
Can Public Security Gateway be installed on the same machine DT Managed is running on?

Hi guys,

Is it possible to install Public Security Gateway on the same Linux machine that runs the DT Managed? I didn't find this issue in the documentation.

Thanks in advance

Yos

8 REPLIES 8

kristof_renders
Dynatrace Pro

Hi Yos,

Every Managed node already comes with a SGW embedded on the box, so there is no need for that.

KR,
Kristof

Hi kristof

Can this Security Gateway be used for agentless web applications sending their UEM beacons and web checks?

Yos

Hi Yos,

For this you will need an additional SGW that has to be separated from the cluster node.

KR,
Kristof

krzysztof_szynt
Advisor

Hi,

Actually it is possible to use the node gateway as a beacon forwarder. In such a case though, we would rather recommend not exposing the node directly but setting up a Load Balancer in front - for security and SSL traffic offloading.

Here are some implications of having the node gateway as beacon forwarder:

- Without an LB, it means exposing the Dynatrace Managed node to the internet - cluster security may be a concern.
- You may encounter scalability issues - for a high volume of beacons (especially for agentless RUM), the SSL handshake handling can be costly. To handle that, you'd need to add an entire managed node as opposed to just scaling the PMSG independently. Here is another reason why an LB in front is a good idea.
- Updates of gateways on the nodes are coupled with cluster updates, usually it happens more often. You have greater flexibility with a separate PMSG - even if the cluster is down during maintenance, for some time the PMSG can cache incoming beacons.

The more you learn! Thanks Krzys

Hi Krzysztof,

Thanks for the information!

Since this is a POC and the prospect asks for it ... we will go for it 🙂

What do we need to do, if at all, in order to set the node gateway to be a beacon forwarder?

Yos

Hi,
You don't need to do anything special about the gateways, but the nodes need to have public IPs and you need to have a domain for the cluster with a valid SSL certificate. You could use the auto-generated cluster domain for this (again, it has consequences - coupling the cluster web UI access domain with the domain used for the beacons - for PMSG you could easily have a separate domain).

In any case, if the prerequisites are met, you only need to configure "Security Gateway URL" under Settings/public endpoints. The node SG is listening on port 8443 and you have to specify this as part of the URL.

Let me reiterate - without a Load Balancer layer, such a setup is not very flexible and not something I would recommend to a customer.

regards,
Krzysztof

Thanks Krzysztof

I was trying to convince the prospect to prepare another machine but with no success.

Prospect and customer are always right 🙂

Yos