Azure Application Gateway and Tableau Server

This post describes how to put an Azure Application Gateway (a layer 7 load balancer/reverse proxy) in front of a multi-node Tableau Server installation while still allowing a web application to generate Trusted Authentication tokens. I wrote it so that some documentation exists to help others work out what is wrong when the setup does not initially work, and how to fix it.

Most of the time we IT folk tend to configure things until they start working, and then move on to the next problem. From a security perspective this can be dangerous. Tableau Server Trusted Authentication via an Azure Application Gateway can end up in an insecure configuration in which anyone who can reach the Application Gateway is able to generate authentication tokens; depending on how your networking is configured, that could be the entire Internet. It comes about like this:

  1. Add the web application IP address(es) to Tableau Server. (tsm authentication trusted configure -th "10.0.0.253"; tsm pending-changes apply)
  2. Configure the web application to reach Tableau Server through the Application Gateway, so that it requests its trusted tickets over that path.
  3. Realize that this configuration fails to generate tokens.
  4. Begin looking in the Tableau Server logs.
    • In a PowerShell window on one of the Windows Tableau Servers, navigate to C:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver (directory may vary depending on installation location)
    • Run the following command: Select-String -Pattern 'TrustedTicketServiceImpl - Invalid request host' vizqlserver_node*
  5. The log output identifies the IPs of hosts that have attempted to generate tokens; the Application Gateway's IP(s) will be among them. (The Azure Portal shows the gateway's frontend private IP address; any IPs from that subnet are the backend IPs of that Application Gateway.)
  6. Add the Application Gateway IPs to Tableau Server. (tsm authentication trusted configure -th "10.0.0.253", "10.1.0.4", "10.1.0.7"; tsm pending-changes apply)
  7. Get pwned: now anyone connecting through the Application Gateway who can guess a user name and site name can send an HTTP POST to Tableau Server, obtain a token, and read the embedded web reports.

Once I realized there was a security problem, I dug into the HTTP headers that the Azure Application Gateway is supposed to set when proxying HTTP traffic. It turns out that the Application Gateway does set X-Forwarded-For, but it presents IP:port while Tableau Server expects just the IP. After I figured out how to rewrite the header on the Application Gateway, everything worked securely.

For the benefit of others, below are the Tableau Server settings that deal with this combination of trusted authentication and a reverse proxy:

tsm authentication trusted configure -th "10.0.0.253"

tsm configuration set -k gateway.trusted -v "10.1.0.4, 10.1.0.7"
tsm configuration set -k gateway.trusted_hosts -v "tableau.example.com, tableau.example.net"
tsm configuration set -k gateway.public.host -v "tableau.example.com"
tsm configuration set -k gateway.public.port -v "443"

tsm pending-changes list
tsm pending-changes apply
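As an added illustration (not code from the original post or from Tableau), the model below runs the post's three states, the failing step 2 configuration, the insecure step 6 configuration, and the settings above with X-Forwarded-For rewritten to a bare IP, through a simplified trusted-host check. The check is an assumption about how such a decision behaves behind a proxy, not Tableau Server's implementation, and 203.0.113.9 is a constructed client address.

```python
# Simplified model of a trusted-ticket host check behind a reverse proxy.
# Assumption: this is NOT Tableau Server's code, only the shape of the decision
# the post describes. 10.0.0.253 / 10.1.0.x come from the post; 203.0.113.9 is constructed.

def strip_port(xff_entry: str) -> str:
    """Reduce an 'IPv4:port' X-Forwarded-For entry to the bare address.
    This is the rewrite the Application Gateway has to perform for the check to match."""
    host, sep, port = xff_entry.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return xff_entry  # already a bare IPv4 address (or something we leave alone)

def originating_client(peer_ip: str, xff: str, trusted_gateways: set) -> str:
    """Decide which address counts as the requester.
    Only a declared gateway (gateway.trusted) may speak for someone else through
    X-Forwarded-For; any other TCP peer is taken at face value."""
    if peer_ip in trusted_gateways and xff:
        return xff.split(",")[0].strip()  # leftmost entry is the original client
    return peer_ip

def ticket_request_allowed(peer_ip: str, xff: str, trusted_hosts: set, trusted_gateways: set):
    """Return (allowed, client) for a trusted-ticket POST arriving from peer_ip with header xff.
    The resolved client must be one of the hosts passed to 'trusted configure -th'."""
    client = originating_client(peer_ip, xff, trusted_gateways)
    return client in trusted_hosts, client

GATEWAY = "10.1.0.4"        # one Application Gateway backend IP from the post
GATEWAY2 = "10.1.0.7"
WEB_APP = "10.0.0.253"      # the web application allowed to mint tickets
INTERNET = "203.0.113.9"    # constructed: an arbitrary client reaching the gateway

if __name__ == "__main__":
    # Step 2: gateway unknown to Tableau -> "Invalid request host 10.1.0.4"
    print(ticket_request_allowed(GATEWAY, f"{WEB_APP}:51234", {WEB_APP}, set()))
    # Step 6: gateway IPs added to -th -> anyone behind the gateway is accepted
    print(ticket_request_allowed(GATEWAY, f"{INTERNET}:51234", {WEB_APP, GATEWAY, GATEWAY2}, set()))
    # gateway.trusted set, but the raw IP:port header still fails the match
    print(ticket_request_allowed(GATEWAY, f"{WEB_APP}:51234", {WEB_APP}, {GATEWAY, GATEWAY2}))
    # header rewritten to a bare IP: web app accepted, Internet client rejected
    print(ticket_request_allowed(GATEWAY, strip_port(f"{WEB_APP}:51234"), {WEB_APP}, {GATEWAY, GATEWAY2}))
    print(ticket_request_allowed(GATEWAY, strip_port(f"{INTERNET}:51234"), {WEB_APP}, {GATEWAY, GATEWAY2}))
```

The second case is the one that matters: once the gateway address itself is a trusted host, the header is never consulted, so the gateway's identity stands in for every client it forwards.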

Tableau has a large body of documentation for its software. What is missing is an up-to-date knowledge article on the specifics of the Azure Application Gateway. Hopefully this post will keep someone else from damaging their forehead on their keyboard.