reinholz

Enterprise Gateway setup - alternative to IP whitelist / wildcard domains?

Hi,

at my company we recently started to use Power BI. We use an on-premise MySQL database that we'd like to get the data from.

I read that to get past our firewall and access the database from Power BI online, we would need to either whitelist the domain names or the Microsoft Azure IP ranges list. https://powerbi.microsoft.com/en-us/documentation/powerbi-gateway-enterprise/

Both ways aren't working for us. Whitelisting the domain names (mentioned in the link above) isn't possible since wildcards are not supported. Our IT admin told me that whitelisting the list of IP ranges also isn't possible, since we don't want to open up our database to such a big (and varying) list of IP ranges.

Is anyone aware of a way to allow Power BI online to get past the firewall of an on-premise database without having to whitelist such a big list of IP ranges?

(I'm neither a developer nor a database specialist. Please keep that in mind when phrasing an answer 😛 )

I appreciate every hint and help I can get, since I really want to make this work!

Thanks for your time!

Sebastian

1 ACCEPTED SOLUTION

@reinholz The complete security whitepaper that your IT dept can look at is here. You don't need to open all the ports, you can just open 443, as stated at the end of the whitepaper.

Which ports are used by Enterprise Gateway and Personal Gateway? Are there any domain names that need to be allowed for connectivity purposes?

For Power BI, the Enterprise Gateway and Personal Gateway use the same ports. All service connections are outbound (from the on-premises listening server), initiated by Service Bus, so there’s no need to open incoming ports on the on-premises server. 

The following steps outline the connection process, where the listener is the on-premises server on which the Enterprise Gateway or Personal Gateway is running:

  1. Upon receiving a connection request from Service Bus, the listener attempts to connect to Service Bus on port 5672.
  2. If connection on port 5672 is not successful, the listener attempts to connect on port 443.
  3. Once the connection is established, the listener will attempt to rendezvous using ports 9350 through 9354.
  4. If rendezvous fails on the 9350 – 9354 port range, then a rendezvous on port 443 is attempted.

As such, the only port requirement for the Enterprise Gateway and Personal Gateway is port 443; however, the other ports listed in the above process will be attempted first, before falling back to port 443.

During the process, the listener will attempt to communicate with domains necessary to establish a secure connection with the Power BI service. In cases where domain connections are blocked unless explicitly allowed, the domains which may need to be added to the approved connection list can be found in the Power BI Gateway documentation.


Looking for more Power BI tips, tricks & tools? Check out PowerBI.tips the site I co-own with Mike Carlo. Also, if you are near SE WI? Join our PUG Milwaukee Brew City PUG
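
Added example (not part of the original post or the whitepaper): a small Python check an administrator could run to see which ports the fallback sequence quoted above would end up using under a given outbound firewall policy. The function names, the low-to-high probing order inside 9350-9354, and the host `servicebus.example.invalid` are assumptions; the real endpoint names come from the Power BI Gateway documentation.

```python
import socket

# Order from the whitepaper steps; low-to-high within 9350-9354 is an assumption.
CONNECT_PORTS = [5672, 443]
RENDEZVOUS_PORTS = [9350, 9351, 9352, 9353, 9354, 443]


def tcp_probe(host, timeout=3.0):
    """Return a probe(port) -> bool that tries a real outbound TCP connect."""
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:  # refused, timed out, filtered, or name not resolved
            return False
    return probe


def first_open(ports, probe):
    """First port in preference order that the probe reports reachable."""
    for port in ports:
        if probe(port):
            return port
    return None


def plan_gateway_egress(probe):
    """Walk the fallback sequence and report which ports would be used."""
    connect = first_open(CONNECT_PORTS, probe)
    # Rendezvous is only attempted once a connection exists (step 3).
    rendezvous = first_open(RENDEZVOUS_PORTS, probe) if connect else None
    return {
        "connect": connect,
        "rendezvous": rendezvous,
        "works": connect is not None and rendezvous is not None,
        "fallback_to_443": connect == 443 or rendezvous == 443,
    }


def policy_probe(allowed_outbound_ports):
    """Offline probe: models a firewall that permits only the given ports."""
    allowed = frozenset(allowed_outbound_ports)
    return lambda port: port in allowed


if __name__ == "__main__":
    print(plan_gateway_egress(policy_probe({443})))  # constructed policy: 443 only
    # Live check from the gateway server (placeholder host, not a real endpoint):
    # print(plan_gateway_egress(tcp_probe("servicebus.example.invalid")))
```

With only outbound 443 permitted the plan still reports `works: True`, while a policy that permits 5672 but neither 443 nor 9350-9354 connects and then fails at rendezvous.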
