I have 5 different physical networks where a Security Gateway would need to be installed. These networks are not connected for security reasons.
How does the OneAgent connect to the corresponding gateway within the network?
Does it wait for the first response from the list of security gateways in its configuration? If so, is there a way to configure the client to connect to a specific gateway?
(Also note: We'd like to have a pair of security gateways in each network for redundancy.)
The agents know all security gateways (and all possible connection points like host names and IP addresses) and use those which they can connect to. In case multiple security gateways are reachable from an agent, it uses them round robin. So in your case just install two security gateways in every physical network to get fail-over as well.
Well, basically you start with Dynatrace Managed with one cluster node = one security gateway. You can have multiple environments on that - so yes, environments can share the same SG.
In Managed you can install either an additional cluster node with all components - server, Cassandra, Elasticsearch, security gateway - or install an additional security gateway on a separate host. And then the story goes as Helmut wrote earlier.
So will this setup be possible?
As far as I can see there is nowhere in the documentation where this is clearly stated.
Security gateway 1 has multiple agents going to multiple tenants connected to it.
Sort of a full mesh Tenant - Security Gateway.
In Dynatrace Managed you can install two different kinds of Security Gateways. A Private Security Gateway, which serves just one environment (tenant) or a Public Security Gateway, which serves all existing environments. The Security Gateways which are pre-installed on cluster nodes are public ones. So I guess what you are looking for is the Managed Public Security Gateway.
One stupid question. What is the difference between a public and a private Security Gateway? I learned for myself that the install script downloaded from the admin pane, pgw*.sh, is not shown in the deployment status from the normal view. The Security Gateway install script from the deployment status is not shown in the clusteradmin view.
Which SGW is for what purpose?
Actually a public SGW can never be installed by the user (maybe I should not have mentioned it here). It is part of our SaaS infrastructure and also present on all cluster nodes of Dynatrace Managed. For SaaS you can only install private SGWs, which are just for exactly one tenant/environment. For Managed you can choose between a private SGW (does exactly the same as the SaaS version) and a public managed one. The latter supports all the environments of the cluster.
If one has two security gateways and one security gateway is deinstalled, how long does the information for the ruxit persist?
I noticed that after uninstalling one of the two security gateways, the IP addresses persist in the ruxitagent.conf. In my case this led to errors while httpd parses its configuration files. ,-(
Good Morning, @Helmut S..
We notice one weird thing:
We had installed a Security Gateway accidentally on a wrong server, but it connected well with the Dynatrace Server. I uninstalled it; afterwards I installed a Security Gateway on the right server (the right server is in a DMZ, the wrong server not).
Anyway, if the Security Gateway is offline, the OneAgent on a server inside the DMZ may not connect to the Dynatrace server (for sure) and after starting the OneAgent, a monitored Apache 2.2 runs well.
If the Security Gateway inside the DMZ is online AND the OneAgent is restarted, it finds the Security Gateway and gets a new ruxitagent.conf with additional wrong information for the Server directive. If this happens, the OneAgent breaks the httpd.conf of the Apache 2.2 and it will not reload/restart anymore.
We do not notice it with Apache 2.4 and we have in this case an appliance using the older version; we cannot update without breaking the support for the appliance.
Is there a way to flush the Security Gateway information inside the Dynatrace Server?