Understand on-premises data gateways for Microsoft Flow

Use the on-premises data gateway with Microsoft Flow to establish secure connections to your on-premises data sources such as Microsoft SQL Server. The gateway only opens outbound connections from your network to the cloud service, so you don't have to expose the data source itself to the Internet (see Configure ports later in this topic).

Installation and configuration

Prerequisites

Minimum:

Recommended:

  • 8 core CPU
  • 8 GB memory
  • 64-bit version of Windows Server 2012 R2 (or later)

Related considerations:

  • You can't install a gateway on a domain controller.
  • You shouldn't install a gateway on a computer, such as a laptop, that may be turned off, asleep, or not connected to the Internet.
  • Gateway performance might suffer over a wireless network.
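The following script is an added example, not part of the original page: a pre-install check you can run on a candidate host that reports the recommended sizing (8 cores, 8 GB, 64-bit Windows Server 2012 R2 or later) and flags the three "related considerations" above (domain controller, laptop, wireless). The domain-controller test uses the Win32_ComputerSystem DomainRole values 4 and 5; the laptop and wireless checks are heuristics (a battery and an active 802.11 adapter) and are assumptions on my part, not rules stated by the page.

```powershell
# Added example (not from the original page): pre-install prerequisite check.
# Run in an elevated PowerShell prompt on the machine you intend to host the
# gateway on. Thresholds come from the "Recommended" list above; the laptop and
# wireless checks are heuristics.
function Test-GatewayHostPrerequisites {
    [CmdletBinding()]
    param(
        [int]$MinCores = 8,
        [int]$MinMemoryGB = 8
    )

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor

    $cores    = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $memoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $is64Bit  = $os.OSArchitecture -like '64*'
    # Win32_OperatingSystem.Version is "major.minor.build"; Server 2012 R2 is 6.3.9600.
    $osOk     = [version]$os.Version -ge [version]'6.3.9600'
    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $isDC     = $cs.DomainRole -in @(4, 5)
    # A battery usually means a laptop, which the page warns against (heuristic).
    $hasBattery = $null -ne (Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
    # Any connected wireless adapter (heuristic; MediaType "Native 802.11").
    $wifiUp = @(Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Up' -and $_.MediaType -eq 'Native 802.11' }).Count -gt 0

    [pscustomobject]@{
        Cores              = $cores
        CoresOk            = $cores -ge $MinCores
        MemoryGB           = $memoryGB
        MemoryOk           = $memoryGB -ge $MinMemoryGB
        OsVersion          = $os.Version
        OsOk               = $is64Bit -and $osOk
        IsDomainController = $isDC        # must be $false: unsupported on a DC
        LooksLikeLaptop    = $hasBattery  # should be $false
        WirelessActive     = $wifiUp      # should be $false for reliable throughput
    }
}

$result = Test-GatewayHostPrerequisites
$result | Format-List
if ($result.IsDomainController) {
    Write-Warning 'This machine is a domain controller; the gateway cannot be installed here.'
}
```

The check is read-only. Treat IsDomainController as a hard stop (the installer fails there, as described under Troubleshooting) and the other flags as warnings you can override with a reason.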

Install a gateway

Important

Microsoft SharePoint data gateways now support both HTTP and HTTPS traffic.

  1. Download the installer, and then run it.

  2. On the first screen of the installation wizard, select Next to acknowledge the reminder about installing a gateway on a laptop.

  3. Select the installation location.

  4. Accept the terms of use and the privacy statement.

  5. Select Install.

  6. In the User Account Control dialog boxes, select Yes to continue.

  7. On the On-premises data gateway screen, enter the email address for the account you will use to sign in to the gateway, select Sign in, and then complete the sign-in process.

Register new gateway or take over existing gateway

  1. Select either Register a new gateway on this computer or Migrate, restore, or takeover an existing gateway, and then select Next.

  2. To configure a new gateway, enter a name in the New on-premises data gateway name box, enter a recovery key in the Recovery key box, and enter the same recovery key in the Confirm recovery key box. Select Configure, and then select Close.

  3. Specify a recovery key that contains at least eight characters, and keep it in a safe place. You'll need this key if you want to migrate, restore, or take over the gateway. Because the gateway name and recovery key are all that's needed to take the gateway over on another machine, treat the key as a secret: use a long random value rather than the eight-character minimum, store it in a password manager or vault, and don't leave it in install scripts or shared documents.

  4. To migrate, restore, or take over an existing gateway, provide the name of the gateway and its recovery key, select Configure, and then follow any additional prompts.

Restart the gateway

The gateway runs as a Windows service and, as with any other Windows service, you can start and stop it in multiple ways. For example, you can open a command prompt with elevated permissions on the machine where the gateway is running, and then run either of these commands:

  • To stop the service, run this command:
    net stop PBIEgwService
  • To start the service, run this command:
    net start PBIEgwService
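As an added example (my code, not from the original page), the same restart done from PowerShell, with a wait for the service to reach each state and a check that it came back under the logon account the Windows Service account section below describes (NT SERVICE\PBIEgwService). Only the service name PBIEgwService and the expected logon account come from the page; the timeout is an arbitrary choice.

```powershell
# Added example (not from the original page): restart the gateway service and
# verify it is running under the expected service identity. Run from an
# elevated PowerShell prompt on the gateway host.
function Restart-GatewayService {
    [CmdletBinding()]
    param(
        [string]$Name = 'PBIEgwService',
        [string]$ExpectedLogon = 'NT SERVICE\PBIEgwService',
        [int]$TimeoutSeconds = 60   # assumption; long enough for a normal stop/start
    )

    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }
    Start-Service -Name $Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))

    # Win32_Service exposes the logon account (StartName) shown in the Services MMC.
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $logonOk = $wmi.StartName -eq $ExpectedLogon
    if (-not $logonOk) {
        Write-Warning "Service runs as '$($wmi.StartName)', expected '$ExpectedLogon'."
    }

    [pscustomobject]@{
        Name            = $wmi.Name
        DisplayName     = $wmi.DisplayName
        State           = $wmi.State
        StartMode       = $wmi.StartMode
        LogonAs         = $wmi.StartName
        LogonAsExpected = $logonOk
    }
}

Restart-GatewayService | Format-List
```

If LogonAsExpected is False, someone has changed the service identity; a gateway running as a domain user or local administrator has far more reach on the host than the service SID it ships with, so treat that as a finding rather than a convenience.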

Configure a firewall or proxy

For information about how to provide proxy information for your gateway, see Configure proxy settings.

You can verify whether your firewall or proxy may be blocking connections by running the following command from a PowerShell prompt. This command tests connectivity to Azure Service Bus. It only tests network connectivity and doesn't affect the cloud service or the gateway; it helps to determine whether your machine has connectivity to the Internet.

Test-NetConnection -ComputerName watchdog.servicebus.windows.net -Port 9350

The results should look like the output below. If TcpTestSucceeded is not True, you may be blocked by a firewall. PingSucceeded is False in the sample because ICMP is commonly filtered; that doesn't matter for the gateway, which only needs the TCP test to pass.

ComputerName           : watchdog.servicebus.windows.net
RemoteAddress          : 70.37.104.240
RemotePort             : 9350
InterfaceAlias         : vEthernet (Broadcom NetXtreme Gigabit Ethernet - Virtual Switch)
SourceAddress          : 10.120.60.105
PingSucceeded          : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : True

If you want to be exhaustive, substitute the ComputerName and Port values with those listed under Configure ports later in this topic.

The firewall may also be blocking the connections that Azure Service Bus makes to the Azure data centers. If that's the case, you'll want to allow (unblock) all of the IP addresses for those data centers in your region.

Configure ports

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports TCP 443 (default), 5671, 5672, and 9350 through 9354. The gateway doesn't require inbound ports.

Learn more about hybrid solutions.

Domain names                   Outbound ports    Description
*.analysis.windows.net         443               HTTPS
*.login.windows.net            443               HTTPS
*.servicebus.windows.net       5671-5672         Advanced Message Queuing Protocol (AMQP)
*.servicebus.windows.net       443, 9350-9354    Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition)
*.frontend.clouddatahub.net    443               HTTPS
*.core.windows.net             443               HTTPS
login.microsoftonline.com      443               HTTPS
*.msftncsi.com                 443               Used to test internet connectivity if the gateway is unreachable.

If you need to allow-list IP addresses instead of the domains, you can download and use the Microsoft Azure Datacenter IP ranges list. In some cases, the Azure Service Bus connections will be made with IP addresses instead of the fully qualified domain names.
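The "be exhaustive" step above, written out as an added example (my code, not from the original page): it runs the same Test-NetConnection check against every port the gateway needs on the Service Bus host the page tests, plus login.microsoftonline.com, and summarises what is blocked. The wildcard rows in the table (*.analysis.windows.net, *.core.windows.net, *.frontend.clouddatahub.net, *.msftncsi.com) need a concrete hostname, which you can read from the gateway logs, so they're left out of the default list; login.windows.net is my assumed concrete host for the *.login.windows.net row.

```powershell
# Added example (not from the original page): test every host/port pair the
# gateway needs in one pass. Only watchdog.servicebus.windows.net and
# login.microsoftonline.com appear literally on the page; login.windows.net
# is an assumed concrete host for the *.login.windows.net wildcard.
function Test-GatewayEndpoints {
    [CmdletBinding()]
    param(
        [hashtable[]]$Endpoints = @(
            @{ Host = 'watchdog.servicebus.windows.net'; Ports = @(443, 5671, 5672) + (9350..9354) },
            @{ Host = 'login.microsoftonline.com';       Ports = @(443) },
            @{ Host = 'login.windows.net';               Ports = @(443) }   # assumption
        )
    )

    foreach ($ep in $Endpoints) {
        foreach ($port in $ep.Ports) {
            # -WarningAction hides the "Ping failed" warning: ICMP is commonly
            # blocked and the gateway never needs it. TcpTestSucceeded is what counts.
            $r = Test-NetConnection -ComputerName $ep.Host -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host          = $ep.Host
                Port          = $port
                RemoteAddress = $r.RemoteAddress
                TcpOpen       = $r.TcpTestSucceeded
            }
        }
    }
}

$results = Test-GatewayEndpoints
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ('Blocked (check firewall/proxy rules): ' +
        (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
```

One caveat: Test-NetConnection makes a direct TCP connection and does not use the proxy you configure for the gateway under Configure proxy settings. In a proxy-only network the 443 entries can show as blocked here even though the gateway works through the proxy, while the AMQP and relay ports (5671-5672, 9350-9354) genuinely need a direct or firewall-permitted path.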

Sign-in account

Users will sign in with either a work or school account. This is your organization account. If you signed up for an Office 365 offering and didn't supply your work email, it may look like nancy@contoso.onmicrosoft.com. Your account, within a cloud service, is stored within a tenant in Azure Active Directory (AAD). In most cases, your AAD account's UPN will match the email address.

Windows Service account

The on-premises data gateway is configured to use NT SERVICE\PBIEgwService for the Windows service logon credentials. By default, it has the Log on as a service right. This is in the context of the machine on which you're installing the gateway.

This isn't the account used to connect to on-premises data sources, nor the work or school account with which you sign in to cloud services.

Tenant level administration

There is currently no single place where tenant administrators can manage all the gateways that other users have installed and configured. If you're a tenant administrator, we recommend that you ask the users in your organization to add you as an administrator to every gateway they install. This allows you to manage all the gateways in your organization through the Gateway Settings page or through PowerShell commands.

Frequently asked questions

General questions

Question: What data sources does the gateway support? Answer:

  • SQL Server
  • SharePoint
  • Oracle
  • Informix
  • Filesystem
  • DB2

Question: Do I need a gateway for data sources in the cloud, such as SQL Azure? Answer: No. A gateway connects to on-premises data sources only.

Question: What is the actual Windows service called? Answer: In Services, the gateway is called Power BI Enterprise Gateway Service.

Question: Are there any inbound connections to the gateway from the cloud? Answer: No. The gateway uses outbound connections to Azure Service Bus.

Question: What if I block outbound connections? What do I need to open? Answer: See the ports and hosts that the gateway uses, listed under Configure ports earlier in this topic.

Question: Does the gateway have to be installed on the same machine as the data source? Answer: No. The gateway connects to the data source using the connection information that was provided. Think of the gateway as a client application in this sense. It just needs to be able to connect to the server name that was provided.

Question: What is the latency for running queries to a data source from the gateway? What is the best architecture? Answer: To reduce network latency, install the gateway as close to the data source as possible. If you can install the gateway on the data source machine itself, that minimizes the latency introduced. Consider the data centers as well. For example, if your service is using the West US data center and you have SQL Server hosted in an Azure VM, you'll want to have the Azure VM in West US as well. This minimizes latency and avoids egress charges on the Azure VM.

Question: Are there any requirements for network bandwidth? Answer: It is recommended to have good throughput for your network connection. Every environment is different, and the amount of data being sent will affect the results. Using ExpressRoute could help guarantee a level of throughput between on-premises and the Azure data centers.

You can use the third-party Azure Speed Test app to determine your throughput.

Question: Can the gateway Windows service run with an Azure Active Directory account? Answer: No. The Windows service must have a valid Windows account. By default, it runs with the service SID NT SERVICE\PBIEgwService.

Question: How are results sent to the cloud? Answer: Results are sent using Azure Service Bus. For more information, see How the gateway works later in this topic.

Question: Where are my credentials stored? Answer: The credentials that you enter for a data source are encrypted and stored in the gateway cloud service. The credentials are decrypted at the gateway on-premises. That makes the gateway host the place where those credentials are usable in the clear, so protect it as you would any system holding data-source credentials: restrict local administrator access, keep it patched, and don't share it with unrelated workloads.

High availability/disaster recovery

Question: Are there any plans for enabling high availability scenarios with the gateway? Answer: Yes, high availability is now available.

Question: What options are available for disaster recovery? Answer: You can use the recovery key to restore or move a gateway.

Question: What is the benefit of the recovery key? Answer: It provides a way to migrate or recover your gateway settings.

Troubleshooting questions

Question: Where are the gateway logs? Answer: See Tools later in this topic.

Question: How can I see what queries are being sent to the on-premises data source? Answer: You can enable query tracing, which will include the queries being sent. Remember to change it back to the original value when you're done troubleshooting. Leaving query tracing enabled will cause the logs to be larger, and the logs then contain query text, which may itself be sensitive.

You can also look at the tools that your data source has for tracing queries. For example, you can use Extended Events or SQL Profiler for SQL Server and Analysis Services.

How the gateway works

When a user interacts with an element that's connected to an on-premises data source:

  1. The cloud service creates a query, along with the encrypted credentials for the data source, and sends the query to the queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to Azure Service Bus.
  3. The on-premises data gateway polls Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data source(s) with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source back to the gateway and then on to the cloud service. The service then uses the results.

Because step 3 is a poll initiated from inside your network, no inbound port has to be opened for the gateway; this is why the Configure ports section lists outbound ports only.

Troubleshooting

Update to the latest version

Many issues can surface when the gateway version is out of date. Ensure you're on the latest version. If you haven't updated the gateway recently, consider installing the latest version and see if you can reproduce the issue.

Error: Failed to add user to group. (-2147463168 PBIEgwService Performance Log Users)

You may receive this error if you're trying to install the gateway on a domain controller, which isn't supported. You'll need to install the gateway on a machine that isn't a domain controller.

Tools

Collecting logs from the gateway configurator

You can collect several logs for the gateway. Always start with the logs!

  1. Installer logs

    %localappdata%\Temp\On-premises_data_gateway_*.log

  2. Configuration logs

    %localappdata%\Microsoft\on-premises data gateway\GatewayConfigurator*.log

  3. Enterprise gateway service logs

    C:\Users\PBIEgwService\AppData\Local\Microsoft\on-premises data gateway\Gateway*.log

  4. Event logs

The On-premises data gateway service event logs are present under Applications and Services Logs.
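As an added example (my code, not the page's or the product's own tooling), a script that gathers the four log sources listed above into one timestamped zip for a support case. The three file paths are the ones from the list; the event log name 'On-premises data gateway service' is my assumption from the log the page describes under Applications and Services Logs. It needs an elevated prompt, because the service log lives under the PBIEgwService profile, and Windows PowerShell 5.0 or later for Compress-Archive.

```powershell
# Added example (not from the original page): collect gateway logs into a zip.
# Paths come from the list above; the event log name is an assumption.
function Export-GatewayLogs {
    [CmdletBinding()]
    param(
        [string]$OutputDirectory = (Join-Path $env:USERPROFILE 'Desktop'),
        [string]$EventLogName = 'On-premises data gateway service',   # assumption
        [int]$MaxEvents = 500
    )

    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $staging = Join-Path $env:TEMP "gateway-logs-$stamp"
    New-Item -ItemType Directory -Path $staging | Out-Null

    # The three file-based log locations from the page (wildcards included).
    $sources = @(
        @{ Name = 'installer';    Path = Join-Path $env:LOCALAPPDATA 'Temp\On-premises_data_gateway_*.log' },
        @{ Name = 'configurator'; Path = Join-Path $env:LOCALAPPDATA 'Microsoft\on-premises data gateway\GatewayConfigurator*.log' },
        @{ Name = 'service';      Path = 'C:\Users\PBIEgwService\AppData\Local\Microsoft\on-premises data gateway\Gateway*.log' }
    )

    $collected = @()
    foreach ($src in $sources) {
        $dest = Join-Path $staging $src.Name
        New-Item -ItemType Directory -Path $dest | Out-Null
        $files = @(Get-ChildItem -Path $src.Path -ErrorAction SilentlyContinue)
        $files | Copy-Item -Destination $dest
        $collected += [pscustomobject]@{ Source = $src.Name; Items = $files.Count }
    }

    # Event log entries exported as CSV so they can be read off the machine.
    $events = @(Get-WinEvent -LogName $EventLogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    if ($events.Count -gt 0) {
        $events | Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Export-Csv -Path (Join-Path $staging 'eventlog.csv') -NoTypeInformation
    }
    $collected += [pscustomobject]@{ Source = 'eventlog'; Items = $events.Count }

    $zip = Join-Path $OutputDirectory "gateway-logs-$stamp.zip"
    Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zip
    Remove-Item -Recurse -Force $staging

    [pscustomobject]@{ Archive = $zip; Summary = $collected }
}

Export-GatewayLogs | Format-List
```

Review the archive before sending it anywhere: the service logs name your data sources and, with query tracing enabled, include the query text itself.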

Fiddler Trace

Fiddler is a free tool from Telerik that monitors HTTP traffic. You can see the back and forth with the Power BI service from the client machine. This may show errors and other related information. Keep in mind that to show HTTPS content Fiddler installs its own root certificate on the machine and decrypts the traffic in the middle; only enable that on the gateway host while you're actively troubleshooting, and remove the Fiddler root certificate from the trusted store when you're done.