Understand on-premises data gateways for Microsoft PowerApps

Installation and configuration

Prerequisites

Minimum:

  • .NET 4.5 Framework
  • 64-bit version of Windows 7 or Windows Server 2008 R2 (or later)

Recommended:

  • 8 Core CPU
  • 8 GB Memory
  • 64-bit version of Windows 2012 R2 (or later)

Related considerations:

  • You can't install a gateway on a domain controller.
  • You shouldn't install a gateway on a computer, such as a laptop, that may be turned off, asleep, or not connected to the Internet because the gateway can't run under any of those circumstances. In addition, gateway performance might suffer over a wireless network.

Install a gateway

  1. Download the installer, and then run it.
  2. On the first screen of the installation wizard, click or tap Next to acknowledge the reminder about installing a gateway on a laptop.
  3. Specify the location where you want to install the gateway, select the check box to accept the terms of use and the privacy statement, and then click or tap Install.
  4. In the User Account Control dialog boxes, click or tap Yes to continue.
  5. On the next screen of the wizard, click or tap Sign in.
  6. Click or tap the option to register a new gateway or to migrate, restore, or take over an existing gateway, and then click or tap Next.

    • To configure a gateway, type a name for it and a recovery key, click or tap Configure, and then click or tap Close.

      Specify a recovery key that contains at least eight characters, and keep it in a safe place. You'll need this key if you want to migrate, restore, or take over the gateway.

    • To migrate, restore, or take over an existing gateway, provide the name of the gateway and its recovery key, click or tap Configure, and then follow any additional prompts.

Restart the gateway

The gateway runs as a Windows service, so you can start and stop it in multiple ways. For example, you can open a command prompt with elevated permissions on the machine where the gateway is running and then run either of these commands:

  • To stop the service, run this command:
    net stop PBIEgwService
  • To start the service, run this command:
    net start PBIEgwService

Configure a firewall or proxy

For information about how to provide proxy information for your gateway, see Configure proxy settings.

You can verify whether your firewall, or proxy, may be blocking connections by running the following command from a PowerShell prompt. This command will test connectivity to the Azure Service Bus. This only tests network connectivity and doesn't have anything to do with the cloud server service or the gateway. It helps to determine whether your machine can actually get out to the internet.

Test-NetConnection -ComputerName watchdog.servicebus.windows.net -Port 9350

The results should look similar to this example. If TcpTestSucceeded is not True, you may be blocked by a firewall.

ComputerName           : watchdog.servicebus.windows.net
RemoteAddress          : 70.37.104.240
RemotePort             : 5672
InterfaceAlias         : vEthernet (Broadcom NetXtreme Gigabit Ethernet - Virtual Switch)
SourceAddress          : 10.120.60.105
PingSucceeded          : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : True

If you want to be exhaustive, substitute the ComputerName and Port values with those listed under Configure ports later in this topic.

The firewall may also be blocking the connections that the Azure Service Bus makes to the Azure data centers. If that's the case, you'll want to whitelist (unblock) the IP addresses for your region for those data centers. You can get a list of Azure IP addresses here.

Configure ports

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports: TCP 443 (default), 5671, 5672, 9350 through 9354. The gateway doesn't require inbound ports.

Learn more about hybrid solutions.

It is recommended that you whitelist the IP addresses, for your data region, in your firewall. You can download the Microsoft Azure Datacenter IP list, which is updated weekly.

Note: In the Azure Datacenter IP list, addresses are listed in CIDR notation. For example, 10.0.0.0/24 doesn't mean 10.0.0.0 through 10.0.0.24.
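To make the CIDR note concrete, the following added example (not part of the original page) expands a CIDR block into its first and last address and checks whether a given address falls inside it. The function names and the sample addresses are constructed for illustration.

```powershell
# Added example: what a CIDR entry in an allowlist actually covers (IPv4 only).
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)                 # back to network byte order
    ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-CidrRange ([string]$Cidr) {
    $addr, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    # 64-bit arithmetic avoids overflow for short prefixes such as /0 or /1.
    $size  = [uint64]1 -shl (32 - $prefix)   # number of addresses in the block
    $ip    = [uint64](ConvertTo-UInt32 $addr)
    $first = $ip - ($ip % $size)             # clear the host bits
    $last  = $first + $size - 1

    [pscustomobject]@{
        Cidr       = $Cidr
        First      = ConvertFrom-UInt32 ([uint32]$first)
        Last       = ConvertFrom-UInt32 ([uint32]$last)
        Count      = $size
        FirstValue = $first
        LastValue  = $last
    }
}

function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $range = Get-CidrRange $Cidr
    $value = [uint64](ConvertTo-UInt32 $Ip)
    ($value -ge $range.FirstValue) -and ($value -le $range.LastValue)
}

# The page's example block: /24 leaves 8 host bits, so the last octet is free.
Get-CidrRange '10.0.0.0/24' | Format-List Cidr, First, Last, Count

# Constructed sample address: reading /24 as "through .24" would wrongly exclude it.
Test-IpInCidr -Ip '10.0.0.200' -Cidr '10.0.0.0/24'
```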

Here is a listing of the fully qualified domain names used by the gateway.

Domain names | Outbound ports | Description
.analysis.windows.net | 443 | HTTPS
.login.windows.net | 443 | HTTPS
.servicebus.windows.net | 5671-5672 | Advanced Message Queuing Protocol (AMQP)
.servicebus.windows.net | 443, 9350-9354 | Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition)
.frontend.clouddatahub.net | 443 | HTTPS
.core.windows.net | 443 | HTTPS
login.microsoftonline.com | 443 | HTTPS
.msftncsi.com | 443 | Used to test internet connectivity if the gateway is unreachable by the Power BI service.
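The exhaustive check suggested earlier, run over the ports in this table, as an added example that is not part of the original page. Both host names appear on this page; the wildcard entries need concrete host names from your own environment, and whether the watchdog host answers on every listed Service Bus port is an assumption.

```powershell
# Added example: test outbound TCP reachability for the gateway's documented ports.
# Run from the machine that hosts (or will host) the gateway.
$endpoints = @(
    @{ Name = 'login.microsoftonline.com';       Ports = @(443) },
    # Ports taken from the two .servicebus.windows.net rows of the table.
    @{ Name = 'watchdog.servicebus.windows.net'; Ports = @(443, 5671, 5672) + @(9350..9354) }
    # Add concrete hosts for the wildcard rows here (assumption: environment-specific).
)

$results = foreach ($ep in $endpoints) {
    foreach ($port in $ep.Ports) {
        $r = Test-NetConnection -ComputerName $ep.Name -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName     = $ep.Name
            RemotePort       = $port
            RemoteAddress    = $r.RemoteAddress
            TcpTestSucceeded = $r.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Summarise anything that did not connect so the firewall rule to review is obvious.
$blocked = @($results | Where-Object { -not $_.TcpTestSucceeded })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) unreachable; review outbound firewall or proxy rules:" -f $blocked.Count)
    $blocked | ForEach-Object { Write-Warning ("  {0}:{1}" -f $_.ComputerName, $_.RemotePort) }
}
```

Only outbound rules need to change for any failures it reports, since the gateway requires no inbound ports.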

Sign-in account

Users will sign in with either a work or school account. This is your organization account. If you signed up for an Office 365 offering and didn't supply your actual work email, it may look like nancy@contoso.onmicrosoft.com. Your account, within a cloud service, is stored within a tenant in Azure Active Directory (AAD). In most cases, your AAD account's UPN will match the email address.

Windows Service account

The on-premises data gateway is configured to use NT SERVICE\PBIEgwService for the Windows service logon credential. By default, it has the right of Log on as a service. This is in the context of the machine on which you're installing the gateway.

This isn't the account used to connect to on-premises data sources or the work or school account with which you sign in to cloud services.

If you encounter issues with your proxy server due to authentication, you may want to change the Windows service account to a domain-user or managed-service account as proxy configuration describes.

Frequently asked questions

General

Question: What data sources does the gateway support?
Answer: As of this writing:

  • SQL Server
  • SharePoint
  • Oracle
  • Informix
  • Filesystem
  • DB2

Question: Do I need a gateway for data sources in the cloud, such as SQL Azure?
Answer: No. A gateway connects to on-premises data sources only.

Question: What is the actual Windows service called?
Answer: In Services, the gateway is called Power BI Enterprise Gateway Service.

Question: Are there any inbound connections to the gateway from the cloud?
Answer: No. The gateway uses outbound connections to Azure Service Bus.

Question: What if I block outbound connections? What do I need to open?
Answer: See the ports and hosts that the gateway uses.

Question: Does the gateway have to be installed on the same machine as the data source?
Answer: No. The gateway will connect to the data source using the connection information that was provided. Think of the gateway as a client application in this sense. It will just need to be able to connect to the server name that was provided.

Question: What is the latency for running queries to a data source from the gateway? What is the best architecture?
Answer: To reduce network latency, install the gateway as close to the data source as possible. If you can install the gateway on the actual data source, it will minimize the latency introduced. Consider the data centers as well. For example, if your service is using the West US data center and you have SQL Server hosted in an Azure VM, you'll want to have the Azure VM in West US as well. This will minimize latency and avoid egress charges on the Azure VM.

Question: Are there any requirements for network bandwidth?
Answer: It is recommended to have good throughput for your network connection. Every environment is different, and the amount of data being sent will affect the results. Using ExpressRoute could help to guarantee a level of throughput between on-premises and the Azure data centers.

You can use the third-party tool Azure Speed Test app to help gauge what your throughput is.

Question: Can the gateway Windows service run with an Azure Active Directory account?
Answer: No. The Windows service must have a valid Windows account. By default, it will run with the Service SID, NT SERVICE\PBIEgwService.

Question: How are results sent back to the cloud?
Answer: This is done by way of the Azure Service Bus. For more information, see how it works.

Question: Where are my credentials stored?
Answer: The credentials that you enter for a data source are stored encrypted in the gateway cloud service. The credentials are decrypted at the gateway on-premises.

Question: Can I place the gateway in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet)?
Answer: The gateway requires connectivity to the data source. If the data source isn't in your perimeter network, the gateway may not be able to connect to it. For example, the computer that's running SQL Server may not be in your perimeter network, and you can't connect to that computer from the perimeter network. If you placed the gateway in your perimeter network, the gateway wouldn't be able to reach the computer that's running SQL Server.

High availability/disaster recovery

Question: Are there any plans for enabling high availability scenarios with the gateway?
Answer: This is on the roadmap, but we don't have a timeline yet.

Question: What options are available for disaster recovery?
Answer: You can use the recovery key to restore or move a gateway. When you install the gateway, specify the recovery key.

Question: What is the benefit of the recovery key?
Answer: It provides a way to migrate or recover your gateway settings after a disaster.

Troubleshooting

Question: Where are the gateway logs?
Answer: See Tools later in this topic.

Question: How can I see what queries are being sent to the on-premises data source?
Answer: You can enable query tracing, which will include the queries being sent. Remember to change it back to the original value when done troubleshooting. Leaving query tracing enabled will cause the logs to be larger.

You can also look at tools that your data source has for tracing queries. For example, you can use Extended Events or SQL Profiler for SQL Server and Analysis Services.

How the gateway works

When a user interacts with an element that's connected to an on-premises data source:

  1. The cloud service creates a query, along with the encrypted credentials for the data source, and sends the query to the queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data source(s) with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source back to the gateway and then onto the cloud service. The service then uses the results.

Troubleshooting

Update to the latest version

A lot of issues can surface when the gateway version is out of date. It is a good general practice to make sure you are on the latest version. If you haven't updated the gateway for a month, or longer, you may want to consider installing the latest version of the gateway and see if you can reproduce the issue.

Error: Failed to add user to group. (-2147463168 PBIEgwService Performance Log Users )

You may receive this error if you are trying to install the gateway on a domain controller, which isn't supported. You'll need to deploy the gateway on a machine that isn't a domain controller.

Tools

Collecting logs from the gateway configurator

You can collect several logs for the gateway. Always start with the logs!

Installer logs

%localappdata%\Temp\On-premises_data_gateway_*.log

Configuration logs

%localappdata%\Microsoft\on-premises data gateway\GatewayConfigurator*.log

Enterprise gateway service logs

C:\Users\PBIEgwService\AppData\Local\Microsoft\on-premises data gateway\Gateway*.log

Event logs

The On-premises data gateway service event logs are present under Applications and Services Logs.

Fiddler Trace

Fiddler is a free tool from Telerik that monitors HTTP traffic. You can see the back and forth with the Power BI service from the client machine. This may show errors and other related information.