4 Replies Latest reply on Feb 18, 2019 8:55 AM by Kevin Cheung

    Tableau Server 2018.3, Reverse Proxy Issue

    Kevin Cheung

      I'm looking for some insights to help us troubleshoot reverse proxy.


      The proxy server is configured with IIS on a VM running Windows Server 2016.


      After we ran the tsm command (tsm configuration set -k gateway.public.port -v 443) on the Tableau Server, we were not able to connect to the Tableau Server from Tableau Desktop to publish any workbook. It threw an error about no access to Tableau Server and to check with the Tableau Server admin. After we reset the port back to 80 (tsm configuration set -k gateway.public.port -v 443), we were able to connect and publish from Tableau Desktop. Is there something causing this?


      Thanks in advance,




        • 1. Re: Tableau Server 2018.3, Reverse Proxy Issue
          Michael Gillespie

          Kevin, reverse proxy setup for Tableau is something you do on your external firewall to allow traffic from outside your network to connect to your internal Tableau Server without having to put that server in a DMZ.  It has nothing to do with how internal users connect to Tableau Server.


          What are you trying to accomplish?

          • 2. Re: Tableau Server 2018.3, Reverse Proxy Issue
            Kevin Cheung

            We are trying to use a reverse proxy to allow internal Tableau content to be embedded in our public web page. This is the header info that we configure on the reverse proxy.



            Here are the headers set for the Tableau reverse proxy server (dataviz.lsu.edu).



            Changing the gateway default port to 80 on the tableaudev server with the tsm commands seemed to fix the issue with publishing from your desktop.

            Connecting to either http://dataviz.lsu.edu or https://dataviz.lsu.edu from an outside network will present you with the SSO SAML page (which then successfully redirects you to our internal server xxxx.lsu.edu if you pass authentication).

            When clicking links of embedded visualizations (like https://dataviz.lsu.edu/t/LSUExternalContents/views/... ) an error appears.

            Fairly certain the guest account is hitting the SSO SAML part of the page and then it can’t go any further.

            We can try to run the proxy as a specific user to try to get around SSO SAML, but I have had no luck with that so far.

            • 3. Re: Tableau Server 2018.3, Reverse Proxy Issue
              Michael Gillespie

              OK, following now.


              This link may start to shed some light: Guest access with SSO


              Something is in the back of my head that Guest plus SSO/SAML can be tricky.  Not finding the reference I'm looking for though.


              The Guest account should not get a login prompt, but I'm fuzzy on how that works with SAML authentication vs. native Tableau authentication.

              • 4. Re: Tableau Server 2018.3, Reverse Proxy Issue
                Kevin Cheung



                Thanks for the guest access with SSO content.


                Here is what we did.

                Clean install 2018.3.3 Tableau Server to our dev environment VM.

                a. Configure identity store to Active Directory

                b. Configure External SSL

                c. Authentication Method default to username and password

                d. Restore prod maintenance (data) into the dev environment

                e. Ran 3 tsm configuration commands for reverse proxy (did not run gateway.public.port)



                - Able to see views from a share link using an external network (i.e. cellular service LTE)

                - Able to get to the Tableau login page internally and externally

                - Able to connect to Tableau Server dev from Tableau Desktop client through the proxy server path




                - SAML Authentication server wide will not allow guest access to consume Tableau embedded views or through a share link because SAML Shibboleth is expecting the guest access to authenticate. With SAML Authentication server wide, we can use Active Directory as the Identity Store.

                - SAML Authentication specific site will allow guest access to consume Tableau embedded views or through a share link without having to authenticate through SAML Shibboleth. The major disadvantage is not being able to use Active Directory as the Identity Store. This method requires us to use local identity store (not efficient).