KNOWLEDGE BASE

Enabling TLS Between Tableau Server Independent Gateway and Tableau Server


Published: 31 Mar 2022
Last Modified Date: 31 Mar 2022

Issue

Tableau Server Independent Gateway (TSIG) is a new feature of Tableau Server 2022.1. It provides a topology-aware reverse proxy for Tableau Server (TS) suitable for deployment in a network DMZ.

For TSIG, there are 3 different pathways that can potentially be protected with TLS:
  1. External requests to TSIG
  2. Requests proxied by TSIG to Tableau Server
  3. "Housekeeping" requests from Tableau Server to TSIG
Each can be independently configured for TLS. There is a problem preventing the use of TLS for the pathway between TSIG instances and Tableau Server. The other paths are not affected. In particular, a site which wants to secure traffic all the way to TS would be relaying traffic from TSIG to a TS internal Gateway instance, and from there on to the back-end service. It is that relay link to TS internal Gateway that may cause issues.

Environment

  • Tableau Server Independent Gateway for 2022.1
  • Tableau Server

Resolution

The workaround for this problem is manually editing the httpd.conf.ftl template on all TS nodes:
  1. Locate the template file within the TS software installation directory: packages/templates.XXXX.YYYY.ZZZZ/httpd.conf.ftl
  2. Make a backup copy of that file. Line 2817 of that file contains: ${ADD_BALANCER_GROUP_MEMBER("${scheme}://${TSIG_UNLOCAL(instance_data.host)}:${get_primary_port(instance_data)}")}
  3. Change that line to: ${ADD_BALANCER_GROUP_MEMBER("${scheme}://${TSIG_UNLOCAL(instance_data.host)}")} (that is, remove :${get_primary_port(instance_data)} everything from (and including) the rightmost colon up to (but not including) the closing double quote. Restart Tableau Server.
NOTE:
  • If you elect to use the workaround, you must separately edit that file on every Tableau Server node
  • The changes will be lost if you do a re-install of 2022.1.
  • It must also be done for any new Tableau Server nodes you activate later.

Cause

There is a problem preventing the use of TLS for the pathway between TSIG instances and Tableau Server. The other paths are not affected. In particular, a site which wants to secure traffic all the way to TS would be relaying traffic from TSIG to a TS internal Gateway instance, and from there on to the back-end service. It is that relay link to TS internal Gateway that may cause issues.

Additional Information

This behavior is caused by a Known Issue, ID 1381695, which will be corrected in a maintenance release.

Although the changes will be lost when upgrading from 2022.1 to a later major release or maintenance release, the upgrade will have the permanent issue resolution, making the above workaround moot.

Did this article resolve the issue?