PowerBI Gateway and Proxies

The PowerBI Gateway can be used to connect on-premises database sources into PowerBI, Microsoft Flow, Logic Apps and PowerApps. The advantages are many, and if installed correctly it will work flawlessly. However, the default install of the connector is based on the gateway being able to connect directly to the internet. While it’s the fastest method many organizations do not like the fact that the gateway bypasses their proxy server. And so we come to this next blogpost.. how to make the connector work in combination with a proxy.

The thing to remember for the gateway is that there are two parts of the installation and execution of the gateway connector. Initially the installation, during the install the executable will download additional/newer bits from the internet prior to installing. If the account that you are logged in with does not have internet access, you won’t be able to install the connector at all.

  • The account used to install the gateway connector needs to have internet access

For this, you can configure the proxy settings in Internet Explorer just as you would for a normal user.

Secondly, the account used to register the gateway needs to have internet access AND administrative privileges in PowerBI to perform the registration.

  • The account used to register the gateway connector needs to have internet access and PowerBI administrative access

 

And then comes the harder part. After/during the registration of the connector, the service account (or computer account) will initiate a new connection. Despite what the configuration is for the logged on user, the computer/service account will require internet access and thus a configured proxy setting. If no proxy setting is configured in Internet Explorer for the service account, or no proxy has been configured on system level for the computer account, the registration will show a failure and the connector will not connect. So when the page asking you for the email address pops-up, go into services and change the logon account for the on-premises data gateway service through services.msc and restart the service..

[in fact, the registration of the connector will succeed, as that is done by the logged on user; but the initialisation / finalisation of the configuration will fail]

and because the service account now needs access to the proxy server, make sure the Service Account is configured to use the proxy server.

 

I’ve found its easier to log-on to the server with the service account, configure internet access for the service account and install the connector.

Next is the option to also enforce the gateway to use HTTPS only (by default it will try other protocols which are faster, but aren’t well perceived by many proxy servers) in the latest version of the connector, it will actually have Autodetect as the ServiceBusSystemConnectivityModeString; which in many cases will work too.

This should do the trick..

 

In short:

Login with an account that has the proxy configured to install; Have the proxy configured for the service account, and half way during the install (but before the registration) change the service account.

In case you want to exclude the URL’s from the proxy server inspection (to speed things up), please now that the following URL’s are being used

–          Login.windows.net

–          *.analysis.windows.net

–          *.app.powerbi.com

–          *.cloudapp.net

–          *.core.windows.net

–          *.frontend.clouddatahub.net

–          *.login.windows.net

–          *.login.microsoftonline.com

–          *.microsoftonline-p.com

–          *.msecnd.net

–          *.msfncsi.com

–          *.powerbi.com

–          *.servicebus.windows.net

–          *.symcb.com

–          *.visualstudio.com

–          *.wpc.v0cdn.net

–          Analysis.localytics.com

–          Cdp1.public-trust.com

–          Gpla1.wac.v2cdn.net

–          Hostedocsp.globalsign.com

–          Login.microsoftonline.com

–          Msft.sts.microsoft.com

–          Ocsp.msocsp.com

–          Servicebus.windows.net

–          Symantec.com.edgekey.net

–          Wac.bfdd.psicdn.net

–          http://go.microsoft.com/fwlink/?LinkID=820931 (to download the installer package)

–          http://download.microsoft.com/download/D/A/1/DA1FDDB8-6DA8-4F50-B4D0-18019591E182/GatewayInstall.exe (the actual installer)

These include the OSCP and CRL URL’s for the certificates used..

Tagged , , ,