Kevin, reverse proxy setup for Tableau is something you do on your external firewall to allow traffic from outside your network to connect to your internal Tableau Server without having to put that server in a DMZ. It has nothing to do with how internal users connect to Tableau Server.
What are you trying to accomplish?
We are trying to have a reverse proxy allow internal Tableau content to be embedded in our public web page. This is the header info that we configure on the reverse proxy.
Here are the headers set for the Tableau reverse proxy server (dataviz.lsu.edu).
Changing the gateway default port to 80 on the tableaudev server with the tsm commands seemed to fix the issue with publishing from your desktop.
Connecting to either http://dataviz.lsu.edu or https://dataviz.lsu.edu from an outside network will present you with the SSO SAML page (which then successfully redirects you to our internal server xxxx.lsu.edu if you pass authentication).
When clicking links of embedded visualizations (like https://dataviz.lsu.edu/t/LSUExternalContents/views/... ) an error appears.
Fairly certain the guest account is hitting the SSO SAML part of the page and then it can’t go any further.
We can try to run the proxy as a specific user to try to get around SSO SAML, but I have had no luck with that so far.
OK, following now.
This link may start to shed some light: Guest access with SSO
Something is in the back of my head that Guest plus SSO/SAML can be tricky. Not finding the reference I'm looking for though.
The Guest account should not get a login prompt, but I'm fuzzy on how that works with SAML authentication vs. native Tableau authentication.
Thanks for the guest access with SSO content.
Here is what we did.
Clean install 2018.3.3 Tableau Server to our dev environment VM.
a. Configure identity store to Active Directory
b. Configure External SSL
c. Authentication Method default to username and password
d. Restore prod maintenance (data) into the dev environment
e. Ran 3 tsm configuration commands for reverse proxy (did not run gateway.public.port)
- Able to see views from a share link using an external network (i.e. cellular service LTE)
- Able to get to the Tableau login page internally and externally
- Able to connect to Tableau Server dev from Tableau Desktop client through the proxy server path
- SAML Authentication server wide will not allow guest access to consume Tableau embedded views or views through a share link because SAML Shibboleth is expecting the guest access to authenticate. With SAML Authentication server wide, we can use Active Directory as the Identity Store.
- SAML Authentication for a specific site will allow guest access to consume Tableau embedded views or views through a share link without having to authenticate through SAML Shibboleth. The major disadvantage is not being able to use Active Directory as the Identity Store. This method requires us to use a local identity store (not efficient).