
Server Administrator Guide


Before you install...

Note: You can find additional information about technical specifications for Tableau Server on the Tableau web site, here.

Make sure the computer on which you’re installing Tableau Server meets the following requirements:

• Supported operating systems—Tableau Server is available in a 64-bit version. You can install Tableau Server on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, Windows 8, Windows 8.1, or Windows 10. You may install Tableau Server on virtual or physical platforms.

• Supported browsers—Tableau Server 10 supports Internet Explorer 11 in native mode, and the latest versions of Chrome, Firefox, and Safari.

  This has potential to impact:

  • Customers installing Tableau Server for the first time on Windows 8 or Windows Server 2012 (non-R2). For more information, see Internet Explorer Support.

  • Customers accessing embedded Tableau views in web pages that force Internet Explorer into compatibility mode. For more information, see Internet Explorer Compatibility Mode.

• Minimum requirements—The computer you install Tableau Server on must meet or exceed the minimum hardware requirements. Tableau Server will not install if your computer does not meet the minimum requirements.

  • Minimum requirements are appropriate for testing and prototyping.

  • For production environments your computers should meet or exceed the minimum recommendations.

  For more information, see Minimum Hardware Requirements and Recommendations for Tableau Server on page 104.

• Administrative account—The account under which you install Tableau Server must have permission to install software and services.

• Optional: Run As Account—A Run As User account for the Tableau Server service to run under is useful if you’re using NT Authentication with data sources or if you’re planning on doing SQL Server impersonation. For more information, see Run As User on page 9 and SQL Server Impersonation on page 468.

• IIS and port 80—Tableau Server's gateway listens on port 80, which is also used by Internet Information Services (IIS) by default. If you are installing Tableau Server on a machine that's also running IIS, you should modify Tableau's gateway port number to avoid conflict with IIS. See Tableau Server Ports on page 670 and Edit the Default Ports on page 29 for details.

• Static IP addresses—Any computer running Tableau Server, whether it's a single server installation or part of a cluster, must have a static IP address. For more information, see Hostname Support in Tableau Server on page 128.

Configuration Information

When you install and configure Tableau Server you may be asked for the following information:

| Option | Description | Your Information |
| --- | --- | --- |
| Server Account | The server must have a user account that the service can use. The default is the built-in Windows Network Service account. If you use a specific user account you’ll need the domain name, user name, and password. | Username: Password: Domain: |
| Active Directory | Instead of using Tableau’s built-in user management system, you can authenticate through Active Directory. If so, you’ll need the fully-qualified domain name. | Active Directory Domain: |
| Open port in Windows firewall | When selected Tableau Server will open the port used for http requests in the Windows Firewall software to allow other machines on your network to access the server. | __ Yes __ No |
| Ports | By default Tableau Server requires several TCP/IP ports to be available to the server. See the topic Tableau Server Ports on page 670 for the full list, including which ports must be available for all installations vs. distributed installations or failover-ready installations. The default ports can be changed if there is a conflict. See Edit the Default Ports on page 29 to learn how. | |
| Drivers | You may need to install additional database drivers. Download drivers from www.tableau.com/support/drivers. | |

What's New and What's Changed

Find out about the new and changed features in Tableau Server:

• See the What's New in Tableau Server topic in the Tableau Server online help for information about key new features.

• See What's Changed - Things to Know Before You Upgrade for information about changes that may impact your users.


The Server Administrator Guide is your complete reference for handling administrative tasks on Tableau Server.


Minimum Hardware Requirements and Recommendations for Tableau Server

The following minimum hardware requirements and recommendations apply to all computers running Tableau Server, including physical hardware and virtual machines (VMs):

• Minimum requirements are the minimum hardware your computer must have in order to install Tableau Server. If your computer does not meet these requirements, the Setup program will not install Tableau Server. These requirements are appropriate for testing and prototyping.

• Minimum recommendations are higher than minimum requirements, and represent the minimum hardware configuration you should use for a production installation of Tableau Server. If your computer meets the minimum requirements but does not meet these recommendations, the setup program will warn you but you can continue the installation.

In addition, Tableau Server should not be installed on a physical computer or on a VM instance that is also running resource-intensive applications such as databases or application servers.

Note: If you install Tableau Server on a computer that meets the minimum requirements but does not have at least 8 cores and 16 GB of system memory, the default number of all processes installed is reduced to one of each process by design. For more information about processes, see Server Process Limits on page 84.

Minimum Hardware Requirements

The computer on which you are installing or upgrading Tableau Server must meet the minimum hardware requirements. If the setup program determines that your computer does not meet the following requirements, you will not be able to install Tableau Server. For more information on how the Setup program determines hardware, see "Determining Computer Hardware," below.

These minimum requirements are appropriate for a computer that you use for prototyping and testing of Tableau Server. They apply to single-node installations and to each computer in a distributed installation.

Space

Minimum Hardware

Requirements


For the requirements:

• Free disk space is calculated after the Tableau Server Setup program is unzipped. The setup program uses about 1 GB of space.

• Core count is based on "physical" cores. Physical cores can represent actual server hardware or cores on a virtual machine (VM). Hyper-threading is ignored for the purposes of counting cores.

Note: For Tableau Server 10.0, you need a minimum of 2 physical cores. If you are installing on an Amazon EC2 instance, this means 4 vCPUs. For more information, see Amazon EC2 Instances.

Minimum Hardware Recommendations

For production use, the computer on which you install or upgrade Tableau Server should meet or exceed the minimum hardware recommendations. These recommendations are general. Actual system needs for Tableau Server installations can vary based on many factors, including number of users and the number and size of extracts. If the setup program determines that your computer does not meet the following recommendations, you will get a warning, but you can continue with the setup process.

Contact Tableau for technical guidance.

Nodes must meet or exceed the minimum hardware recommendations, except nodes running backgrounder, where 4 cores may be acceptable.

Determining Computer Hardware

To determine how many physical cores a computer has, the Tableau Server setup program queries the operating system. To view hardware information that the setup program detected on your computer, open the tabadmin.log file in the following folder on the computer where you are installing Tableau Server:

<install directory>\ProgramData\Tableau\Tableau Server\logs\tabadmin.log

In the tabadmin.log file, look for lines similar to the following. These lines provide information about the physical and logical cores that the setup program detected and that it used to determine the core count that is being used for licensing.

2015-04-09 14:22:29.533 -0700_DEBUG_10.36.2.32:<machine name>_:_pid=21488_0x2cd83560 user= request= Running hardware check

2015-04-09 14:22:29.713 -0700_DEBUG_10.36.2.32:<machine name>_:_pid=21488_0x2cd83560 user= request= Detected 12 cores and 34281857024 bytes of memory

2015-04-09 14:22:29.716 -0700_DEBUG_10.36.2.32:<machine name>_:_pid=21488_0x2cd83560 user= request= Hardware meets recommended specifications. Default values will be used.
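
The following is an added example, not part of the guide or of Tableau's tooling: it pulls the hardware-check records out of tabadmin.log lines and compares them with the two thresholds this section states (2 physical cores to install, 8 cores and 16 GB for the full default process count). The function names are hypothetical, the second run in the sample is constructed, and treating the line after "Detected ..." from the same pid as Setup's verdict is an assumption based on the sample above.

```python
import re
from dataclasses import dataclass

# Thresholds quoted from the guide for Tableau Server 10.0.
MIN_CORES_TO_INSTALL = 2   # "you need a minimum of 2 physical cores"
FULL_DEFAULT_CORES = 8     # under 8 cores or 16 GB: one of each process
# Assumption: the guide does not say how Setup converts bytes to GB;
# decimal gigabytes are used here.
FULL_DEFAULT_MEMORY_BYTES = 16 * 1000**3

# Timestamp, pid and free-text message of one tabadmin.log record.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})"
    r".*?pid=(?P<pid>\d+).*?request=\s*(?P<msg>.*)$"
)
DETECTED = re.compile(r"Detected (\d+) cores and (\d+) bytes of memory")


@dataclass
class HardwareCheck:
    timestamp: str
    pid: int
    cores: int
    memory_bytes: int
    verdict: str = ""   # message Setup logged right after detection, if any


def parse_hardware_checks(lines):
    """Return one HardwareCheck per 'Detected N cores' record, oldest first."""
    checks = []
    awaiting = {}   # pid -> check that has not seen its verdict line yet
    for raw in lines:
        rec = RECORD.match(raw.strip())
        if rec is None:
            continue   # blank line or text that is not a log record
        pid, msg = int(rec["pid"]), rec["msg"].strip()
        found = DETECTED.search(msg)
        if found:
            check = HardwareCheck(rec["ts"], pid, int(found[1]), int(found[2]))
            checks.append(check)
            awaiting[pid] = check
        elif pid in awaiting:
            awaiting.pop(pid).verdict = msg
    return checks


def assess(check):
    """Compare one detected configuration with the guide's thresholds."""
    findings = []
    if check.cores < MIN_CORES_TO_INSTALL:
        findings.append("below the 2-core minimum: Setup will not install")
    if (check.cores < FULL_DEFAULT_CORES
            or check.memory_bytes < FULL_DEFAULT_MEMORY_BYTES):
        findings.append("under 8 cores / 16 GB: one of each process by default")
    return findings


# First three records are the guide's sample; the last two are constructed
# (a later Setup run on a smaller machine, with no verdict line logged).
SAMPLE_LOG = """\
2015-04-09 14:22:29.533 -0700_DEBUG_10.36.2.32:<machine name>_:_pid=21488_0x2cd83560 user= request= Running hardware check
2015-04-09 14:22:29.713 -0700_DEBUG_10.36.2.32:<machine name>_:_pid=21488_0x2cd83560 user= request= Detected 12 cores and 34281857024 bytes of memory
2015-04-09 14:22:29.716 -0700_DEBUG_10.36.2.32:<machine name>_:_pid=21488_0x2cd83560 user= request= Hardware meets recommended specifications. Default values will be used.
2015-04-10 09:01:12.101 -0700_DEBUG_10.36.2.40:<machine name>_:_pid=30112_0x1ab2c3d4 user= request= Running hardware check
2015-04-10 09:01:12.240 -0700_DEBUG_10.36.2.40:<machine name>_:_pid=30112_0x1ab2c3d4 user= request= Detected 4 cores and 8589934592 bytes of memory
""".splitlines()

if __name__ == "__main__":
    for check in parse_hardware_checks(SAMPLE_LOG):
        print(check.timestamp, check.cores, "cores",
              check.memory_bytes, "bytes", assess(check) or "ok")
```
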

Manually determining the number of cores on your computer

To determine manually how many physical cores your server has, you can use the Windows Management Instrumentation Command-line tool (WMIC). This is useful if you do not know whether your computer will meet the minimum hardware requirements for installing Tableau Server.

1. Open a command prompt.

2. Enter the following command:

WMIC CPU Get DeviceID,NumberOfCores

The output will display the device ID or IDs and the number of physical cores the computer has.

In this example, there are two CPUs, each with six cores, for a total of twelve physical cores. This computer would satisfy the minimum hardware requirements for installing Tableau Server.

The following command shows a longer version that lists the logical processors as well as the physical cores.

WMIC CPU Get DeviceID,NumberOfCores,NumberOfLogicalProcessors,SocketDesignation

In the above example, the server has a total of twelve physical cores, resulting in 24 logical cores.

Domain Trust Requirements

When you run Tableau Server in an Active Directory environment across multiple domains (either in the same Active Directory forest or in different forests), some Tableau functionality is dependent on the trust relationship between the domains. For example, some administrators manage users in domains that are separate from where they deploy server applications, such as Tableau Server. In other organizations, a Tableau Server deployment might be shared with external partners or with different partners in the organization. Finally, Windows-authenticated data sources, such as SQL Server, MSAS, or Oracle, that Tableau Server connects to may also be in other domains.

If it's feasible, we recommend configuring two-way trust between all domains that interact with Tableau Server. If this is not possible, Tableau Server can be configured to support user authentication where a one-way trust has been configured. In this case, a one-way trust between domains is supported when the domain in which Tableau Server is installed is configured to trust the domain where user accounts reside.

The following illustration shows one-way trust between the domain where Tableau Server is installed and the domain where user accounts reside:

In this scenario, Tableau Server is in the dev.local domain, and users from the users.lan Active Directory domain are imported into Tableau Server. A one-way trust is required for this scenario; specifically, the dev.local domain is configured to trust the users.lan domain. Users in the users.lan domain can access Tableau Server in the dev.local with their normal Active Directory credentials. However, you may need to update the domain nickname on Tableau Server before users log on with the nickname. Refer to the Tableau Knowledge Base for more information.

Kerberos single sign-on is supported in this one-way trust scenario.

Review User Management in Active Directory Deployments on page 676 to understand how multiple domains, domain naming, NetBIOS, and Active Directory user name format influence Tableau user management.

Connecting to live data in one-way trust scenarios

In the one-way trust scenario, users connecting to Tableau Server can connect to live data that's hosted in the cloud or on any other data source on premises that does not rely on Windows authentication.

Data sources that require Windows-authentication might have additional authentication requirements that complicate the scenario, or that can even prevent Tableau Server users from connecting. This is because Tableau Server uses the Run As User account for authentication with such data sources. If you are running Tableau Server in a different domain than data sources that use Windows authentication, verify that the Run As User account that is used for Tableau Server can access the data source.

Run As User

The Run As User is a Windows account that Tableau Server uses ("runs as") when it accesses resources. For example, Tableau Server reads and writes files on the computer where Tableau Server is installed. From the perspective of Windows, Tableau Server is doing this as the Run As User. In some cases, Tableau Server may use the Run As User account to access data from external sources, such as databases or files on a shared network directory.

As you plan your Tableau Server deployment, you need to determine if the default Run As User, configured to run under the context of the local Network Service account (NT Authority\Network Service), will suffice for your needs. If it does not, then you will need to update the Run As User to run under a domain account that has access to the resources in your Active Directory domain(s).

In either case, it’s important to understand the security implications of the account that Tableau Server uses for the Run As User. Specifically, if Tableau Server needs to access other servers, file shares, or databases that use Windows authentication, then the account that is configured for Run As User will be used to access those resources. The account that is configured for Run As User must also have elevated permissions to the local Tableau Server. A general best security practice is to limit the scope of all user accounts to the minimum required permissions. We make the same recommendation to you as you plan Run As User.

You set or update the Run As User account in the Tableau Server Configuration utility. The utility sets permissions for the Run As User, but if you are unsure if the account you want to use for Run As User satisfies the requirements, or if you have changed the Run As User and are getting permission errors, see Required Run As User Account Settings on page 657.

Default Run As User account: Network Service

The Network Service account is a predefined local account with limited permissions that exists on all Windows computers. While it has limited administrative access to the local computer on which it runs, it does have more access to resources than members of the Active Directory default Users group. For example, the Network Service group can write to the registry, the event log, and has special rights to log on for application services.

By default, the Run As User is set to a local account called Network Service. Use the default Network Service account when:

• You are using local authentication for Tableau Server.

• All users in your organization include extracted data in the workbooks that they are uploading to Tableau Server.

• You are running Tableau Server in a single-server deployment.

• External data sources that your users access through Tableau Server do not require Windows NT integrated security or Kerberos. In most data-access scenarios, Microsoft SQL Server, MSAS, Teradata, and Oracle databases require Windows NT integrated security.

While the Network Service account can be used to access resources on remote computers within the same Active Directory domain, we do not recommend using the default account for such scenarios. Instead, configure a domain account for Run As User if Tableau Server must connect to data sources in your environment. See Create and Update the Run As User Account below.

Run As User account: Domain user

For all Active Directory scenarios, we recommend updating the Tableau Server Run As User with a domain user account. Update the Run As User to a domain user account when data sources accessed through Tableau Server require Windows NT integrated security or Kerberos.

If you have deployed a distributed deployment of Tableau Server, then you can update the Run As User account with either a domain user or a Windows workgroup user. In either case, you must use the same user account for all server nodes. See Distributed Requirements on page 125 for more information.

To configure your environment to use a domain account, see Create and Update the Run As User Account below.

Create and Update the Run As User Account

If you are operating in an environment where a majority of your data sources are authenticated in the context of Active Directory (Windows NT integrated security) then you will need to configure the Run As User to use a domain account, not the local account (Network Service) that's the default.

There are two steps:

1. Create the Run As User account in Active Directory.

2. Update Tableau Server to use the Run As User account.

Creating the Run As User account

Follow these best practices:

• Create a dedicated account in Active Directory for the Tableau Server Run As User account. In other words, don’t use an existing account. By using a dedicated account you can be sure that the data resources that you permission for Tableau Server are only accessible by Tableau Server Run As User.

• Do not use an account with any kind of domain administrative permissions. Specifically, when you create an account in Active Directory, create an account in the domain User Group. Do not add the account that you create to any Active Directory security groups that needlessly elevate the permissions for the account.

• Permission the data sources in your directory for this one account. The account that you’ll use for Run As User only needs Read access to the appropriate data sources and network shares.

Updating the Run As User in Tableau Server

After you have created the Run As User account in Active Directory, configure Tableau Server to use that account as the Run As User. See Configure General Server Options on page 39 for information on how to update the Run As User account. After you update the Run As User, Tableau Server (tabadmin) will automatically configure permissions on the local computer for the Run As User that you have entered.

If you have installed Tableau Server on a drive other than the system drive, then you will need to configure the system drive to allow the Run As User additional permissions. The system drive is the drive where Windows is installed. For example, if you have installed Windows on the C:/ drive, then C:/ is your system drive. If you install Tableau Server on any other drive (D:/, E:/, etc.), then you will need to configure permissions to allow the Run As User to read, execute, and modify the system drive.

Related tasks

The Run As User is central to many operations on Tableau Server, especially those that are involved with remote data access. To avoid access errors, review the tasks here and follow the links for those that apply to your scenario.

• If you are running Tableau Server in an organization with multiple Active Directory domains, see Domain Trust Requirements on page 7.

• Enabling Kerberos single sign-on requires additional configuration related to the Run As User. To enable Kerberos single sign-on with Tableau Server, see Kerberos on page 415.

• Enabling impersonation requires additional configuration related to Run As User. To deploy and enable impersonation with Microsoft SQL Server, see Impersonate with Embedded SQL Credentials on page 472.

• If you have installed Tableau Server onto the non-system drive, then you will need to manually set some permissions for the Run As User. See Required Run As User Account Settings on page 657 for more information.

Configuring Proxies for Tableau Server

In most enterprises, Tableau Server needs to communicate with the internet. Communications between your network and the internet should be mediated using proxy servers. Forward proxy servers mediate traffic from inside the network to targets on the internet. Reverse proxy servers mediate traffic from the internet to targets inside the network.

Who should read this article?

This article is for IT professionals who are experienced with general networking and gateway proxy solutions. The article describes how and when Tableau requires internet access, and describes how to configure your network and Tableau to use forward and reverse proxy servers for access to and from the internet. There are many third-party proxy solutions available, so some of the content in the article is necessarily generic.

In this article:

• How Tableau communicates with the internet

• Configure a forward proxy server

• Configure a reverse proxy server

How Tableau communicates with the internet

Tableau Server requires outbound access to the internet for these scenarios:

• Working with maps. Tableau uses map data that is hosted externally. By default, Tableau uses OpenStreetMaps for map data.

  Tableau Server needs to connect to maps.tableausoftware.com using port 443. If it cannot make this connection, maps may fail to load.

• Licensing. Tableau products connect to the internet to activate license keys. Unless you activate Tableau software with the Offline Activation Tool, all Tableau products must have continuous access to the internet to validate their licenses.

  Tableau Server needs to connect to the following internet locations for licensing purposes: licensing.tableau.com:443 (licensing.tableausoftware.com:443 for versions 8.2-9.x), crl.thawte.com, and ocsp.thawte.com. If Tableau Server cannot make a connection while attempting to activate its license, you will be prompted to do an offline activation.

• Working with external or cloud-based data.

Tableau Server can run without internet access, but in most organizations, the scenarios in the list require Tableau to be able to access the internet.

To configure access to the internet from Tableau Server, you should use a forward proxy.

Note: Both Tableau Desktop and Tableau Server need to communicate with the internet for mapping, licensing, and external data. In this article, we focus on Tableau Server, which has specific requirements for configuring internet access. Do not set up Tableau Server on the computer that's acting as your organization's internet gateway.

In many enterprises, users also need to access Tableau Server from outside the network (that is, from the internet). For example, in many enterprises, users want to be able to reach Tableau Server from their mobile devices in order to interact with views that are stored on the server. To configure access to Tableau Server from the internet or from mobile devices, you should use a reverse proxy.

Configure a forward proxy server

To enable communication from Tableau Server to the internet, deploy Tableau Server behind a forward proxy server. When Tableau Server needs access to the internet, it doesn't send the request directly to the internet. Instead, it sends the request to the forward proxy, which in turn forwards the request. Forward proxies help administrators manage traffic out to the internet for tasks such as load balancing, blocking access to sites, etc.

If you use a forward proxy, you must configure the computers that run Tableau Server inside the network to send traffic to the forward proxy.

Note: If you know that none of your users need access to map data or online data sources in the workbooks that they’ll be publishing to Tableau Server, and if you are configuring Tableau Server for offline licensing, you can skip this section. Otherwise, you'll need to configure Tableau Server to connect to the internet.

Configuring Tableau Server to work with a forward proxy

The steps for configuring internet options on the Tableau Server computer depend on which of these scenarios describes your enterprise:

• Your organization doesn't use a forward proxy solution. If your organization is not running a proxy solution and the computer where you are installing Tableau Server can communicate with the internet, you don’t need to follow the procedures here.

• A proxy solution is deployed, and automatic configuration files define connection settings. If your organization uses automatic configuration files (such as PAC or .ins files) to specify internet connection information, you can use this information in the Local Area Network (LAN) Settings dialog box in Windows. For more information, see Automatic Detection and Configuration of Browser Settings on the Microsoft support site.

• A proxy solution is deployed, but automatic configuration files are not deployed. For this scenario, you must configure LAN settings so that connections to your proxy server are run under the security context of the Run As User account. You must also configure localhost and other internal Tableau Server instances as exceptions.

The following procedure describes the steps for the last scenario—a proxy solution without automatic configuration files.

Note: If you are using a distributed installation of Tableau Server, perform the following procedures on the primary server and on each worker node.

Step 1: Add the Run As User account to the Local Administrators group

To perform this procedure, you must log onto the Tableau Server computer as the Run As User. By default, the "log on locally" policy is not applied to the Run As User account. Therefore, you must temporarily add the Run As User account to the Local Administrators group.

If you haven't installed Tableau Server on the computer yet, see Run As User for more information about creating the Run As User account. If you already installed Tableau Server and set the Run As User setting, you can determine the Run As User account name by logging onto Tableau Server. The Tableau Server Run As User is listed on the General tab of the Tableau Server Configuration window. To access the configuration utility, in the Windows Start menu, search for Configure Tableau Server.

Add the Run As User to the Local Administrators group using steps in Add a member to a local group on the Microsoft website. When you've finished configuring the forward proxy information, you'll remove the Run As User account from the Local Administrators group.

Step 2: Configure the proxy server in Windows LAN Settings

1. Using the Run As User account, log onto the computer where Tableau Server is installed.

Leave this dialog box open and continue to the next step.

Step 3: Add exceptions to bypass the proxy server

You add exceptions to this proxy configuration to guarantee that all communications within a local Tableau Server cluster (if you have one now or will have one later) do not route to the proxy server.

1. In the LAN settings dialog box, click Advanced. (This button is available only if you've selected the option to use a proxy server for your LAN.)

2. In the Proxy Settings dialog box, enter localhost in the Exceptions field. In addition, enter the server names and IP addresses of other Tableau Server computers in the same cluster. Use semicolons to separate items.

3. Close the proxy settings dialog box and the Local Area Network (LAN) Settings dialog box.

4. In the Internet Properties dialog box, click OK to apply the settings.

Stay logged onto the computer and continue to the next step.

Step 4: Test the proxy configuration

To test the new configurations, while still logged on as the Run As User on the Tableau Server computer, open a web browser and test the following Tableau mapping URL:

Miami and Havana (blue water)

This is the URL:

https://maps.tableausoftware.com/tile/d/mode=named|from=tableau1_2_base/mode=named|from=tableau1_2_admin0_borders/mode=named|from=tableau1_2_place_labels/ol/6/17/27.png?apikey=ttab56540ba691a909b0f7d2af0f6fe7

If the configuration is working, you see a map of Miami and Havana. This indicates that the Tableau Server computer is able to access the internet through the proxy.

Step 5: Remove the Run As User account from the Local Administrator group

After you have tested the proxy settings, remove the Run As User account from the Local Administrators group. Leaving the Run As User in the administrator group unnecessarily elevates the permissions of the Run As User group and is a security risk.

Restart Tableau Server to ensure that all changes are implemented.
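
As an added example for Step 3 (not part of the guide or of any Tableau tool), the following check takes the semicolon-separated Exceptions string and a cluster inventory and reports which required hosts would still be routed to the forward proxy, plus any entry so broad that it bypasses the proxy for everything. The node names and addresses are constructed, the function names are hypothetical, and treating `*` as the only wildcard is a simplified model of the Windows field.

```python
import re

# On Windows the Exceptions field is stored per user (the ProxyOverride
# value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
# Settings). That is general Windows behaviour, not something the guide
# states; it is why the value to check is the Run As User's own.


def parse_exceptions(value):
    """Split the semicolon-separated Exceptions field into lowercase entries."""
    return [item.strip().lower() for item in value.split(";") if item.strip()]


def _matches(host, pattern):
    # Assumption: '*' is the only wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, host) is not None


def bypasses_proxy(host, entries):
    """True if some exception entry covers this host name or address."""
    host = host.strip().lower()
    return any(_matches(host, entry) for entry in entries)


def required_hosts(cluster_nodes):
    """localhost plus each node's name and IP address, in order, no repeats."""
    required = ["localhost"]
    for name, ip in cluster_nodes:
        for host in (name.strip().lower(), ip.strip()):
            if host not in required:
                required.append(host)
    return required


def build_exceptions(cluster_nodes):
    """Exceptions string as Step 3 describes it, separated by semicolons."""
    return ";".join(required_hosts(cluster_nodes))


def missing_exceptions(value, cluster_nodes):
    """Required hosts whose traffic would still be sent to the proxy."""
    entries = parse_exceptions(value)
    return [host for host in required_hosts(cluster_nodes)
            if not bypasses_proxy(host, entries)]


def overbroad_entries(value):
    """Entries made only of wildcards and dots: they exempt every host,
    which defeats the purpose of sending outbound traffic via the proxy."""
    return [entry for entry in parse_exceptions(value)
            if entry.strip("*.") == ""]


# Constructed inventory: (server name, IP address) of each cluster node.
SAMPLE_NODES = [("tableau-p1", "192.0.2.10"), ("tableau-w1", "192.0.2.11")]
# Constructed field value with one worker address forgotten.
SAMPLE_VALUE = "localhost; TABLEAU-P1 ;192.0.2.10;tableau-w1"

if __name__ == "__main__":
    print("missing:", missing_exceptions(SAMPLE_VALUE, SAMPLE_NODES))
    print("too broad:", overbroad_entries(SAMPLE_VALUE))
    print("expected field:", build_exceptions(SAMPLE_NODES))
```
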

Configure a reverse proxy server

A reverse proxy is a server that receives requests from external (internet) clients and forwards them to Tableau Server. Why use a reverse proxy? The basic answer is security. A reverse proxy makes Tableau Server available to the internet without having to expose the individual IP address of that particular Tableau Server to the internet. A reverse proxy also acts as an authentication and pass-through device, so that no data is stored where people outside the company can get to it. This requirement can be important for organizations that are subject to various privacy regulations such as PCI, HIPAA, or SOX.

How a reverse proxy works with Tableau Server

The following diagram illustrates the communication path when a client makes a request to Tableau Server that is configured to work with a reverse proxy server.

1. An external client initiates a connection to Tableau Server. The client uses the public URL that's been configured for the reverse proxy server, such as https://tableau.example.com. (The client doesn't know that it's accessing a reverse proxy.)

2. The reverse proxy maps that request in turn to a request to Tableau Server. The reverse proxy can be configured to authenticate the client (using SSL/TLS) as a precondition to passing the request to Tableau Server.

3. Tableau Server gets the request and sends its response to the reverse proxy.

4. The reverse proxy sends the content back to the client. As far as the client is concerned, it just had an interaction with Tableau Server, and has no way to know that the communication was mediated by the reverse proxy.

Proxy servers and SSL

For better security, you should configure reverse proxy servers to use SSL for any traffic that's external to your network. This helps to ensure privacy, content integrity, and authentication. Unless you've deployed other security measures to protect traffic between your internet gateway and Tableau Server, we also recommend configuring SSL between the gateway proxy and Tableau Server. You can use internal or self-signed certificates to encrypt traffic between Tableau Servers and other internal computers.

Reverse proxy and user authentication

Tableau Server will always authenticate users. This means that even if you are authenticating inbound connections at the gateway for your organization, Tableau Server will still authenticate the user. Therefore, we recommend a transparent scenario where Tableau Desktop, Tableau Mobile, or browser user requests are not prompted for authentication at the gateway. This recommendation doesn't prohibit using SSL for client/server system-level authentication at the gateway proxy; in fact, we strongly recommend SSL system-level authentication.

You can use SAML, OpenID Connect, or Trusted Tickets with a reverse proxy.

If your organization is authenticating with Active Directory:

- Active Directory with Enable automatic logon (SSPI) is not supported with a reverse proxy.

- Tableau Server must be configured for reverse proxy before configuring Tableau Server for Kerberos. For more information, see Configure Kerberos on page 420.

Configure Tableau Server to work with a reverse proxy server

Before you configure Tableau Server, you'll need to collect the following information about the proxy server configuration. To configure Tableau Server, you use the tabadmin utility. The information you need to collect corresponds to options you'll need when you run tabadmin.

Item: IP address or CNAME
Description: You can either enter an IP address or a CNAME for this option. The public IP address or addresses of the proxy server. The IP address must be in IPv4 format, such as 203.0.113.0, and it must be a static IP. If you are unable to provide a static IP, or if you are using cloud proxies or external load balancers, you can specify the CNAME (Canonical Name) DNS value that clients will use to connect to Tableau Server. This CNAME value must be configured on your reverse proxy solution to communicate with Tableau Server.
Corresponding tabadmin option: gateway.trusted

Item: FQDN
Description: The fully qualified domain name that people use to reach Tableau Server, such as tableau.example.com. Tableau Server doesn't support a FQDN with information beyond the domain name, such as example.com/tableau.
Corresponding tabadmin option: gateway.public.host

Item: Non-FQDN
Description: Any subdomain names for the proxy server. In the example of tableau.example.com, the subdomain name is tableau.
Corresponding tabadmin option: gateway.trusted_hosts

Item: Aliases
Description: Any public alternative names for the proxy server. In most cases, aliases are designated using CNAME values. An example would be a proxy server bigbox.example.com and CNAME entries of ftp.example.com and www.example.com.
Corresponding tabadmin option: gateway.trusted_hosts

Item: Ports
Description: Port numbers for traffic from the client to the reverse proxy server.

2. Enter the following to change to the folder where tabadmin.exe is located:

cd "C:\Program Files\Tableau\Tableau Server\10.0\bin"

2. Enter the following command to stop Tableau Server:

tabadmin stop

3. Enter the following command to set the FQDN that clients will use to reach Tableau Server through the proxy server, where name is the FQDN:

tabadmin set gateway.public.host "name"

For example, if Tableau Server is reached by entering https://tableau.example.com in the browser, enter this command:

tabadmin set gateway.public.host "tableau.example.com"

4. Enter the following command to set the address or the CNAME of the proxy server, where server_ip_address is the IPv4 address or CNAME value:

tabadmin set gateway.trusted "server_ip_address"

If your organization uses multiple proxy servers, enter multiple IPv4 addresses, separating them with commas. IP ranges are not supported. To improve start up and initialization of Tableau Server, minimize the number of entries for gateway.trusted.

5. Enter the following command to specify alternate names for the proxy server, such as its fully qualified domain name, any not fully qualified domain names, and any aliases. If there's more than one name, separate the names with a comma.

tabadmin set gateway.trusted_hosts "name1, name2, name3"

For example:

tabadmin set gateway.trusted_hosts "proxy1.example.com,proxy1, ftp.example.com, www.example.com"

6. If the proxy server is using SSL to communicate with the internet, run the following command, which tells Tableau that the reverse proxy server is using port 443 instead of port 80:

tabadmin set gateway.public.port "443"

Note: If the proxy server is using SSL to communicate with Tableau Server, SSL must be configured and enabled on Tableau Server. See Configure External SSL on page 400.

7. Enter the following command to commit the configuration change:

tabadmin config

8. Enter the following command to restart the server:

tabadmin start

Configure the reverse proxy server to work with Tableau Server

When a client accesses Tableau Server through a reverse proxy, specific message headers have to be preserved (or added). Specifically, all proxy servers in the message chain must be represented in the gateway.trusted and gateway.trusted_hosts settings.

The following graphic shows example headers for a single-hop message chain, where the proxy server is communicating directly with Tableau Server:

The following graphic shows example headers for a multiple-hop message chain, where the message traverses two proxy servers before connecting to Tableau Server:

The following table describes what these headers are and how they relate to the configuration settings on Tableau Server:

Headers: REMOTE_ADDR and X-FORWARDED-FOR (XFF)
Description: Tableau Server needs these headers to determine the IP address of origin for requests. X-FORWARDED-FOR header must present IP address chain to Tableau Server in the order the connections have occurred.
Settings: The IP address that you set in gateway.trusted must match the IP presented in REMOTE_ADDR. If you sent multiple addresses in gateway.trusted, one of them must match the IP presented

Settings: The host names that are presented in X-FORWARDED-HOST header must be included in the host names that you specify in gateway.trusted_hosts.

Headers: X-FORWARDED-PROTO (XFP)
Description: This header is required if SSL is enabled for traffic from the client to the proxy, but not for traffic from the proxy to Tableau Server. The X-FORWARDED-PROTO headers are important for scenarios where HTTP or HTTPS is not maintained along each hop of the message route. For example, if the reverse proxy requires SSL for outside requests, but traffic between the reverse proxy and Tableau Server is not configured to use SSL, X-FORWARDED-PROTO headers are required. Some proxy solutions add the X-FORWARDED-PROTO headers automatically, while others do not. Finally, depending on your proxy solution, you might have to configure port forwarding to translate the request from port 443 to port 80.
Settings: Port configuration on reverse proxy (inbound connections from client and outbound connections to Tableau Server) must be specified in the corresponding parameter: gateway.public.port, which is the port clients use to connect to the proxy. If the proxy server is using SSL to communicate with Tableau Server, SSL must be configured and enabled on Tableau Server. See Configure External SSL on page 400.
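The header rules in the table above can be checked before go-live against a captured request. The following is an added example, not part of the Tableau guide or of Tableau's own tooling: the function names, the sample settings and the sample requests are constructed for illustration, CNAME entries in gateway.trusted are not resolved, and it assumes the first X-Forwarded-For entry is the client while later entries are proxies.

```python
"""Check reverse proxy request headers against tabadmin gateway.* settings."""
import ipaddress
import re


def split_list(value):
    """Split a comma-separated tabadmin value or header into trimmed entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_ipv4(entry):
    try:
        return ipaddress.ip_address(entry).version == 4
    except ValueError:
        return False


def check_gateway_trusted(value):
    """gateway.trusted takes single IPv4 addresses or CNAMEs; ranges are not supported."""
    problems = []
    for entry in split_list(value):
        if is_ipv4(entry):
            continue
        if ":" in entry:
            problems.append(f"gateway.trusted: {entry} is not in IPv4 format")
        elif re.fullmatch(r"[0-9./-]+", entry):
            problems.append(f"gateway.trusted: {entry} is not a single IPv4 address "
                            "(IP ranges are not supported)")
        # anything else is taken to be a CNAME
    return problems


def check_request(settings, remote_addr, headers, backend_ssl):
    """Return the mismatches between one proxied request and the settings.

    remote_addr is the peer address Tableau Server sees (REMOTE_ADDR);
    backend_ssl says whether the proxy-to-Tableau hop uses SSL.
    """
    hdr = {name.lower(): value for name, value in headers.items()}
    trusted = split_list(settings["gateway.trusted"])
    trusted_ips = {entry for entry in trusted if is_ipv4(entry)}
    # Entries that are not IPv4 addresses (CNAMEs) are not resolved here (no DNS),
    # so address comparisons are skipped when any are present.
    unresolved = len(trusted_ips) < len(trusted)
    trusted_hosts = {h.lower() for h in split_list(settings["gateway.trusted_hosts"])}
    problems = check_gateway_trusted(settings["gateway.trusted"])

    if remote_addr not in trusted_ips and not unresolved:
        problems.append(f"REMOTE_ADDR {remote_addr} matches no gateway.trusted entry")

    chain = split_list(hdr.get("x-forwarded-for", ""))
    if not chain:
        problems.append("X-Forwarded-For is missing; origin IP cannot be determined")
    # Assumption: the first XFF entry is the client, later entries are proxies.
    for hop in chain[1:]:
        if hop not in trusted_ips and not unresolved:
            problems.append(f"proxy {hop} in X-Forwarded-For is not in gateway.trusted")

    for host in split_list(hdr.get("x-forwarded-host", "")):
        name = host.lower().split(":")[0]  # drop an optional :port
        if name not in trusted_hosts:
            problems.append(f"host {name} in X-Forwarded-Host is not in gateway.trusted_hosts")

    client_ssl = settings.get("gateway.public.port") == "443"
    if client_ssl and not backend_ssl and hdr.get("x-forwarded-proto", "").lower() != "https":
        problems.append("X-Forwarded-Proto: https is required (SSL ends at the proxy)")
    return problems


# Constructed sample settings and requests (documentation address ranges).
SETTINGS = {
    "gateway.public.host": "tableau.example.com",
    "gateway.public.port": "443",
    "gateway.trusted": "203.0.113.10, 203.0.113.11",
    "gateway.trusted_hosts": "tableau.example.com, tableau",
}
SINGLE_HOP = ("203.0.113.10", {"X-Forwarded-For": "198.51.100.7",
                               "X-Forwarded-Host": "tableau.example.com",
                               "X-Forwarded-Proto": "https"})
# Two hops, but the outer proxy (203.0.113.99 / edge.example.com) was never
# added to the settings, and nothing sets X-Forwarded-Proto.
MULTI_HOP_BAD = ("203.0.113.11", {"X-Forwarded-For": "198.51.100.7, 203.0.113.99",
                                  "X-Forwarded-Host": "edge.example.com, tableau.example.com"})

if __name__ == "__main__":
    for label, (addr, headers) in (("single hop", SINGLE_HOP), ("multi hop", MULTI_HOP_BAD)):
        issues = check_request(SETTINGS, addr, headers, backend_ssl=False)
        print(label, "OK" if not issues else issues)
```

An empty result for every hop pattern you expect in production is the goal; any message names the setting or header to correct.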

Validate reverse proxy setup

To validate your reverse proxy setup, perform the following tasks from a computer on the internet.

- Log in to Tableau Server from Tableau Desktop (see Sign in to Tableau Server or Online)
- Open workbook from Tableau Server (see Opening Workbooks from the Server)
- Log out Server (with Desktop) (see Sign in to Tableau Server or Online)
- Log into Tableau Server from a web browser (see Sign in)
- Download workbook from a web browser (see Download Workbooks)
- Check to make sure tabcmd (from a non-server client) works (see How to Use tabcmd on page 738)

Tableau Server Ports

The following table lists the ports that Tableau Server uses by default, and which must be available for binding. If you install multiple instances of a process (Cache Server for example) on a node, consecutive ports are used, starting at the base port. If Windows Firewall is enabled, Tableau Server will open the ports it needs for internal communication between processes. (There are circumstances when you may need to take action in addition. If you are making an external connection to the Tableau Server database you may need to open ports manually. If you have a distributed installation with a worker running Windows 7, see the Tableau Knowledge Base.)

Dynamic port remapping

When dynamic port remapping is enabled (the default), Tableau Server first attempts to bind to the default ports, or to user-configured ports if they are defined. If the ports are not available, Tableau Server attempts to remap most processes to other ports, starting at port 8000. When next restarted, Tableau Server will revert to using the default or configured ports.

The gateway port and SSL port are not dynamically remapped. If port 80 is not available when Tableau Server is first installed, the installation program will choose a different gateway port (usually 8000). This value will display on the General tab of the Configuration utility. Tableau Server will always use the port shown in the Configuration utility for the gateway process.

When dynamic port remapping is disabled, Tableau Server does not attempt to remap processes and if a conflict is detected, Tableau Server will not start.

Note: Port conflicts can affect how JMX ports are determined. For more information, see Enable the JMX Ports on page 31.

You can disable dynamic port remapping using the tabadmin set service.port_remapping.enabled command. For more information, see tabadmin set options on

Table columns: TCP/UDP, Used by, TYPE OF INSTALLATION (All, Distributed, High Availability), Parameter

Resource Manager: UDP port used for communication between Tableau Server processes. The Server Resource Manager monitors memory and CPU usage of Tableau Server processes (backgrounder.exe, dataserver.exe, tabprotosrv.exe, tdeserver.exe, vizportal.exe, vizqlserver.exe)

dis-on these ports)

Manager process (tabadmwrk.exe) that is used for auto-discovery of worker servers in a distributed environment

6379 TCP Cache Server process (redis-server.exe). Base port 6379. Consecutive ports after 6379 are used, up to the number of processes.

repository.port These parameters must be set to the same value

Base port 8600. Consecutive ports after 8600 are used, up to the number of processes.

8700 TCP Application Server process (vizportal.exe)

9100 and 9101)

TCP Data Server process (base port 9700). Consecutive ports after 9700, up to the number of processes, are also used. By default, Tableau Server installs with two Data Server processes (ports 9700 and 9701).

0 TCP Coordination controller (ZooKeeper) client port

13000 TCP Coordination controller (ZooKeeper) leader port. Parameter: zoo-er.config.leaderElectPort

TCP One additional port is dynamically chosen for workers and the primary server to communicate licensing information in distributed and highly available environments. Instead, you can specify a fixed port (27010 is recommended). See the Tableau Knowledge Base for details.

27042 TCP Data Engine process. Tableau Server installs with one Data Engine process. There can be up to two Data Engine processes per node.

Edit the Default Ports

Tableau Server processes are configured to use certain ports on the computer where the server is installed. For more information, see Tableau Server Ports on page 670.

In general, you do not need to make changes to the port assignments for the server processes. However, if the computer that's running Tableau Server is also running other software that uses ports (this is not recommended), it's possible that the port assignments for Tableau Server processes conflict with ports used by the other software. In that case, you can assign different ports to Tableau Server processes.

To modify the ports used by Tableau Server processes, you use the command line administrative tool (tabadmin on page 680). For example, the default port for the application server process (vizportal.exe) is 8000. You can use the tabadmin parameter workerX.vizportal.port to change it to a different port.

Note: Changing ports requires a restart of Tableau Server. While the server is restarting it will be unavailable to all users. Be sure to warn your users of the outage prior to this operation or schedule this maintenance during non-business hours.

Follow the steps below to change the Tableau Server port configuration. If you are enabling the server's JMX ports, see Enable the JMX Ports on page 31.

1. Open a command prompt as an administrator and type the following:

cd "C:\Program Files\Tableau\Tableau Server\10.0\bin"

2. Modify a port value by typing one of the following commands:

tabadmin set <workerX>.<parameter> <new port value>

tabadmin set <parameter> <new port value>

where:

- <workerX> indicates which machine in a cluster you want to change the process port for. The placeholder X refers to the worker number: worker0 is the primary server (or the only server if you are not running a distributed server), worker1 is the first worker server, worker2 is the second worker server, and so on. If you are running a distributed server and you want to change the default port for a process on all machines in the cluster, you need to run the command (from a command prompt on the primary) once for each machine in the cluster.

- <parameter> is the server process that you are setting the port for, such as

tabadmin set worker0.vizportal.port 8020

The following example sets the port for a 3-machine cluster (one primary and two workers) to 9200 for the VizQL server process.

tabadmin set worker0.vizqlserver.port 9200

tabadmin set worker1.vizqlserver.port 9200

tabadmin set worker2.vizqlserver.port 9200

You can use the following parameters to modify the corresponding ports. See Tableau Server Ports on page 670 for a complete list of tabadmin parameters that can be set.

Enable the JMX Ports

To help you work through a problem with Tableau Server, Tableau Support may ask you to enable the server's JMX ports. These ports can be useful for monitoring and troubleshooting, usually with a tool like JConsole.

To enable the JMX ports on Tableau Server:

1. Stop the server.

2. Enter the following command:

tabadmin set service.jmx_enabled true

3. Enter the configure command:

tabadmin configure

4. Start the server.

Important: Enabling JMX ports can introduce some security risk. To mitigate this risk, it is important to limit access to the JMX ports to the fewest number of clients that's practical for your scenario. You typically limit access using the host's firewall rules, an external security device, or routing rules.

JMX Port List

Here's the list of JMX ports, all of which are disabled by default. When these ports are enabled, they are used for all types of installations: single-server, distributed, and highly available:

Port: 8300 - 8359
Used by this server process: Application server JMX
Parameter: Determined by the application server port(s) + 300

Port: 8550
Used by this server process: Background monitor JMX
Parameter: Determined by the background port of 8250 + 300

Port: 9400 - 9499
Used by this server process: VizQL server JMX
Parameter: Determined by the VizQL

How the JMX Ports Are Determined

By default, the JMX ports for the application server (8300 - 8359), backgrounder (8550), VizQL server (9400 - 9599), and the data server (10000 - 10299) are assigned using the formula "base port + 300". (See Tableau Server Ports on page 670 for a list of the default base ports.)

In addition, if there are multiple instances of a process, each will have a JMX port. For example, if you configure Tableau Server to run four instances of the application server process, ports 8000 (default base port), 8001, 8002, and 8003 are used. Application server JMX ports 8300 (base port + 300), 8301, 8302, and 8303 are then bound to their respective process instances.

If dynamic port remapping is enabled (which is the default) and if a port conflict is detected, JMX ports are not determined using the "base port + 300" formula. Instead, both base ports and JMX ports are assigned to available ports starting at port 8000. No offset is used for JMX ports; they are assigned the next available port, just like base ports are. If it's important that you have a fixed JMX port, you can disable port remapping or change the base ports so that there are no port conflicts.

Even though they’re not directly used by Tableau Server, if a JMX port is being used by another application, Tableau Server processes won’t run. In addition, JMX ports cannot be edited directly using tabadmin. You change a JMX port by changing the base port for its process. In other words, if port 10000 isn’t available for the data server JMX process, you use tabadmin (as described in Edit the Default Ports on page 29) to change the data server base port from 9700 to 9800. This will move the data server JMX port to 10100.
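Because a single port conflict makes the "base port + 300" formula unreliable, it helps to predict the JMX ports and look for collisions before enabling them. The following is an added example, not Tableau code: the function names, instance counts and the port assumed to be in use are constructed, and the base ports are the ones used in this section's examples (the VizQL base of 9100 is the listed JMX port 9400 minus the offset).

```python
"""Predict JMX ports from base ports and flag conflicts before enabling JMX."""
JMX_OFFSET = 300  # "base port + 300"

# Base ports as used in the JMX examples in this section.
BASE_PORTS = {
    "application server": 8000,
    "backgrounder": 8250,
    "VizQL server": 9100,
    "data server": 9700,
}


def process_ports(base, instances):
    """(base, JMX) port pair per instance; instances use consecutive ports."""
    return [(base + i, base + i + JMX_OFFSET) for i in range(instances)]


def plan_ports(instances, overrides=None, in_use=()):
    """Return (layout, conflicts) for the given instance counts.

    overrides: base ports changed with tabadmin set workerX.<process>.port
    in_use:    ports already bound by other software on the host
    A non-empty conflicts list means the formula cannot be relied on: with
    dynamic remapping enabled the ports move, and with it disabled the
    server will not start.
    """
    bases = {**BASE_PORTS, **(overrides or {})}
    layout = {name: process_ports(bases[name], count)
              for name, count in instances.items()}
    owner = {port: "other software" for port in in_use}
    conflicts = []
    for name, pairs in layout.items():
        for base, jmx in pairs:
            for port, role in ((base, "base"), (jmx, "JMX")):
                label = f"{name} {role}"
                if port in owner:
                    conflicts.append((port, label, owner[port]))
                else:
                    owner[port] = label
    return layout, conflicts


def jmx_ports(layout):
    """Sorted JMX ports: the set to restrict with firewall or routing rules."""
    return sorted(jmx for pairs in layout.values() for _, jmx in pairs)


# Constructed sample: instance counts for one node and one port held by other software.
INSTANCES = {"application server": 4, "backgrounder": 1,
             "VizQL server": 2, "data server": 2}
IN_USE = {10000}

if __name__ == "__main__":
    layout, conflicts = plan_ports(INSTANCES, in_use=IN_USE)
    print("conflicts with defaults:", conflicts)
    # The fix described above: move the data server base port from 9700 to 9800.
    layout, conflicts = plan_ports(INSTANCES, {"data server": 9800}, IN_USE)
    print("conflicts after change:", conflicts)
    print("JMX ports to restrict:", jmx_ports(layout))
```

The final list is the set of ports to cover with the firewall or routing restrictions recommended when JMX is enabled.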

Restore the Default Value for a Port

You can restore the default value for a port by following the procedure below:

1. Open a command prompt as an administrator and type the following:

cd "C:\Program Files\Tableau\Tableau Server\10.0\bin"

2. Restore the default port value by typing the following:

tabadmin set <workerX>.<parameter> default

If Tableau Server is running on one machine, <workerX> is worker0. If you’re running a cluster, worker0 is the primary, worker1 is your first worker server, worker2 is your second, and so on.

Here’s an example:

tabadmin set worker0.vizqlserver.port default

3. Update the server's configuration by typing the following:

tabadmin config

4. Restart Tableau Server by typing the following:

tabadmin restart

Install and Configure

Here are the main steps you need to take to install and configure Tableau Server:

Everybody's Install Guide

Installing Tableau Server is about as easy as it gets with server software. Still, if you're new to it, you can use someone to help you figure out what to prepare and how to go through it. And now we've got you covered.

Take a look at the brand-new Tableau Server: Everybody’s Install Guide.

Everybody’s Install Guide explains how to plan for, install, and manage a single-machine instance of Tableau Server.

Run Server Setup

After you download the Tableau Server installation file, follow the instructions below to install the server.

1. Double-click the installation file.

2. Follow the on-screen instructions to complete Setup and install the application.

The default installation path is C:\Program Files\Tableau\Tableau Server. You can choose a different location, including a different drive, either by browsing to or typing in a new path.

Note: When you upgrade a Tableau Server that's been installed to a non-default location, you need to navigate to that non-default path during the upgrade. For details, see Upgrade Tableau Server to a Non-Default Location on page 119.

3. After the installation completes, click Next to open the Product Key Manager window.

If you need to support characters that are not the Latin-1 set, install the Windows Language Packs via Control Panel > Regional and Language Options. The language packs will need to be installed on the primary server as well as any worker machines.

Activate Tableau

Tableau Server requires at least one product key that both activates the server and specifies

the Tableau Customer Account Center. After installing and configuring the server, the product key manager automatically opens so you can enter your product key and register the product.

If you need to activate the product on a computer that is offline, see Activate Tableau Offline on the next page. If you need to activate additional product keys to add capacity to an existing Tableau Server installation, see Add Capacity to Tableau Server on page 596.

If you are activating Tableau Server as part of the install process, the Product Key Manager opens automatically. If you need to open it, in Windows, click Start > All Programs > Tableau Server <version> > Manage Product Keys.

Note: You can also find instructions for activating and registering Tableau Server on the download help page.

1. Select Activate the product:

2. Enter or paste your license key and click Activate.

3. Click Continue.

4. Enter the fields to register Tableau and click Register.

5. Restart Tableau Server after registration is complete.

Activate Tableau Offline

If you are working offline you can follow the steps below to complete offline activation.

1. When the product key manager opens click Activate the product.

Paste your server product key into the corresponding text box and click Activate. You can get your product key from the Tableau Customer Portal.

2. When you are offline, activation will fail and you are given the option to save a file that you can use for offline activation. Click Save.

3. Select a location for the file and click Save. The file is saved as offline.tlq.

4. Back in Tableau click Exit to close the Activation dialog box.

5. From a computer that has Internet access, open a web browser and visit the Product Activations page on the Tableau website. Complete the instructions to submit your offline.tlq file.

After you submit your offline.tlq file online, while your browser is still displaying the Product Activations page, a file called activation.tlf is created, and Tableau prompts you to save the file to your computer.

6. Save the activation.tlf file and move it to the computer where you are installing Tableau Server.

7. On the computer where you are installing Tableau Server, open a command prompt as an administrator and run the following command:

cd "C:\Program Files\Tableau\Tableau Server\10.0\bin"

8. Next, type tabadmin activate --tlf <path>\activation.tlf, where <path> is the location of the response file you saved from the Product Activations page. For example:

tabadmin activate --tlf \Desktop\activation.tlf

Keep the command prompt window open.

9. After the license is initialized, you are prompted to activate the product again. On Tableau Server, click Start > All Programs > Tableau Server 10.0.

10. Right-click Manage Product Keys and select Run as Administrator.

Even if you are logged into the Tableau Server computer as an administrator, you need to do this to avoid a potential registration error.

11. Click Activate the product.

12. Enter your product key again (the same one you entered in step 1).

13. Save the tlq file.

Activations page again on the Tableau website. Complete the instructions.

Tableau will again create a file called activation.tlf and prompt you to save it.

15. Save the file and move it to the computer where you are installing Tableau Server.

16. Back in the command prompt window on Tableau Server, type tabadmin activate --tlf <path>\activation.tlf, where <path> is the location of the second response file you saved from the Product Activations page. For example:

tabadmin activate --tlf \Desktop\activation.tlf

Tableau Server is now activated. If you need additional assistance, contact Tableau Customer Service.

Add Capacity to Tableau Server

You may need to add capacity to your Tableau Server installation to allow you to increase the number of users (if you have a user-based license) or the number of cores (if you have a core-based license).

Tableau Software will provide you with a new product key that adds capacity to your existing Tableau Server installation. You need to activate this key and use it together with your existing product key(s) to get the combined capacity you are licensed for.

Follow the steps below to add a product key to Tableau Server.

Note: This process requires a restart of Tableau Server.

1. Start the Product Key Manager:

In Windows, select Start > All Programs > Tableau Server <version> > Manage Product Keys.

2. Click Activate in the Manage Product Key dialog box:

3. Enter or paste your new product key and click Activate:

4. Restart Tableau Server after registration is complete.

Configure Tableau Server

The Tableau Server Configuration utility opens during a Tableau Server installation. You can set configuration options at this time, as part of the installation, before the server starts. The server is started at the end of the installation process.

You can also run the utility after installing Tableau Server by selecting All Programs > Tableau Server 10.0 > Configure Tableau Server on the Windows Start menu. You need to stop the server before making any configuration changes. See Reconfigure the Server on page 71 for steps.

There are two things to keep in mind about the settings you specify in the Configuration dialog box:

- Settings are system-wide: The settings you enter apply to the entire server. If the server is running multiple sites, these settings affect every site.

- User Authentication is "permanent": The User Authentication setting (on the General tab) can only be set when you are installing Tableau Server for the first time. You can change all of the other settings after installation by stopping the server and rerunning the Configuration utility.

See the topics below for details on the different Configuration tabs:

Configure General Server Options

Use the following sections to help you configure options on the General tab:

- Server Run As User

- User Authentication

- Gateway

- Firewall

- Sample data

Server Run As User

By default, Tableau Server runs under the Network Service account. To use an account that will accommodate NT authentication with data sources, specify a user name and password. The user name should include the domain name. See Run As User on page 9 to learn more about using a specific user account.

User Authentication

Select whether to use Active Directory to authenticate users on the server. Select Use Local Authentication to create users and assign passwords using Tableau Server's built-in user management system. You cannot switch between Active Directory and Local Authentication later.

Tableau Server supports several types of SSO solutions: OpenID, SAML, and Kerberos. It's important to understand how the decision about whether to use Active Directory or local authentication affects SSO:

- OpenID requires local authentication.

- Kerberos requires Active Directory authentication.

- SAML works with either Active Directory or local authentication. However, if you plan to configure Tableau Server for site-specific SAML authentication, you must select local authentication.

If you use Active Directory:

You can optionally Enable automatic logon, which uses Microsoft SSPI to automatically sign in your users based on their Windows username and password. This creates an experience similar to single sign-on (SSO). Do not select Enable automatic logon if you plan to configure Tableau Server for SAML, trusted authentication, or for a proxy server.

Be sure to type the fully qualified domain name (FQDN) and nickname (NetBIOS name).

To determine the FQDN: Select Start > Run then type sysdm.cpl in the Run textbox. In the System Properties dialog box, select the Computer Name tab. The FQDN is shown near the middle of the dialog box. The first time your users sign in, they will need to use the fully qualified domain name (for example, myco.lan\jsmith). On subsequent sign-ins, they can use the nickname (NetBIOS name), for example, myco\jsmith.

Gateway

The default port for web access to Tableau Server (via HTTP) is port 80. If the installation program determines that port 80 is in use when you first install Tableau Server, an alternate port (for example 8000) is used and shown in the Port number box.

You may need to change the port for other networking needs. For example, if you have a hardware firewall or proxy in front of the Tableau Server host, this might make running a back-end system on port 80 undesirable.

Firewall

Select whether to open a port in Windows firewall. If you do not open this port, users on other machines may not be able to access the server.

Date posted: 09/10/2017, 20:27
