Understand on-premises data gateways for Microsoft PowerApps

Installation and configuration

Prerequisites

Minimum:

  • .NET 4.5 Framework
  • 64-bit version of Windows 7 or Windows Server 2008 R2 (or later)

Recommended:

  • 8 Core CPU
  • 8 GB Memory
  • 64-bit version of Windows 2012 R2 (or later)

Related considerations:

  • You can't install a gateway on a domain controller.
  • You shouldn't install a gateway on a computer, such as a laptop, that may be turned off, asleep, or not connected to the Internet because the gateway can't run under any of those circumstances. In addition, gateway performance might suffer over a wireless network.

Install a gateway

  1. Download the installer, and then run it.
  2. On the first screen of the installation wizard, click or tap Next to acknowledge the reminder about installing a gateway on a laptop.
  3. Specify the location where you want to install the gateway, select the check box to accept the terms of use and the privacy statement, and then click or tap Install.
  4. In the User Account Control dialog boxes, click or tap Yes to continue.
  5. On the next screen of the wizard, click or tap Sign in.
  6. Click or tap the option to register a new gateway or to migrate, restore, or take over an existing gateway, and then click or tap Next.

    • To configure a gateway, type a name for it and a recovery key, click or tap Configure, and then click or tap Close.

      Specify a recovery key that contains at least eight characters, and keep it in a safe place. You'll need this key if you want to migrate, restore, or take over its gateway.

    • To migrate, restore, or take over an existing gateway, provide the name of the gateway and its recovery key, click or tap Configure, and then follow any additional prompts.

Restart the gateway

The gateway runs as a Windows service, so you can start and stop it in multiple ways. For example, you can open a command prompt with elevated permissions on the machine where the gateway is running and then run either of these commands:

  • To stop the service, run this command:
    net stop PBIEgwService
  • To start the service, run this command:
    net start PBIEgwService

Configure a firewall or proxy

For information about how to provide proxy information for your gateway, see Configure proxy settings.

You can verify whether your firewall, or proxy, may be blocking connections by running the following command from a PowerShell prompt. This command tests connectivity to the Azure Service Bus. It only tests network connectivity and doesn't have anything to do with the cloud server service or the gateway. It helps to determine whether your machine can actually get out to the internet.

Test-NetConnection -ComputerName watchdog.servicebus.windows.net -Port 9350

The results should look similar to this example. If TcpTestSucceeded is not True, you may be blocked by a firewall.

ComputerName           : watchdog.servicebus.windows.net
RemoteAddress          : 70.37.104.240
RemotePort             : 5672
InterfaceAlias         : vEthernet (Broadcom NetXtreme Gigabit Ethernet - Virtual Switch)
SourceAddress          : 10.120.60.105
PingSucceeded          : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : True

If you want to be exhaustive, substitute the ComputerName and Port values with those listed under Configure ports later in this topic.

The firewall may also be blocking the connections that the Azure Service Bus makes to the Azure data centers. If that's the case, you'll want to whitelist (unblock) the IP addresses for your region for those data centers. You can get a list of Azure IP addresses here.

Configure ports

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports: TCP 443 (default), 5671, 5672, 9350 through 9354. The gateway doesn't require inbound ports.

Learn more about hybrid solutions.

It is recommended that you whitelist the IP addresses, for your data region, in your firewall. You can download the Microsoft Azure Datacenter IP list, which is updated weekly.

Note: In the Azure Datacenter IP list, addresses are listed in CIDR notation. For example, 10.0.0.0/24 doesn't mean 10.0.0.0 through 10.0.0.24.
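
To make the CIDR note concrete, the following added PowerShell example (not part of the original page) expands an IPv4 CIDR block into its first and last address and checks whether a given address is covered by it. For 10.0.0.0/24 the block runs from 10.0.0.0 to 10.0.0.255, 256 addresses in total. The function names are hypothetical helpers and the sample addresses are constructed.

```powershell
# Added example: helper names are hypothetical, sample addresses are constructed.
function ConvertTo-IPv4Int ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $Ip" }
    # Int64 holds the full unsigned 32-bit range without overflow.
    ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function ConvertTo-DottedQuad ([int64]$Value) {
    (24, 16, 8, 0 | ForEach-Object { ($Value -shr $_) -band 255 }) -join '.'
}

function Get-CidrRange ([string]$Cidr) {
    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix, got '$Cidr'" }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    # The prefix is the number of fixed leading bits; the rest are host bits.
    $size  = [int64][math]::Pow(2, 32 - $prefix)
    $ip    = ConvertTo-IPv4Int $parts[0]
    $first = $ip - ($ip % $size)          # clear the host bits
    $last  = $first + $size - 1

    [pscustomobject]@{
        Cidr     = $Cidr
        First    = ConvertTo-DottedQuad $first
        Last     = ConvertTo-DottedQuad $last
        Count    = $size
        FirstInt = $first
        LastInt  = $last
    }
}

function Test-IPv4InCidr ([string]$Ip, [string]$Cidr) {
    $range = Get-CidrRange $Cidr
    $value = ConvertTo-IPv4Int $Ip
    ($value -ge $range.FirstInt) -and ($value -le $range.LastInt)
}

# The block from the note above.
Get-CidrRange '10.0.0.0/24' | Format-List Cidr, First, Last, Count

# An address past .24 that the misreading would leave out of the allow list.
Test-IPv4InCidr -Ip '10.0.0.200' -Cidr '10.0.0.0/24'

# An address in the neighbouring block, which the /24 does not cover.
Test-IPv4InCidr -Ip '10.0.1.1' -Cidr '10.0.0.0/24'
```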

Here is a listing of the fully qualified domain names used by the gateway.

| Domain names | Outbound ports | Description |
| --- | --- | --- |
| .analysis.windows.net | 443 | HTTPS |
| .login.windows.net | 443 | HTTPS |
| .servicebus.windows.net | 5671-5672 | Advanced Message Queuing Protocol (AMQP) |
| .servicebus.windows.net | 443, 9350-9354 | Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition) |
| .frontend.clouddatahub.net | 443 | HTTPS |
| .core.windows.net | 443 | HTTPS |
| login.microsoftonline.com | 443 | HTTPS |
| .msftncsi.com | 443 | Used to test internet connectivity if the gateway is unreachable by the Power BI service. |
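
The exhaustive check suggested under Configure a firewall or proxy, as an added PowerShell example (not part of the original page). It probes only the two concrete host names that appear on this page; testing watchdog.servicebus.windows.net on every Service Bus port is an assumption, and the wildcard suffixes in the table have no single host to test.

```powershell
# Added example: hosts and ports are taken from this page.
# Assumption: watchdog.servicebus.windows.net stands in for the
# .servicebus.windows.net entries on all of their listed ports.
$targets = @(
    @{ Host = 'watchdog.servicebus.windows.net'; Ports = @(443, 5671, 5672) + (9350..9354) },
    @{ Host = 'login.microsoftonline.com';       Ports = @(443) }
)

$results = foreach ($t in $targets) {
    foreach ($port in $t.Ports) {
        # Suppress the per-probe warning text; failures are summarised below.
        $r = Test-NetConnection -ComputerName $t.Host -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName     = $t.Host
            RemoteAddress    = $r.RemoteAddress
            Port             = $port
            TcpTestSucceeded = $r.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Anything that did not complete a TCP handshake is a candidate firewall or proxy block.
$blocked = @($results | Where-Object { -not $_.TcpTestSucceeded })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) unreachable; review outbound firewall or proxy rules for:" -f $blocked.Count)
    $blocked | ForEach-Object { Write-Warning ("  {0}:{1}" -f $_.ComputerName, $_.Port) }
}
```

Run it from the machine that hosts the gateway, since the result reflects that machine's outbound path only.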

Sign-in account

Users will sign in with either a work or school account. This is your organization account. If you signed up for an Office 365 offering and didn't supply your actual work email, it may look like nancy@contoso.onmicrosoft.com. Your account, within a cloud service, is stored within a tenant in Azure Active Directory (AAD). In most cases, your AAD account's UPN will match the email address.

Windows Service account

The on-premises data gateway is configured to use NT SERVICE\PBIEgwService for the Windows service logon credential. By default, it has the right of Log on as a service. This is in the context of the machine on which you're installing the gateway.

This isn't the account used to connect to on-premises data sources or the work or school account with which you sign in to cloud services.

If you encounter issues with your proxy server due to authentication, you may want to change the Windows service account to a domain-user or managed-service account as proxy configuration describes.

Frequently asked questions

General

Question: What data sources does the gateway support?
Answer: As of this writing:

  • SQL Server
  • SharePoint
  • Oracle
  • Informix
  • Filesystem
  • DB2

Question: Do I need a gateway for data sources in the cloud, such as SQL Azure?
Answer: No. A gateway connects to on-premises data sources only.

Question: What is the actual Windows service called?
Answer: In Services, the gateway is called Power BI Enterprise Gateway Service.

Question: Are there any inbound connections to the gateway from the cloud?
Answer: No. The gateway uses outbound connections to Azure Service Bus.

Question: What if I block outbound connections? What do I need to open?
Answer: See the ports and hosts that the gateway uses.

Question: Does the gateway have to be installed on the same machine as the data source?
Answer: No. The gateway will connect to the data source using the connection information that was provided. Think of the gateway as a client application in this sense. It will just need to be able to connect to the server name that was provided.

Question: What is the latency for running queries to a data source from the gateway? What is the best architecture?
Answer: To reduce network latency, install the gateway as close to the data source as possible. If you can install the gateway on the actual data source, it will minimize the latency introduced. Consider the data centers as well. For example, if your service is using the West US data center and you have SQL Server hosted in an Azure VM, you'll want to have the Azure VM in West US as well. This will minimize latency and avoid egress charges on the Azure VM.

Question: Are there any requirements for network bandwidth?
Answer: It is recommended to have good throughput for your network connection. Every environment is different, and the amount of data being sent will affect the results. Using ExpressRoute could help to guarantee a level of throughput between on-premises and the Azure data centers.

You can use the third-party tool Azure Speed Test app to help gauge what your throughput is.

Question: Can the gateway Windows service run with an Azure Active Directory account?
Answer: No. The Windows service must have a valid Windows account. By default, it will run with the Service SID, NT SERVICE\PBIEgwService.

Question: How are results sent back to the cloud?
Answer: This is done by way of the Azure Service Bus. For more information, see how it works.

Question: Where are my credentials stored?
Answer: The credentials that you enter for a data source are stored encrypted in the gateway cloud service. The credentials are decrypted at the gateway on-premises.

Question: Can I place the gateway in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet)?
Answer: The gateway requires connectivity to the data source. If the data source isn't in your perimeter network, the gateway may not be able to connect to it. For example, the computer that's running SQL Server may not be in your perimeter network, and you can't connect to that computer from the perimeter network. If you placed the gateway in your perimeter network, the gateway wouldn't be able to reach the computer that's running SQL Server.

High availability/disaster recovery

Question: Are there any plans for enabling high availability scenarios with the gateway?
Answer: This is on the roadmap, but we don't have a timeline yet.

Question: What options are available for disaster recovery?
Answer: You can use the recovery key to restore or move a gateway. When you install the gateway, specify the recovery key.

Question: What is the benefit of the recovery key?
Answer: It provides a way to migrate or recover your gateway settings after a disaster.

Troubleshooting

Question: Where are the gateway logs?
Answer: See Tools later in this topic.

Question: How can I see what queries are being sent to the on-premises data source?
Answer: You can enable query tracing, which will include the queries being sent. Remember to change it back to the original value when done troubleshooting. Leaving query tracing enabled will cause the logs to be larger.

You can also look at tools that your data source has for tracing queries. For example, you can use Extended Events or SQL Profiler for SQL Server and Analysis Services.

How the gateway works

When a user interacts with an element that's connected to an on-premises data source:

  1. The cloud service creates a query, along with the encrypted credentials for the data source, and sends the query to the queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data source(s) with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source back to the gateway and then on to the cloud service. The service then uses the results.

Troubleshooting

Update to the latest version

A lot of issues can surface when the gateway version is out of date. It is a good general practice to make sure you are on the latest version. If you haven't updated the gateway for a month, or longer, you may want to consider installing the latest version of the gateway and see if you can reproduce the issue.

Error: Failed to add user to group. (-2147463168 PBIEgwService Performance Log Users )

You may receive this error if you are trying to install the gateway on a domain controller, which isn't supported. You'll need to deploy the gateway on a machine that isn't a domain controller.

Tools

Collecting logs from the gateway configurator

You can collect several logs for the gateway. Always start with the logs!

Installer logs

%localappdata%\Temp\On-premises_data_gateway_*.log

Configuration logs

%localappdata%\Microsoft\on-premises data gateway\GatewayConfigurator*.log

Enterprise gateway service logs

C:\Users\PBIEgwService\AppData\Local\Microsoft\on-premises data gateway\Gateway*.log

Event logs

The On-premises data gateway service event logs are present under Applications and Services Logs.

Fiddler Trace

Fiddler is a free tool from Telerik that monitors HTTP traffic. You can see the back and forth with the Power BI service from the client machine. This may show errors and other related information.