How does the OneAgent communicate if there are multiple security gateways involved?

amoreno
Newcomer

I have 5 different physical networks where a Security Gateway would need to be installed. These networks are not connected for security reasons.

How does the OneAgent connect to the corresponding gateway within the network?

Does it wait for the first response from the list of security gateways in its configuration? If so, is there a way to configure the client to connect to a specific gateway?

(Also note: We'd like to have a pair of security gateways in each network for redundancy.)

helmut_spiegl
Helper

The agents know all security gateways (and all possible connection points like host names and IP addresses) and use those they can connect to. In case multiple security gateways are reachable from an agent, it uses them round robin. So in your case, just install two security gateways in every physical network to get fail-over as well.

tarjei_utnes
Organizer

For Dynatrace Managed, can multiple environments share the same security gateway? Or can you run multiple security gateways on the same server?

Radoslaw_Szulgo
Dynatrace Guru

Well, basically you start Dynatrace Managed with one cluster node = one security gateway. You can have multiple environments on it, so yes, environments can share the same SG.

Senior Product Manager,
Dynatrace Managed expert

So how do you go about installing the second Security Gateway on the server?

I do not see an "instance" command line option as it is on the AppMon Collector.

Radoslaw_Szulgo
Dynatrace Guru

In Managed you can install either an additional cluster node with all components (server, Cassandra, Elasticsearch, security gateway, ...) or an additional security gateway on a separate host. And then the story goes as Helmut wrote earlier.

Senior Product Manager,
Dynatrace Managed expert

tarjei_utnes
Organizer

So will this setup be possible?

As far as I can see there is nowhere in the documentation where this is clearly stated.

Security gateway 1 has multiple agents going to multiple tenants connected to it.

Sort of a full mesh between tenants and Security Gateways.

helmut_spiegl
Helper

In Dynatrace Managed you can install two different kinds of Security Gateways: a Private Security Gateway, which serves just one environment (tenant), or a Public Security Gateway, which serves all existing environments. The Security Gateways which are pre-installed on cluster nodes are public ones. So I guess what you are looking for is the Managed Public Security Gateway.

Is this documented anywhere?

A bit late, but here is the documentation on Security Gateways.

tarjei_utnes
Organizer

Is there any way of "forcing" usage of the private security gateway? (This is for security and compliance criteria.)

Private SGWs do have priority over managed and public ones. As long as at least one private SGW can be connected to, the agents would not use managed or public ones.

Good Morning.

One stupid question. What is the difference between a public and a private Security Gateway? I learned myself that the install script downloaded from the admin pane, pgw*.sh, is not shown in the deployment status from the normal view. The Security Gateway install script from the deployment status is not shown in the clusteradmin view.

Which SGW is for what purpose?

Best,
Jan

Actually a public SGW can never be installed by the user (maybe I should not have mentioned it here). It is part of our SaaS infrastructure and also present on all cluster nodes of Dynatrace Managed. For SaaS you can only install private SGWs, which are for exactly one tenant/environment. For Managed you can choose between a private SGW (does exactly the same as the SaaS version) and a public managed one. The latter supports all the environments of the cluster.

jan_palic
Guide

Hi all,

If one has two security gateways and one security gateway is uninstalled, how long does the information for the ruxit persist?

I noticed that after uninstalling one of the two security gateways the IP addresses persist in the ruxitagent.conf. In my case this led to errors while httpd parsed its configuration files. :-(

Best,
Jan

helmut_spiegl
Helper

Offline SGWs are memorized for 7 days. Besides sending an unsuccessful connection request from time to time, agents should not be affected.
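The selection behaviour described in this thread (private SGWs preferred over managed and public ones as long as one is reachable, round robin among the reachable gateways of that kind, and unreachable gateways retained for a retention window before they are forgotten) can be modelled in a few lines. The following is an added illustration written for this page, not Dynatrace's own OneAgent code; the gateway names, the sample timestamps and the `Gateway` record layout are constructed for the example, and the retention window is a parameter because the thread quotes 48 hours for the version in use and 7 days for newer versions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import cycle
from typing import Dict, List

# Retention of gateways that can no longer be reached. The thread quotes
# 48 hours for the version discussed and 7 days for newer versions.
OFFLINE_RETENTION = timedelta(days=7)

# Priority order quoted in the thread: private gateways win over managed
# and public ones as long as at least one private gateway is reachable.
KIND_PRIORITY = {"private": 0, "managed": 1, "public": 2}


@dataclass
class Gateway:
    name: str            # constructed label, not a real hostname
    kind: str            # "private", "managed" or "public"
    reachable: bool      # outcome of the agent's last connection attempt
    last_seen: datetime  # when the agent last connected successfully


def prune_stale(gateways: List[Gateway], now: datetime,
                retention: timedelta = OFFLINE_RETENTION) -> List[Gateway]:
    """Forget gateways that have been unreachable longer than the retention window.

    Reachable gateways are always kept; an unreachable one survives only while
    `now - last_seen` is still inside the window, which is why stale entries
    linger in the agent's configuration for a while after an uninstall.
    """
    return [g for g in gateways if g.reachable or now - g.last_seen <= retention]


def candidates(gateways: List[Gateway], now: datetime) -> List[Gateway]:
    """Reachable gateways of the best-priority kind that has any reachable member."""
    live = [g for g in prune_stale(gateways, now) if g.reachable]
    if not live:
        return []
    best = min(KIND_PRIORITY[g.kind] for g in live)
    return [g for g in live if KIND_PRIORITY[g.kind] == best]


def round_robin(gateways: List[Gateway], now: datetime, count: int) -> List[str]:
    """Return the next `count` connection targets, cycling over the candidate set."""
    pool = candidates(gateways, now)
    if not pool:
        return []
    targets = cycle(pool)
    return [next(targets).name for _ in range(count)]


# Constructed sample: two reachable private SGWs, one reachable public SGW on a
# cluster node, and one private SGW that was uninstalled 10 days ago.
SAMPLE_NOW = datetime(2024, 1, 10, 8, 0)
SAMPLE_GATEWAYS = [
    Gateway("priv-a", "private", True, SAMPLE_NOW),
    Gateway("priv-b", "private", True, SAMPLE_NOW),
    Gateway("pub-node1", "public", True, SAMPLE_NOW),
    Gateway("priv-old", "private", False, SAMPLE_NOW - timedelta(days=10)),
]


def demo_selection() -> Dict[str, List[str]]:
    """Run the model on the constructed sample and return what an agent would do."""
    non_private = [g for g in SAMPLE_GATEWAYS if g.kind != "private"]
    return {
        # the 10-day-old entry has aged out of the 7-day window
        "retained": [g.name for g in prune_stale(SAMPLE_GATEWAYS, SAMPLE_NOW)],
        # private gateways alternate; the public one is never chosen while they are up
        "targets": round_robin(SAMPLE_GATEWAYS, SAMPLE_NOW, 4),
        # with no private gateway available the agent falls back to the public one
        "fallback": round_robin(non_private, SAMPLE_NOW, 2),
    }


if __name__ == "__main__":
    for key, value in demo_selection().items():
        print(f"{key}: {value}")
```

Passing `retention=timedelta(hours=48)` to `prune_stale` reproduces the shorter window Jan was told about in his support ticket; the rest of the logic is unchanged.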

Good Morning, @Helmut S..

We noticed one weird thing:
We had installed a Security Gateway accidentally on a wrong server, but it connected well with the Dynatrace Server. I uninstalled it, and afterwards I installed a Security Gateway on the right server (the right server is in a DMZ, the wrong server is not).
Anyway, if the Security Gateway is offline, the OneAgent on a server inside the DMZ cannot connect to the Dynatrace server (for sure), and after starting the OneAgent, a monitored Apache 2.2 runs well.
If the Security Gateway inside the DMZ is online AND the OneAgent is restarted, it finds the Security Gateway and gets a new ruxitagent.conf with additional wrong information for the Server directive. If this happens, the OneAgent breaks the httpd.conf of the Apache 2.2 and it will not reload/restart anymore.
We do not notice it with Apache 2.4, and in this case we have an appliance using the older version; we cannot update without breaking the support for the appliance.

Is there a way to flush the Security Gateway information inside the Dynatrace Server?

Best regards,
Jan

helmut_spiegl
Helper

Do you use Dynatrace SaaS or Managed?
Anyhow, it should never happen that the httpd.conf gets broken somehow. Could you please additionally open a support ticket?

Hi @Helmut S.,

I did. The status is to wait at least 48h, because the SGWs are memorized for two days (as they said in the ticket), and try it again afterwards and look for the errors we noticed yesterday.
We will see and I will let you know the news.

Best regards,
Jan

Hi @Helmut S.,

Just to keep you informed.
We lost the old and wrong information and the ruxitagent.conf seems to be ok. As a result, the Apache 2.2 has a working configuration and everything seems to be ok.

The time is 48h until the wrong information disappears.

Best,
Jan

Thank you. (Luckily) it was 2 days in the version you are currently using. Newer versions will use 7 days.