Contact Us 1-800-596-4880

Windows Gateway Services Guide - Mule 4

Anypoint Connector for Windows Gateway Services provides connectivity to proprietary functionality on the Windows platform.

Before You Begin

Install Java Cryptography Extensions on the server where Mule is installed. The JCE package is required to allow the Connector to use HTTPS to communicate securely.

For TLS 1.2 to be enabled and negotiated on servers that run Windows Server 2008 R2, you MUST create the DisabledByDefault entry in the appropriate subkey (Client, Server) and set it to "0". The entry does not appear in the registry and it is set to "1" by default.

Install the Windows Gateway Services

Installation requires Windows 2008 Server, Windows 2008 R2 Server, Windows 2012 Server, and .NET Framework 4.5 and newer.

Installation steps:

  1. Download the Windows Gateway Services installer listed in the See Also section of this document.

  2. Unzip the software distribution.

  3. Double-click the Anypoint-Windows-Gateway-Service.exe file.

  4. Click Options to change the installation location, or click Install to start the installation.

  5. To use the MSMQ connector with the Gateway, copy the Authentication Token that is displayed for later use when you configure the connection in Anypoint Studio, otherwise skip this step. After you copy the token, click Install.

  6. After the installation completes, the installer gives you the option to view the readme.txt file with additional instructions.

  7. Click Finish to exit.

  8. The installation creates the Anypoint Gateway Windows service, which the installer starts.

Gateway install wizard

To view the running service in Windows 7, when the Control Panel View by option is set to Small icons, click Control Panel > Administrative Tools > Services. The service appears as:

Services Tool

Configure the Anypoint Gateway

The default install location for the Windows Service is c:\Program Files(x86)\Anypoint Gateway for Windows unless you have chosen another folder when you installed it. This folder contains the Mule.SelfHost.exe executable, the Mule.SelfHost.exe.config configuration file and PowerShell scripts to automate configuration tasks.

Note: If the configuration file doesn’t appear in the folder, in Windows 7, when the Control Panel View by option is set to Small icons, click Control Panel > Folder Options > View > Show hidden files, folders, and drives.

The executable starts a new web server at port 9333 (default), which only accepts secure connections using HTTPS. You can change the port number where the Gateway listens in the following places within the Mule.SelfHost.exe.config configuration file:

    <!-- Configure the service to listen on the following address. -->
    <add key="OwinHostAddress" value="https://+:9333/"/>
      <service behaviorConfiguration="routing"
            <add baseAddress="https://*:9333/router"/>

This web server uses a self-signed SSL certificate auto-generated during installation. The certificate is in the Personal folder of the Local Computer certificate store:

Local Computer certificate store

Because the Windows service relies on http.sys for self-hosting the web server, changes in the port number or SSL certificate require reconfiguring Windows. The Register-SslCert.ps1 PowerShell script in the installation directory handles this task. If the port or certificate changes, run the following command from a PowerShell console:

Register-SslCert.ps1 <certificate-thumbprint> <windows-account> <port>
  • <certificate-thumbprint>: The thumbprint of the SSL certificate. It must be stored in the Personal Folder of the Local Store Account.

  • <windows-account>: Windows User or Group that receives permissions to register the port. The account impersonating the Windows service or console application must be part of this group.

  • <port>: HTTP port – Must be 9333 (default) - Or the port you have set in the configuration file.


Register-SslCert.ps1 a495cbf8c4af496f1ef81efb224c8097d039f922 everyone 9333

About MSMQ Connector Settings

About Security Considerations

For the MSMQ connector running in the Mule Runtime, the service first authenticates the call by inspecting the HTTP Authorization header as specified in RFC 2616.

