On-premises data gateway in-depth

Users in your organization can access on-premises data (to which they already have access authorization), but before those users can connect to your on-premises data source, an on-premises data gateway needs to be installed and configured. The gateway facilitates quick and secure behind-the-scenes communication from a user in the cloud to your on-premises data source and back to the cloud.

Installing and configuring a gateway is usually done by an administrator. It may require special knowledge of your on-premises servers and in some cases may require Server Administrator permissions.

This article doesn't provide step-by-step guidance on how to install and configure the gateway. For that, be sure to see On-premises data gateway. This article is meant to provide you with an in-depth understanding of how the gateway works. We'll also go into some detail about usernames and security in both Azure Active Directory and Analysis Services, and how the cloud service uses the e-mail address a user signs in with, the gateway, and Active Directory to securely connect to and query your on-premises data.

How the gateway works

[Figure: on-premises data gateway, how it works]

Let's first look at what happens when a user interacts with an element connected to an on-premises data source.

Note

For Power BI, you will need to configure a data source for the gateway.

  1. A query is created by the cloud service, along with the encrypted credentials for the on-premises data source, and sent to the queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials and connects to the data source(s) with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source back to the gateway, and then on to the cloud service. The service then uses the results.

List of available data source types

Data source                          Live/DirectQuery   User configured manual or scheduled refresh
-----------------------------------  -----------------  -------------------------------------------
Analysis Services Tabular            Yes                Yes
Analysis Services Multidimensional   Yes                Yes
File                                 No                 Yes
Folder                               No                 Yes
IBM DB2                              No                 Yes
IBM Informix Database                No                 Yes
Impala                               Yes                Yes
MySQL                                No                 Yes
OData                                No                 Yes
ODBC                                 No                 Yes
Oledb                                No                 Yes
Oracle                               Yes                Yes
PostgreSQL                           No                 Yes
SAP BW                               Yes                Yes
SAP HANA                             Yes                Yes
SharePoint list (on-premises)        No                 Yes
Snowflake                            Yes                Yes
SQL Server                           Yes                Yes
Sybase                               No                 Yes
Teradata                             Yes                Yes
Web                                  No                 Yes

Sign in account

Users will sign in with either a work or school account. This is your organization account. If you signed up for an Office 365 offering and didn't supply your actual work email, it may look like nancy@contoso.onmicrosoft.com. Your account, within a cloud service, is stored within a tenant in Azure Active Directory (AAD). In most cases, your AAD account's UPN will match the email address.

Authentication to on-premises data sources

A stored credential is used to connect from the gateway to on-premises data sources, with the exception of Analysis Services. Regardless of the individual user, the gateway uses the stored credential to connect.

Authentication to a live Analysis Services data source

Each time a user interacts with Analysis Services, the effective username is passed to the gateway and then on to your on-premises Analysis Services server. The user principal name (UPN), typically the email address you sign in to the cloud with, is what we pass to Analysis Services as the effective user. The UPN is passed in the connection property EffectiveUserName. This email address should match a UPN defined within the local Active Directory domain. The UPN is a property of an Active Directory account. That Windows account then needs to be present in an Analysis Services role to have access to the server. The login will not succeed if no match is found in Active Directory.

Analysis Services can also provide filtering based on this account. The filtering can occur with either role-based security or row-level security.

Role-based security

Models provide security based on user roles. Roles are defined for a particular model project during authoring in SQL Server Data Tools – Business Intelligence (SSDT-BI), or after a model is deployed, by using SQL Server Management Studio (SSMS). Roles contain members by Windows username or by Windows group. Roles define the permissions a user has to query or perform actions on the model. Most users will belong to a role with Read permissions. Other roles are meant for administrators with permissions to process items, manage database functions, and manage other roles.

Row-level security

Row-level security here refers specifically to Analysis Services row-level security. Models can provide dynamic row-level security. Unlike role membership, where a user must belong to at least one role, dynamic security is not required for any tabular model. At a high level, dynamic security defines a user's read access to data right down to a particular row in a particular table. Like roles, dynamic row-level security relies on a user's Windows username.

A user's ability to query and view model data is determined first by the roles their Windows user account is a member of and second by dynamic row-level security, if configured.

Implementing roles and dynamic row-level security in models is beyond the scope of this article. You can learn more at Roles (SSAS Tabular) and Security Roles (Analysis Services - Multidimensional Data) on MSDN. And, for the most in-depth understanding of tabular model security, download and read the Securing the Tabular BI Semantic Model whitepaper.

What about Azure Active Directory?

Microsoft cloud services use Azure Active Directory to take care of authenticating users. Azure Active Directory is the tenant that contains usernames and security groups. Typically, the email address a user signs in with is the same as the UPN of the account.

What is my local Active Directory's role?

For Analysis Services to determine whether a user connecting to it belongs to a role with permissions to read data, the server needs to convert the effective username that was passed from AAD to the gateway and on to the Analysis Services server. The Analysis Services server passes the effective username to a Windows Active Directory domain controller (DC). The Active Directory DC then validates that the effective username is a valid UPN on a local account, and returns that user's Windows username to the Analysis Services server.

EffectiveUserName cannot be used on a non-domain-joined Analysis Services server. The Analysis Services server must be joined to a domain to avoid login errors.

How do I tell what my UPN is?

You may not know what your UPN is, and you may not be a domain administrator. You can use the following command from your workstation to find out the UPN for your account.

whoami /upn

The result will look similar to an email address, but this is the UPN that is on your local domain account. If you are using an Analysis Services data source for live connections, this must match what was passed to EffectiveUserName from the gateway.

Mapping usernames for Analysis Services data sources

Power BI allows for mapping usernames for Analysis Services data sources. You can configure rules to map the username a user logs in to Power BI with to the name that is passed for EffectiveUserName on the Analysis Services connection. The map user names feature is a good way to work around cases where your username in AAD doesn't match a UPN in your local Active Directory. For example, if your email address is nancy@contoso.onmicrosoft.com, you could map it to nancy@contoso.com, and that value would be passed to the gateway. You can learn more about how to map user names.
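The following PowerShell is an added example, not code from the article or from the gateway itself: it applies a "map user names" style replace rule to a cloud sign-in name and then checks that the resulting EffectiveUserName exists as a UPN in the local Active Directory, which is the lookup the domain controller performs for Analysis Services. It assumes the ActiveDirectory module (RSAT) is available on a domain-joined machine; the mapping rule and the sample sign-in name are constructed for this example.

```powershell
# Mapping rules in the shape the gateway UI uses: "original name" is replaced by "new name".
# Constructed sample rule; adjust to your tenant.
$MapRules = @(
    @{ Original = '@contoso.onmicrosoft.com'; ReplaceWith = '@contoso.com' }
)

function Get-EffectiveUserName {
    param(
        [Parameter(Mandatory)] [string] $CloudUserName,   # UPN the user signed in to Power BI with
        [array] $Rules = $MapRules
    )
    $name = $CloudUserName
    foreach ($rule in $Rules) {
        # String.Replace is an ordinal, case-sensitive substring replace.
        $name = $name.Replace($rule.Original, $rule.ReplaceWith)
    }
    return $name   # this is the value that would be sent as EffectiveUserName
}

function Test-EffectiveUserNameInAD {
    param([Parameter(Mandatory)] [string] $EffectiveUserName)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Escape single quotes so the value cannot break out of the LDAP filter string.
    $safe = $EffectiveUserName.Replace("'", "''")
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$safe'"
    if ($null -eq $user) {
        Write-Warning "No AD account has UPN '$EffectiveUserName'; the Analysis Services login would fail."
        return $false
    }
    # This is the Windows account that must be a member of an Analysis Services role.
    Write-Host "UPN '$EffectiveUserName' resolves to Windows account $($user.SamAccountName)"
    return $true
}

# Usage (constructed sign-in name): nancy@contoso.onmicrosoft.com -> nancy@contoso.com
$effective = Get-EffectiveUserName -CloudUserName 'nancy@contoso.onmicrosoft.com'
Test-EffectiveUserNameInAD -EffectiveUserName $effective
```

When run on the user's own workstation, the value returned by Get-EffectiveUserName should equal the output of whoami /upn for that user.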

Synchronize an on-premises Active Directory with Azure Active Directory

If you are going to use Analysis Services live connections, your local Active Directory accounts need to match Azure Active Directory, because the UPN has to match between the accounts.

The cloud services only know about accounts within Azure Active Directory. It doesn't matter whether you added an account in your local Active Directory: if it doesn't exist in AAD, it cannot be used. There are different ways that you can match your local Active Directory accounts with Azure Active Directory.

  1. You can add accounts manually to Azure Active Directory.

    You can create an account on the Azure portal, or within the Office 365 Admin Portal, with an account name that matches the UPN of the local Active Directory account.

  2. You can use the Azure AD Connect tool to synchronize local accounts to your Azure Active Directory tenant.

    The Azure AD Connect tool provides options for directory and password synchronization. If you are not a tenant admin or a local domain administrator, you will need to contact your IT admin to get this configured.

  3. You can configure Active Directory Federation Services (ADFS).

    You can associate your ADFS server with your AAD tenant using the Azure AD Connect tool. ADFS makes use of the directory synchronization discussed above but allows for a single sign-on (SSO) experience. For example, if you are within your work network, when you go to a cloud service and sign in, you may not be prompted to enter a username or password. You will need to discuss with your IT Admin whether this is available for your organization.

Using Azure AD Connect ensures that the UPN will match between AAD and your local Active Directory.

Note

Synchronizing accounts with the Azure AD Connect tool will create new accounts within your AAD tenant.

Now, this is where the gateway comes in

The gateway acts as a bridge between the cloud and your on-premises server. Data transfer between the cloud and the gateway is secured through Azure Service Bus. The Service Bus creates a secure channel between the cloud and your on-premises server through an outbound connection from the gateway. There are no inbound connections that you need to open on your on-premises firewall.

If you have an Analysis Services data source, you'll need to install the gateway on a computer joined to the same forest/domain as your Analysis Services server.

The closer the gateway is to the server, the faster the connection will be. If you can install the gateway on the same server as the data source, that is best, since it avoids network latency between the gateway and the server.

What to do next?

After you get the gateway installed, you will want to create data sources for that gateway. You can add data sources within the Manage gateways screen. For more information, see the manage data sources articles.

Manage your data source - Analysis Services
Manage your data source - SAP HANA
Manage your data source - SQL Server
Manage your data source - Oracle
Manage your data source - Import/Scheduled refresh

Where things can go wrong

Sometimes installing the gateway fails. Or maybe the gateway seems to install OK, but the service is still unable to work with it. In many cases it's something simple, like the password for the credentials the gateway uses to sign in to the data source.

In other cases, there might be issues with the type of e-mail address users sign in with, or with Analysis Services' inability to resolve an effective username. If you have multiple domains with trusts between them, and your gateway is in one and Analysis Services in another, this can sometimes cause problems.

Rather than go into troubleshooting gateway issues here, we've put a series of troubleshooting steps into another article: Troubleshooting the on-premises data gateway. Hopefully, you won't have any problems. But if you do, understanding how all of this works and the troubleshooting article should help.

Windows Service account

The on-premises data gateway is configured to use NT SERVICE\PBIEgwService as the Windows service logon credential. By default, it has the Log on as a service right. This is in the context of the machine that you are installing the gateway on.

Note

If you selected personal mode, you configure the Windows service account separately.

This is not the account used to connect to on-premises data sources. It is also not the work or school account that you sign in to cloud services with.

If you encounter issues with your proxy server due to authentication, you may want to change the Windows service account to a domain user or managed service account. You can learn how to change the account in proxy configuration.

Ports

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports: TCP 443 (default), 5671, 5672, and 9350 through 9354. The gateway does not require inbound ports. Learn more

It is recommended that you whitelist the IP addresses for your data region in your firewall. You can download the Microsoft Azure Datacenter IP list. This list is updated weekly. The gateway will communicate with Azure Service Bus using the IP address along with the fully qualified domain name (FQDN). If you are forcing the gateway to communicate using HTTPS, it will strictly use the FQDN only, and no communication will happen using IP addresses.

Note

The IP addresses listed in the Azure Datacenter IP list are in CIDR notation. For example, 10.0.0.0/24 does not mean 10.0.0.0 through 10.0.0.24. Learn more about CIDR notation.
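As an added example (not from the article), the PowerShell below computes the actual first and last address of an IPv4 CIDR block and checks whether a given address falls inside it, which is the arithmetic a firewall applies when you allow-list a block from the datacenter list. The 10.0.0.0/24 block from the note above is used as the constructed sample input; all function names are this example's own.

```powershell
function ConvertFrom-IPv4 {
    # Dotted IPv4 string -> integer. Uses [long] so that a /0 block (2^32 addresses) fits.
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

function ConvertTo-IPv4 {
    param([Parameter(Mandatory)] [long] $Number)
    return '{0}.{1}.{2}.{3}' -f (($Number -shr 24) -band 255), (($Number -shr 16) -band 255),
                                (($Number -shr 8) -band 255), ($Number -band 255)
}

function Get-CidrRange {
    param([Parameter(Mandatory)] [string] $Cidr)   # e.g. '10.0.0.0/24'
    if ($Cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$') { throw "Not an IPv4 CIDR block: $Cidr" }
    $addr, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Prefix length must be 0..32: $Cidr" }
    $size    = [long]1 -shl (32 - $prefix)       # number of addresses in the block (256 for /24)
    $ip      = ConvertFrom-IPv4 $addr
    $network = $ip - ($ip % $size)               # clear the host bits to get the network address
    [pscustomobject]@{
        Cidr      = $Cidr
        First     = ConvertTo-IPv4 $network
        Last      = ConvertTo-IPv4 ($network + $size - 1)
        Addresses = $size
    }
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)] [string] $Address, [Parameter(Mandatory)] [string] $Cidr)
    $range = Get-CidrRange $Cidr
    $n = ConvertFrom-IPv4 $Address
    return ($n -ge (ConvertFrom-IPv4 $range.First)) -and ($n -le (ConvertFrom-IPv4 $range.Last))
}

# Usage: 10.0.0.0/24 spans 10.0.0.0 to 10.0.0.255 (256 addresses), not 10.0.0.0 to 10.0.0.24.
Get-CidrRange '10.0.0.0/24'
Test-IPv4InCidr -Address '10.0.0.200' -Cidr '10.0.0.0/24'   # True
Test-IPv4InCidr -Address '10.0.1.1'   -Cidr '10.0.0.0/24'   # False
```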

Here is a listing of the fully qualified domain names used by the gateway.

Domain names                  Outbound ports    Description
----------------------------  ----------------  -----------------------------------------------------------------------------------------
*.download.microsoft.com      8080              HTTP used to download the installer.
*.powerbi.com                 443               HTTPS
*.analysis.windows.net        443               HTTPS
*.login.windows.net           443               HTTPS
*.servicebus.windows.net      5671-5672         Advanced Message Queuing Protocol (AMQP)
*.servicebus.windows.net      443, 9350-9354    Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition)
*.frontend.clouddatahub.net   443               HTTPS
*.core.windows.net            443               HTTPS
login.microsoftonline.com     443               HTTPS
*.msftncsi.com                443               Used to test internet connectivity if the gateway is unreachable by the Power BI service.
*.microsoftonline-p.com       443               Used for authentication depending on configuration.
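The PowerShell below is an added example, not part of the article: run on the gateway machine, it attempts an outbound TCP connection to endpoints and ports taken from the table above and reports which ones the firewall or proxy blocks. The wildcard entries need a concrete host, so the Service Bus namespace below is a placeholder you must replace with the one your gateway actually uses; login.windows.net and api.powerbi.com are assumed concrete hosts under the listed domains.

```powershell
# Endpoints derived from the article's table. 'YOUR-NAMESPACE' is a placeholder.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com';             Ports = @(443) },
    @{ Host = 'login.windows.net';                     Ports = @(443) },
    @{ Host = 'api.powerbi.com';                       Ports = @(443) },
    # AMQP (5671-5672) and relay (443, 9350-9354); only 443 matters if HTTPS mode is forced.
    @{ Host = 'YOUR-NAMESPACE.servicebus.windows.net'; Ports = @(443, 5671, 5672, 9350, 9351, 9352, 9353, 9354) }
)

function Test-GatewayOutbound {
    param([array] $Targets = $Endpoints)
    $results = foreach ($t in $Targets) {
        foreach ($port in $t.Ports) {
            # -InformationLevel Quiet makes Test-NetConnection return just $true/$false for the TCP connect.
            $ok = Test-NetConnection -ComputerName $t.Host -Port $port `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $t.Host; Port = $port; Reachable = [bool]$ok }
        }
    }
    return $results
}

$report  = Test-GatewayOutbound
$report | Format-Table -AutoSize

$blocked = $report | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "Outbound connections blocked: $list"
}
```

A TCP connect succeeding only proves the port is open on the path; an intercepting proxy can still break the TLS handshake, so a failing gateway with all ports reachable points at proxy or TLS configuration instead.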

Note

Traffic going to visualstudio.com or visualstudioonline.com is for App Insights and is not required for the gateway to function.

Forcing HTTPS communication with Azure Service Bus

You can force the gateway to communicate with Azure Service Bus using HTTPS instead of direct TCP. This may have an impact on performance. To do so, modify the Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config file by changing the value from AutoDetect to Https, as shown in the code snippet directly following this paragraph. That file is located (by default) at C:\Program Files\On-premises data gateway.

<setting name="ServiceBusSystemConnectivityModeString" serializeAs="String">
    <value>Https</value>
</setting>

The value for the ServiceBusSystemConnectivityModeString parameter is case sensitive. Valid values are AutoDetect and Https.
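The PowerShell below is an added example, not code shipped with the gateway: it makes the edit described above from an elevated prompt, rejecting any value that does not match AutoDetect or Https with the exact casing, keeping a backup of the file, and optionally restarting the PBIEgwService service so the new mode takes effect. The file path, setting name and service name come from this article; the function name is this example's own.

```powershell
$ConfigPath = 'C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config'
$ValidModes = @('AutoDetect', 'Https')   # the only valid values, and they are case sensitive

function Set-GatewayConnectivityMode {
    param(
        [Parameter(Mandatory)] [string] $Mode,
        [string] $Path = $ConfigPath,
        [switch] $RestartService
    )
    # -ccontains is the case-sensitive form: 'https' or 'HTTPS' is refused rather than written to the file.
    if (-not ($ValidModes -ccontains $Mode)) {
        throw "Invalid mode '$Mode'. Valid values (case sensitive): $($ValidModes -join ', ')"
    }
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.SelectSingleNode("//setting[@name='ServiceBusSystemConnectivityModeString']/value")
    if ($null -eq $node) { throw "ServiceBusSystemConnectivityModeString not found in $Path" }

    $old = $node.InnerText
    if ($old -ceq $Mode) {
        Write-Host "Connectivity mode is already '$Mode'; nothing to do."
        return
    }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a copy to roll back
    $node.InnerText = $Mode
    $xml.Save($Path)
    Write-Host "Connectivity mode changed from '$old' to '$Mode'."

    if ($RestartService) {
        # The running service keeps the old value until it restarts.
        Restart-Service -Name PBIEgwService
    }
}

# Usage: force HTTPS (TCP 443 only) and restart the gateway service.
Set-GatewayConnectivityMode -Mode Https -RestartService
```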

Alternatively, beginning with the March 2017 release, you can force the gateway to adopt this behavior using the gateway user interface. In the gateway user interface, select Network, then toggle the Azure Service Bus connectivity mode to On.

Once changed, when you select Apply (a button that only appears when you make a change), the gateway Windows service restarts automatically so the change can take effect.

For future reference, you can restart the gateway Windows service from the user interface dialog by selecting Service Settings and then Restart Now.

Support for TLS 1.1/1.2

With the August 2017 update and beyond, the on-premises data gateway uses Transport Layer Security (TLS) 1.1 or 1.2 to communicate with the Power BI service by default. Previous versions of the on-premises data gateway use TLS 1.0 by default. On March 15th 2018, support for TLS 1.0 will end, including the gateway's ability to interact with the Power BI service using TLS 1.0, so by then you must upgrade your on-premises data gateway installations to the August 2017 release or newer to ensure your gateways continue to operate.

It's important to note that TLS 1.0 is still supported by the on-premises data gateway prior to November 1st, and is used by the gateway as a fallback mechanism. To ensure all gateway traffic uses TLS 1.1 or 1.2 (and to prevent the use of TLS 1.0 on your gateway), you must add or modify the following registry keys on the machine running the gateway service:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001
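The PowerShell below is an added example (not from the article) that applies the two registry values above idempotently from an elevated prompt and reports before/after state, so you can confirm SchUseStrongCrypto is 1 under both the 64-bit and Wow6432Node keys. The function names are this example's own; the key paths and value are the ones listed above.

```powershell
# Both .NET Framework 4.x keys from the .reg lines above (64-bit and 32-bit views).
$StrongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    foreach ($key in $StrongCryptoKeys) {
        # Missing key or missing value both come back as $null, i.e. not enforced.
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $value; Enforced = ($value -eq 1) }
    }
}

function Enable-StrongCrypto {
    foreach ($key in $StrongCryptoKeys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD 1 is the dword:00000001 from the .reg lines above.
        Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord
    }
    return Get-StrongCryptoState
}

Get-StrongCryptoState | Format-Table -AutoSize   # before: Enforced may be False
Enable-StrongCrypto   | Format-Table -AutoSize   # after: Enforced should be True for both keys

# .NET reads this value at process start, so restart the gateway service to pick it up.
Restart-Service -Name PBIEgwService
```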

Note

Adding or modifying these registry keys applies the change to all .NET applications. For information about registry changes that affect TLS for other applications, see Transport Layer Security (TLS) registry settings.

How to restart the gateway

The gateway runs as a Windows service. You can start and stop it like any Windows service. There are multiple ways to do this. Here is how you can do it from the command prompt.

  1. On the machine where the gateway is running, launch an admin command prompt.
  2. Use the following command to stop the service.

    net stop PBIEgwService

  3. Use the following command to start the service.

    net start PBIEgwService

Next steps

Troubleshooting the on-premises data gateway
Azure Service Bus
Azure AD Connect
More questions? Try the Power BI Community