On-premises data gateway in-depth

It's possible for users in your organization to access on-premises data (to which they already have access authorization), but before those users can connect to your on-premises data source, an on-premises data gateway needs to be installed and configured. The gateway facilitates quick and secure behind-the-scenes communication from a user in the cloud to your on-premises data source and back to the cloud.

Installing and configuring a gateway is usually done by an administrator. It may require special knowledge of your on-premises servers and in some cases may require Server Administrator permissions.

This article doesn't provide step-by-step guidance on how to install and configure the gateway. For that, be sure to see On-premises data gateway. This article is meant to provide you with an in-depth understanding of how the gateway works. We'll also go into some detail about usernames and security in both Azure Active Directory and Analysis Services, and how the cloud service uses the e-mail address a user signs in with, the gateway, and Active Directory to securely connect to and query your on-premises data.

How the gateway works

[Figure: On-premises data gateway, how it works]

Let's first look at what happens when a user interacts with an element connected to an on-premises data source.

Note

For Power BI, you will need to configure a data source for the gateway.

  1. A query will be created by the cloud service, along with the encrypted credentials for the on-premises data source, and sent to the queue for the gateway to process.
  2. The gateway cloud service will analyze the query and will push the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data source(s) with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source back to the gateway, and then on to the cloud service. The service then uses the results.

List of available data source types

Data source | Live/DirectQuery | User configured manual or scheduled refresh
--- | --- | ---
Analysis Services Tabular | Yes | Yes
Analysis Services Multidimensional | Yes | Yes
File | No | Yes
Folder | No | Yes
IBM DB2 | No | Yes
IBM Informix Database | No | Yes
Impala | Yes | Yes
MySQL | No | Yes
OData | No | Yes
ODBC | No | Yes
Oledb | No | Yes
Oracle | Yes | Yes
PostgreSQL | No | Yes
SAP BW | Yes | Yes
SAP HANA | Yes | Yes
SharePoint list (on-premises) | No | Yes
Snowflake | Yes | Yes
SQL Server | Yes | Yes
Sybase | No | Yes
Teradata | Yes | Yes
Web | No | Yes

Sign in account

Users will sign in with either a work or school account. This is your organization account. If you signed up for an Office 365 offering and didn't supply your actual work email, it may look like nancy@contoso.onmicrosoft.com. Your account, within a cloud service, is stored within a tenant in Azure Active Directory (AAD). In most cases, your AAD account's UPN will match the email address.

Authentication to on-premises data sources

A stored credential will be used to connect to on-premises data sources from the gateway, except for Analysis Services. Regardless of the individual user, the gateway uses the stored credential to connect.

Authentication to a live Analysis Services data source

Each time a user interacts with Analysis Services, the effective username is passed to the gateway and then on to your on-premises Analysis Services server. The user principal name (UPN), typically the email address you sign into the cloud with, is what we will pass to Analysis Services as the effective user. The UPN is passed in the connection property EffectiveUserName. This email address should match a defined UPN within the local Active Directory domain. The UPN is a property of an Active Directory account. That Windows account then needs to be present in an Analysis Services role to have access to the server. The login will not be successful if no match is found in Active Directory.

Analysis Services can also provide filtering based on this account. The filtering can occur with either role-based security or row-level security.

Role-based security

Models provide security based on user roles. Roles are defined for a particular model project during authoring in SQL Server Data Tools – Business Intelligence (SSDT-BI), or after a model is deployed, by using SQL Server Management Studio (SSMS). Roles contain members by Windows username or by Windows group. Roles define the permissions a user has to query or perform actions on the model. Most users will belong to a role with Read permissions. Other roles are meant for administrators with permissions to process items, manage database functions, and manage other roles.

Row-level security

Row-level security is specific to Analysis Services row-level security. Models can provide dynamic row-level security. Unlike roles, of which every user must belong to at least one, dynamic security is not required for any tabular model. At a high level, dynamic security defines a user's read access to data right down to a particular row in a particular table. Similar to roles, dynamic row-level security relies on a user's Windows username.

A user's ability to query and view model data is determined first by the roles their Windows user account is a member of and second by dynamic row-level security, if configured.

Implementing role and dynamic row-level security in models is beyond the scope of this article. You can learn more at Roles (SSAS Tabular) and Security Roles (Analysis Services - Multidimensional Data) on MSDN. And, for the most in-depth understanding of tabular model security, download and read the Securing the Tabular BI Semantic Model whitepaper.

What about Azure Active Directory?

Microsoft cloud services use Azure Active Directory to take care of authenticating users. Azure Active Directory is the tenant that contains usernames and security groups. Typically, the email address a user signs in with is the same as the UPN of the account.

What is my local Active Directory's role?

For Analysis Services to determine if a user connecting to it belongs to a role with permissions to read data, the server needs to convert the effective username passed from AAD to the gateway, and on to the Analysis Services server. The Analysis Services server passes the effective username to a Windows Active Directory domain controller (DC). The Active Directory DC then validates that the effective username is a valid UPN on a local account, and returns that user's Windows username back to the Analysis Services server.

EffectiveUserName cannot be used on a non-domain-joined Analysis Services server. The Analysis Services server must be joined to a domain to avoid any login errors.

How do I tell what my UPN is?

You may not know what your UPN is, and you may not be a domain administrator. You can use the following command from your workstation to find out the UPN for your account.

whoami /upn

The result will look similar to an email address, but this is the UPN that is on your local domain account. If you are using an Analysis Services data source for live connections, this must match what was passed to EffectiveUserName from the gateway.

Mapping usernames for Analysis Services data sources

Power BI allows for mapping usernames for Analysis Services data sources. You can configure rules to map a username logged in with Power BI to a name that is passed for EffectiveUserName on the Analysis Services connection. The map user names feature is a great way to work around the case where your username in AAD doesn't match a UPN in your local Active Directory. For example, if your email address is nancy@contoso.onmicrosoft.com, you could map it to nancy@contoso.com, and that value would be passed to the gateway. You can learn more about how to map user names.

Synchronize an on-premises Active Directory with Azure Active Directory

You will want your local Active Directory accounts to match Azure Active Directory if you are going to be using Analysis Services live connections, as the UPN has to match between the accounts.

The cloud services only know about accounts within Azure Active Directory. It doesn't matter if you added an account in your local Active Directory; if it doesn't exist in AAD, it cannot be used. There are different ways that you can match your local Active Directory accounts with Azure Active Directory.

  1. You can add accounts manually to Azure Active Directory.

    You can create an account on the Azure portal, or within the Office 365 Admin Portal, and the account name matches the UPN of the local Active Directory account.

  2. You can use the Azure AD Connect tool to synchronize local accounts to your Azure Active Directory tenant.

    The Azure AD Connect tool provides options for directory and password synchronization. If you are not a tenant admin or a local domain administrator, you will need to contact your IT admin to get this configured.

  3. You can configure Active Directory Federation Services (ADFS).

    You can associate your ADFS server with your AAD tenant with the Azure AD Connect tool. ADFS makes use of the directory synchronization discussed above but allows for a single sign-on (SSO) experience. For example, if you are within your work network, when you go to a cloud service and sign in, you may not be prompted to enter a username or password. You will need to discuss with your IT admin whether this is available for your organization.

Using Azure AD Connect ensures that the UPN will match between AAD and your local Active Directory.

Note

Synchronizing accounts with the Azure AD Connect tool will create new accounts within your AAD tenant.

Now, this is where the gateway comes in

The gateway acts as a bridge between the cloud and your on-premises server. Data transfer between the cloud and the gateway is secured through Azure Service Bus. The Service Bus creates a secure channel between the cloud and your on-premises server through an outbound connection on the gateway. There are no inbound connections that you need to open on your on-premises firewall.

If you have an Analysis Services data source, you'll need to install the gateway on a computer joined to the same forest/domain as your Analysis Services server.

The closer the gateway is to the server, the faster the connection will be. If you can get the gateway on the same server as the data source, that is best to avoid network latency between the gateway and the server.

What to do next?

After you get the gateway installed, you will want to create data sources for that gateway. You can add data sources within the Manage gateways screen. For more information, see the manage data sources articles.

Manage your data source - Analysis Services
Manage your data source - SAP HANA
Manage your data source - SQL Server
Manage your data source - Oracle
Manage your data source - Import/Scheduled refresh

Where things can go wrong

Sometimes installing the gateway fails. Or, maybe the gateway seems to install OK, but the service is still unable to work with it. In many cases, it's something simple, like the password for the credentials the gateway uses to sign into the data source.

In other cases, there might be issues with the type of e-mail address users sign in with, or Analysis Services' inability to resolve an effective username. If you have multiple domains with trusts between them, and your gateway is in one and Analysis Services in another, this can sometimes cause problems.

Rather than go into troubleshooting gateway issues here, we've put a series of troubleshooting steps into another article: Troubleshooting the on-premises data gateway. Hopefully, you won't have any problems. But if you do, understanding how all of this works and the troubleshooting article should help.

Windows Service account

The on-premises data gateway is configured to use NT SERVICE\PBIEgwService for the Windows service logon credential. By default, it has the right to Log on as a service. This is in the context of the machine that you are installing the gateway on.

Note

If you selected personal mode, you configure the Windows service account separately.

This is not the account used to connect to on-premises data sources. This is also not your work or school account that you sign into cloud services with.

If you encounter authentication issues with your proxy server, you may want to change the Windows service account to a domain user or managed service account. You can learn how to change the account in proxy configuration.

Ports

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports: TCP 443 (default), 5671, 5672, 9350 through 9354. The gateway does not require inbound ports. Learn more

It is recommended that you whitelist the IP addresses for your data region in your firewall. You can download the Microsoft Azure Datacenter IP list. This list is updated weekly. The gateway will communicate with Azure Service Bus using the IP address along with the fully qualified domain name (FQDN). If you are forcing the gateway to communicate using HTTPS, it will strictly use the FQDN only, and no communication will happen using IP addresses.

Note

The IP addresses listed in the Azure Datacenter IP list are in CIDR notation. For example, 10.0.0.0/24 does not mean 10.0.0.0 through 10.0.0.24. Learn more about CIDR notation.
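As an added example (not part of the original article or Microsoft's tooling), the following PowerShell expands a CIDR entry into its first and last address and tests whether a given address falls inside it, so a block copied from the datacenter IP list can be checked before it goes into a firewall allow list. The function names are my own, and the 10.0.0.0/24 input is the constructed example from the note above.

```powershell
# Added example, not Microsoft's code: IPv4 CIDR helpers for sanity-checking an
# Azure Datacenter IP list entry before adding it to a firewall allow list.
# Function names are hypothetical. Works in Windows PowerShell 5.1 and later.

function Get-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $networkText, $prefixText = $Cidr -split '/', 2
    if (-not $prefixText) { throw "Expected CIDR notation such as 10.0.0.0/24, got '$Cidr'" }
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $first = [System.Net.IPAddress]::Parse($networkText).GetAddressBytes()
    if ($first.Length -ne 4) { throw "IPv4 addresses only: '$Cidr'" }
    $last = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) {
        # Number of network (prefix) bits that land in this octet: 8, 0, or in between.
        $bits = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        $first[$i] = $first[$i] -band $mask                        # clear host bits: network address
        $last[$i]  = $first[$i] -bor ((-bnot $mask) -band 0xFF)    # set host bits: last address
    }
    [pscustomobject]@{
        Cidr      = $Cidr
        First     = ($first -join '.')
        Last      = ($last -join '.')
        Addresses = [math]::Pow(2, 32 - $prefix)
    }
}

function Test-IPInCidr {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Cidr
    )
    $range    = Get-CidrRange -Cidr $Cidr          # also validates the CIDR string
    $prefix   = [int]($Cidr -split '/', 2)[1]
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($range.First).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        if ($bits -eq 0) { break }                  # remaining octets are host bits, always match
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

# Constructed input from the note: a /24 covers .0 through .255, not .0 through .24.
Get-CidrRange -Cidr '10.0.0.0/24' | Format-List
foreach ($ip in '10.0.0.24', '10.0.0.200', '10.0.1.1') {
    '{0,-12} in 10.0.0.0/24: {1}' -f $ip, (Test-IPInCidr -IPAddress $ip -Cidr '10.0.0.0/24')
}
```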

Here is a listing of the fully qualified domain names used by the gateway.

Domain names | Outbound ports | Description
--- | --- | ---
*.download.microsoft.com | 8080 | HTTP used to download the installer.
*.powerbi.com | 443 | HTTPS
*.analysis.windows.net | 443 | HTTPS
*.login.windows.net | 443 | HTTPS
*.servicebus.windows.net | 5671-5672 | Advanced Message Queuing Protocol (AMQP)
*.servicebus.windows.net | 443, 9350-9354 | Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition)
*.frontend.clouddatahub.net | 443 | HTTPS
*.core.windows.net | 443 | HTTPS
login.microsoftonline.com | 443 | HTTPS
*.msftncsi.com | 443 | Used to test internet connectivity if the gateway is unreachable by the Power BI service.
*.microsoftonline-p.com | 443 | Used for authentication depending on configuration.

Note

Traffic going to visualstudio.com or visualstudioonline.com is for App Insights and is not required for the gateway to function.

Forcing HTTPS communication with Azure Service Bus

You can force the gateway to communicate with Azure Service Bus using HTTPS instead of direct TCP. This may have an impact on performance. To do so, modify the Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config file by changing the value from AutoDetect to Https, as shown in the code snippet directly following this paragraph. That file is located (by default) at C:\Program Files\On-premises data gateway.

<setting name="ServiceBusSystemConnectivityModeString" serializeAs="String">
    <value>Https</value>
</setting>

The value for the ServiceBusSystemConnectivityModeString parameter is case sensitive. Valid values are AutoDetect and Https.

Alternatively, you can force the gateway to adopt this behavior using the gateway user interface, beginning with the March 2017 release. In the gateway user interface select Network, then toggle the Azure Service Bus connectivity mode to On.

Once changed, when you select Apply (a button that only appears when you make a change), the gateway Windows service restarts automatically so the change can take effect.

For future reference, you can restart the gateway Windows service from the user interface dialog by selecting Service Settings and then Restart Now.
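As an added example (not Microsoft's code or part of the original article), this PowerShell reads the current ServiceBusSystemConnectivityModeString value from the gateway config file, rejects anything other than the two case-sensitive values named above, backs the file up before writing Https, and restarts the PBIEgwService Windows service so the change takes effect. It assumes the article's default install path and uses function names of my own.

```powershell
# Added example, not Microsoft's code: inspect or change the Service Bus connectivity
# mode in the GatewayCore .dll.config named above. Run in an elevated PowerShell on
# the gateway machine. Path is the article's default; function names are hypothetical.
$GatewayConfigPath = 'C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config'
$SettingName       = 'ServiceBusSystemConnectivityModeString'
$ValidModes        = @('AutoDetect', 'Https')   # the only accepted values, case sensitive

function Get-ConnectivityModeNode {
    param([string]$Path)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.SelectSingleNode("//setting[@name='$SettingName']/value")
    if ($null -eq $node) { throw "Setting '$SettingName' not found in $Path" }
    [pscustomobject]@{ Document = $xml; Node = $node }
}

function Get-GatewayConnectivityMode {
    param([string]$Path = $GatewayConfigPath)
    (Get-ConnectivityModeNode -Path $Path).Node.InnerText
}

function Set-GatewayConnectivityMode {
    param(
        [Parameter(Mandatory)][string]$Mode,
        [string]$Path = $GatewayConfigPath
    )
    # -cnotcontains is case sensitive, so 'https' or 'HTTPS' is rejected here instead of
    # being written into the file as a value the gateway does not recognise.
    if ($ValidModes -cnotcontains $Mode) {
        throw "Invalid mode '$Mode'. Valid values (case sensitive): $($ValidModes -join ', ')"
    }
    $cfg = Get-ConnectivityModeNode -Path $Path
    if ($cfg.Node.InnerText -ceq $Mode) {
        Write-Host "Already set to $Mode; nothing to do."
        return
    }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a rollback copy
    $cfg.Node.InnerText = $Mode
    $cfg.Document.Save($Path)
    # The new mode is only used after the gateway Windows service restarts.
    Restart-Service -Name PBIEgwService
    Write-Host "Set $SettingName to $Mode and restarted PBIEgwService."
}

"Current mode: $(Get-GatewayConnectivityMode)"
# Set-GatewayConnectivityMode -Mode Https   # force HTTPS; may reduce performance
```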

Support for TLS 1.1/1.2

With the August 2017 update and beyond, the on-premises data gateway uses Transport Layer Security (TLS) 1.1 or 1.2 to communicate with the Power BI service by default. Previous versions of the on-premises data gateway use TLS 1.0 by default. On March 15th 2018, support for TLS 1.0 will end, including the gateway's ability to interact with the Power BI service using TLS 1.0, so by then you must upgrade your on-premises data gateway installations to the August 2017 release or newer to ensure your gateways continue to operate.

It's important to note that TLS 1.0 is still supported by the on-premises data gateway prior to November 1st, and is used by the gateway as a fallback mechanism. To ensure all gateway traffic uses TLS 1.1 or 1.2 (and to prevent the use of TLS 1.0 on your gateway), you must add or modify the following registry keys on the machine running the gateway service:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001

Note

Adding or modifying these registry keys applies the change to all .NET applications. For information about registry changes that affect TLS for other applications, see Transport Layer Security (TLS) registry settings.
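As an added example (not Microsoft's code or part of the original article), this PowerShell audits both registry locations listed above and, when asked, sets SchUseStrongCrypto to 1 in each and restarts the gateway service. The function names are my own; it assumes it runs elevated on the gateway machine.

```powershell
# Added example, not Microsoft's code: audit the two SchUseStrongCrypto values from the
# article and, via Set-SchUseStrongCrypto, enforce them. Run in an elevated PowerShell
# on the gateway machine. Function names are hypothetical.
$StrongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Test-SchUseStrongCrypto {
    # One row per hive: the current value ($null if the key or value is absent) and whether it is 1.
    foreach ($key in $StrongCryptoKeys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
            if ($item) { $value = $item.SchUseStrongCrypto }
        }
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value
            Enforced           = ($value -eq 1)
        }
    }
}

function Set-SchUseStrongCrypto {
    foreach ($key in $StrongCryptoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1: .NET Framework 4.x on this machine stops defaulting to TLS 1.0.
        # As the note says, this affects every .NET application here, not only the gateway.
        New-ItemProperty -LiteralPath $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Restart-Service -Name PBIEgwService   # the gateway service must restart to pick up the change
}

$status = Test-SchUseStrongCrypto
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Enforced }) {
    Write-Warning 'At least one hive lacks SchUseStrongCrypto=1, so TLS 1.0 fallback is still possible; run Set-SchUseStrongCrypto.'
}
```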

How to restart the gateway

The gateway runs as a Windows service. You can start and stop it like any Windows service. There are multiple ways to do this. Here is how you can do it from the command prompt.

  1. On the machine where the gateway is running, launch an admin command prompt.
  2. Use the following command to stop the service.

    net stop PBIEgwService

  3. Use the following command to start the service.

    net start PBIEgwService

Next steps

Troubleshooting the on-premises data gateway
Azure Service Bus
Azure AD Connect
More questions? Try the Power BI Community