The authentication is done through this unique security token used by the MSMQ connector. This token is included on every HTTP request to the Gateway using the Mule scheme. The following example shows how MSMQ leverages the Gateway to connect to a specific queue sending the security token as specified in this section:

GET: https://localhost:9333/msmq?count=50
Authorization: mule 3nGdw7W+G1fSO2YBEHDmpo4N1Tg=
Mule-Msmq-Queue-Name: .\private$\out
Mule-Api-Version: 1.0

The authorization token should match on the connector and the Gateway configuration file. The following configuration setting shows how the token is set within the Gateway configuration file Mule.SelfHost.exe.config :

    <!-- Token that must be sent by the Mule connector's client in the Authorization header when accessing the Rest Api. -->
    <add key="mule-auth-token" value="3nGdw7W+G1fSO2YBEHDmpo4N1Tg="/>

When you configure the connector running in the Mule Runtime, set the authorization token value using the Gateway Access Token configuration setting (accessToken attribute at the connector’s XML configuration).

Note: The installer for the Windows Gateway service automatically generates a cryptographically secure token for use by callers upon first install. This token is displayed and placed upon the clipboard during installation for easy copying into a Mule application.

About Impersonating a Windows User Through Custom HTTP Headers

Users executing the call on behalf of a Gateway-served connector authenticate through two custom HTTP headers, mule-impersonate-username and mule-impersonate-password.

These two headers represent the Windows credentials of an existing user in the Active Directory forest where the Windows Gateway service is running, or a local account on the machine hosting the service. When these HTTP headers are included in an HTTP Request, the Windows Gateway service authenticates and impersonates this user before executing the operation required by the connector. This provides the ability to configure the correct access control list permissions using Windows credentials.

About Interaction of MSMQ Connector and Gateway

The following diagram shows the interaction of the MSMQ connector with the Gateway, along with the main components used:

Windows Gateway

About Configuration Settings

In the following table you can find the configuration settings that are only related to the MSMQ connector:

Property Usage


The queue name where unreadable messages are moved to.


The timeout for processing messages since they got retrieved by the connector. When the cleanup task finds a message which timeout expired it moves the message to the main queue to be available back again (for details check two phase commit section at the connector’s guide).


The timeout for invalid messages for when a payload of a message is parsed with an incorrect formatter.


The delay of the cleanup task to start looking for expired messages after they got retrieved for processing (for details check two phase commit section at the connector’s guide).


(Optional) The user to impersonate when running the cleanup task. If you choose to leave this setting empty then the user account running the service will be used.


(Optional) The password for the user to impersonate when running the cleanup task.

About Impersonating a Windows User From a Remote Queue

When your queue is marked to require authentication then you can impersonate the caller user as specified above (in the same general section). In addition to this, if you work with a remote queue the connector has a particular header to override this behavior.

About a Load Balanced Configuration

Windows Gateway Services supports running in a load-balanced configuration to allow for fault tolerance. When running multiple gateway services instances, each member should be configured to perform MSMQ background jobs at a non-overlapping interval.

MSMQ background job processing is by default performed every 10 minutes starting at zero minutes past the hour. To prevent multiple gateway instances simultaneously attempting to perform cleanup on the queues when running in load-balanced configuration, a setting called cleanup-delay should be specified on each gateway instance. The recommended value to use for this on each machine is (10 / instanceCount) * (instanceNumber - 1) where instanceNumber is an integer value 1..n.

For example, a cluster of 2 machines would use cleanup-delay of 0 on machine 1, 5 on machine 2. A cluster of 3 machines would use cleanup-delay of 0 on machine 1, 3 on machine 2, and 6 on machine 3. Machine clocks should be synchronized by NTP or equivalent mechanism to ensure this offset is applied correctly.

The cleanup-delay setting is found in the Mule.SelfHost.config file:

    <!-- MSMQ: Delay in minutes to launch the cleanup process for sub-queues -->
    <add key="cleanup-delay" value="0"/>

Note: When running in LB configuration the gateway services should be configured to run as 'Administrator' when the nodes involved (MSMQ, gateways) are under a WORKGROUP but not joined to a DOMAIN. When joined to the same DOMAIN the permissions for each of the nodes and objects involved (queues) should be correctly set by the domain’s administrator.

