2 Replies Latest reply on May 3, 2019 8:21 AM by Toby Erkson

    Mixing TS addresses with VA:  Server URL versus Virtual IP URL

    Toby Erkson

      Background

      We use a secure VIP URL (e.g. https://fancy-name.com/) for our users to view vizes on the TS (Tableau Server).  When publishing via Desktop they must connect directly to the TS using the server URL (e.g. http://company.server.intranet.com/).

       

      Situation

      I have a user with a VA workbook that has the following:

      VIZ_IMAGE(Testing_CCm/New_Summary?PROJECT='+ [PROJECT] + '|vizlink)
      

       

      The resulting URL link uses the actual server URL (e.g. http://company.server.intranet.com/), not the VIP URL(e.g. https://fancy-name.com/):

      Can you see any issues or potential problems with this?

       

       

      Side note:  We are unable to publish from Desktop to our TS using the VIP URL, it must be done by signing in using the server URL.  I don't know if this is a product limitation or some configuration I need to alter on the TS.  We are in an Active Directory environment and the VIP URL is the entry point to the TS for report consumers.

        • 1. Re: Mixing TS addresses with VA:  Server URL versus Virtual IP URL
          Matt Coles

          Yeah, I'd like to know more about what happens when users try to publish using the secure URL...it's better to fix that problem. Perhaps an issue with missing trusted entries in the config?

           

          When users hit a viz at http://company.server.intranet.com/, are they redirected to a secure link automatically? Can anyone outside of your corporate VPN access your Tableau Server? If they can, then yes, an unencrypted connection is a big problem. Within a VPN it's less so, but still not great, as internal users could still see all the traffic to and from Server, intercept it, and access data or information they shouldn't be able to.

          • 2. Re: Mixing TS addresses with VA:  Server URL versus Virtual IP URL
            Toby Erkson

            I agree, this does need to be addressed.  I'm planning to after a 2019 upgrade.

             

            Users are not redirected to the secure URL.  Using the server URL is still possible even though we tell them not to.  I'm really weak on the whole reverse proxy stuff and getting internal help with this is so maddening that I've given up for the time being.  Naturally we are using this but how it all works isn't clear to me so I can only make setting changes according to what the other team has told me to use.

             

            Nobody outside our VPN can access our TS.