Before you install

Dash Enterprise is a powerful data visualization platform designed to run on its own server or virtual machine. To support your needs, we offer different methods of installing the software, but the below requirements apply to all methods.

Open ports

The following open ports are required:

  • Port 443 (HTTPS): Required for creating, viewing, or administering Dash Apps.

  • Port 8800 (Server Manager UI, via HTTPS): Required for administrators to install, upgrade, and configure Dash Enterprise. You may restrict access to this port to administrators only.

The following ports are optional but recommended:

  • Port 80 (HTTP): All Dash Enterprise requests are made over HTTPS, so this port is not strictly required for full functionality. However, opening this port will allow Dash Enterprise to automatically redirect HTTP requests to use HTTPS; without this port, HTTP requests will simply fail.

  • Port 3022 (Dash app deployment via SSH): To support app deployment over SSH, Dash Deployment Server requires a port for SSH connections (default port 3022, configurable in Server Manager Settings). If you do not open a port for Dash app deployment via SSH, you will still be able to deploy Dash apps using HTTPS.

    • We do not recommend changing this to port 22, since you would need to disable SSH on the server.

Domain name requirements

Dash Enterprise needs one domain name and a corresponding DNS entry:

  • Dash Enterprise Domain Name: Required to use Dash Enterprise; users will visit this address to use Dash Enterprise (example: dash.your-domain.com)

The DNS entries can be either CNAME or A records, but all must be fully qualified domain names. If using Dash Enterprise Single Server, the DNS entries for these domains should point to the single server’s IP address. If using a load balancer (see Load balancer configuration) or installing Dash Enterprise Kubernetes, the DNS entries should point to the load balancer IP.

Note - Domain names cannot contain "v2" in their name. This is a bug that will be resolved in a future release. For example, dash-dev2.acme.com would not be allowed.

To use Dash Enterprise while waiting for domain names to be assigned or DNS entries to be added, the following work-arounds are available:

1 - Use Plotly-hosted DNS service: We can add DNS entries for you as a subdomain of our DNS zone (plotly.host)

1.1 - First, ensure your server can reach plotly.host by testing as follows:

1.1.1 - In a web browser on the server, visit https://yes.plotly.host/ (you should see a page with the Plotly logo and the message: Yes, plotly.host works); or

1.1.2 - In a terminal, run the following command on the server you plan on using for Dash Enterprise (Again, you should see: Yes, plotly.host works):

curl https://yes.plotly.host

1.2 - Then, contact our On-Premise Support Team with your server’s IP address (either public or private) and the domain name you would like

1.2.1 - Please allow up to 24 hours for DNS changes to become effective

2 - Use local hostname: You can enter the server’s existing hostname as the Base Domain Name in the Server Manager Settings (if it is a fully qualified domain name)

  • To find out the server’s hostname, open a console and run hostname -f

3 - Use your network’s hosts file: For testing purposes, you can create the DNS mappings yourself and add them to your server’s hosts file (see Testing without adding entries to your DNS server)

TLS/SSL certificates

All access to Dash Enterprise is over HTTPS web connections secured using TLS/SSL, and Dash Enterprise will redirect all HTTP requests to HTTPS if the appropriate ports are opened. If necessary, Dash Enterprise will also generate its own self-signed certificates; however, using self-signed certificates will require your users to suppress security warnings in their web browsers and other software. To avoid this, we recommend obtaining TLS/SSL certificates issued by a certificate authority (CA).

If you are using a load balancer, it can be used to perform TLS/SSL termination. In this case, adding certificates is not required (see Load balancer configuration for more information).

Each domain name you configure requires its own certificate. There are two ways to achieve this:

1 - Multiple certificates: you can provide a certificate for each of these domain names (up to 3, depending on the features you enable); or

2 - Wildcard certificate: a single certificate for *.your-domain.com can cover all these domains, as long as they are only one level deep:

  • Any domain name of the form subdomain.your-domain.com will be covered (for example, plotly.your-domain.com, dash.your-domain.com)

  • Additional levels of subdomains will not be covered (for example, dash.yourdepartment.your-domain.com, plotly.test.your-domain.com)

A note on self-signed certificates

Both self-signed and certificates issued by certificate authorities (CAs) allow for secure encryption of the information sent to your Dash Enterprise server. The difference is that, when establishing an HTTPS connection, your web browser will check whether the connection is signed by a recognized CA and will raise a warning if the connection is untrusted (as when secured by a self-signed certificate).

In general, it is not a good idea to become accustomed to suppressing security warnings, since this increases the risk of falling prey to an unauthorized website’s impersonation attempt. However, if you are certain the certificate being offered belongs to your Dash Enterprise instance, you can ignore the warning. The safest way of ensuring that the self-signed certificate belongs to your Dash Enterprise instance is to distribute the certificate (.crt file) via a trusted connection to all intended users of the site.

Docker requirements for running Dash Enterprise

Dash Enterprise requires a sufficiently recent version of Docker for smooth operation. Please see Docker storage driver requirements and considerations for more information.

External service information

LDAP and SAML authentication

Dash Enterprise supports authentication using your company’s existing LDAP or SAML authentication system, as well as self-service or administrator-managed account creation modes. You can switch between authentication modes at will. Detailed instructions for authentication configuration are available in Configure basic settings.

When using LDAP, Dash Enterprise supports restricting login to a specified set of groups and sharing files with specified groups.

To use SAML, your SAML identity provider must add Dash Enterprise as a trusted service provider or relying party. Dash Enterprise supports restricting licensed user status to members of groups specified on the SAMP IdP, and any individual SAML user can be added as a Dash app collaborator after logging into Dash Enterprise once, which initializes their user account.