Windows Gateway Service Troubleshooting

The Windows Gateway service leverages the built-in .NET tracing system. The basic premise is simple, tracing messages are sent through switches to listeners, which are tied to a specific storage medium. The listeners for the trace source used by the connector are available in the configuration file:

   <add name="console" type="System.Diagnostics.ConsoleTraceListener" />
   <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="mule.gateway.log" />
   <add name="etw" type="System.Diagnostics.Eventing.EventProviderTraceListener, System.Core, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" initializeData="{47EA5BF3-802B-4351-9EED-7A96485323AC}" />

    <source name="mule.gateway">
            <clear />
            <add name="console" />
            <add name="etw"/>

The previous example configures three listeners for the output console, for files, and for Event Tracing for Windows (ETW). The trace source for the connector mule.gateway is configured to output the traces to the console and ETW only.

To Change the Tracing Level

The Windows Gateway Services is configured to log Information events. This is configured under the <switches> element. If you want to log everything, you should use the Verbose level, by changing it in the configuration element shown below.

Configure the levels at switch level in the configuration file:

    <add name="mule.gateway" value="Information" />

Other possible levels are:

  • Error: Output error handling messages

  • Warning: Output warnings and error handling messages

  • Information: Output informational messages, warnings, and error handling messages

  • Off: Disable tracing

If you want to trace or debug the routing service within the Windows Gateway Services, there is a setting that you can enable to get more details about the error that was generated while hitting the routing service. If you want to get this information at the tracing listeners, enable it using the includeExceptionDetailInFaults attribute from the serviceDebug element. To achieve this, you need to set its value to true as shown below:

  <behavior name="routing">
    <serviceDebug includeExceptionDetailInFaults="true" />

This setting extends the error message returned by the service and adds an internal stack trace of the cause, which in some scenarios may help you understand what the issue or problem is.

To Enable Console Tracing From the Command Line

A useful way to troubleshoot issues is to enable the console listener (by default it is, but if not then you should add it to the listeners section shown above), and run the Windows Gateway Services from the command line.

Within the console you can see real time information that is being traced, like requests, responses, and some warnings or errors. These are useful to see if the connector is reaching the Gateway properly, or other possibles causes that could be generating a fault.

  1. To enable the console listener, in case it is not, add it to the listeners collection:

        <source name="mule.gateway">
                <clear />
                <add name="console" />
  2. To run from the command line, stop the Anypoint Gateway service.

  3. Go to the folder where Anypoint Gateway service is installed, which by default is c:\Program Files(x86)\Anypoint Gateway for Windows.

  4. Run the Mule.SelfHost.exe application. This starts running a console and displays tracing events within it in real time.

  5. When you are done troubleshooting, close this console and restart the windows service.

To Enable Event Tracing for Windows

Event Tracing for Windows (ETW) is a very efficient built-in publish and subscribe mechanism for doing event tracing at the kernel level. There is little overhead in using this feature compared to other traditional tracing solutions that rely on I/O for storing the traces in persistence storage such as files or databases. As a built-in mechanism in Windows, many of the operating systems services and components use this feature as well. For that reason, not only can you troubleshoot the application but also many of the OS components involved in the same execution.

In ETW, there are applications publishing events in queues (or providers) and other applications consuming events from those queues in real-time through ETW sessions. When an event is published in a provider, it goes nowhere unless there is a session collecting events on that queue. (The events are not persisted).

The tracing system in .NET includes a trace listener for ETW, EventProviderTraceListener, which you can configure with a session identifier, which ETW uses to collect traces:

   <add name="etw"type="System.Diagnostics.Eventing.EventProviderTraceListener, System.Core, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" initializeData="{47EA5BF3-802B-4351-9EED-7A96485323AC}"/>

In the example, the session is associated with this identifier:

To Collect Session Traces

  1. Open a Windows console and run this command to start a new session:

    logman start mysession -p {47EA5BF3-802B-4351-9EED-7A96485323AC} -o etwtrace.etl -ets
  2. Run this command to stop the session:

    logman stop mysession -ets

    This generates the etwtrace.etl file with the tracing session data.

  3. Run this command to generate a human readable file:

    tracerpt etwtrace.etl

This command transfers useful information into the dumpfile.xml text file. For more information, see Tracerpt.

See Also

View on GitHub