
Multi-IP security Gateway communication

gautier_begin
Advisor

Hello,

I have installed a Private Security Gateway having 2 different IP addresses mapped to 2 different hostnames in a DMZ. By network design, the OneAgents behind this Gateway can only communicate with a single hostname/IP of this Gateway. The Gateway can only communicate with the Managed Cluster with one of its IPs/hostnames.

The issues I met:

- Very long time for OneAgents to be recognized by the Dynatrace Cluster because they test all the possible addresses of the infrastructure till one is working. I'm afraid the agents could renew this operation at a regular schedule.

- The Security Gateway is known in the Tenant with its "wrong" hostname.

- The Security Gateway tries to use the wrong IP or hostname to communicate with the Cluster.

What I tried without result:

- Installing the agent with the SERVER option containing only the good IP address of the Private Security Gateway: At the first connection, the agent gets all the GWs and Cluster servers of the infra and tries to use them.

- During the Private Security Gateway installation, using the DNSENTRYPOINT argument with the good hostname or IP of the GW. The Gateway refuses to connect to the Cluster and then stops.

So my questions:

- How to oblige a Private Gateway to use an IP address and a hostname when 2 exist on the machine.

- How to oblige a OneAgent to use an IP address and a hostname when 2 exist on the machine.

- How to oblige a Private Gateway to communicate with a fixed set of GWs/Cluster Servers.

- How to oblige a OneAgent to communicate with a fixed set of GWs/Cluster Servers.

- What the argument DNSENTRYPOINT is done for.

Regards,

7 REPLIES 7

Zbigniew_Wroble
Dynatrace Participant

Hi,

Using DNSENTRYPOINT is a good idea. You can specify the parameter during installation or after that directly in the file config.properties (or custom.properties since SG 1.135) as dnsEntryPoint, e.g.

[connectivity]
dnsEntryPoint= https://192.168.100.100:9999

A restart of the SG is required.

You should do it on your private SG and on Managed Node.

About: "Private Security Gateway installation, using the DNSENTRYPOINT argument with the good hostname or IP of the GW. The Gateway refuses to connect to the Cluster and then stops."

This should not happen, please attach logs, we would like to look closer.

Regards,

gautier_begin
Advisor

Hello,

Excuse me, that's a bit confusing, which address to put in whose config file?

In the case I have one of these architectures

Cluster Node (Address A) <= Public Gateway (Address B) <= Private Gateway (Address C) <= Agent (Address D)

Cluster Node (Address A) <= Private Gateway (Address C) <= Agent (Address D)

Regards,

Zbigniew_Wroble
Dynatrace Participant

When a Private Gateway has 2 addresses C1 and C2 and dnsEntryPoint=Address C1, then it will be known to other components only with Address C1.

In your cases:

Cluster Node (dnsEntryPoint=Address A - in SG on Node) <= Public Gateway (dnsEntryPoint=Address B) <= Private Gateway (dnsEntryPoint=Address C) <= Agent (Address D)

Cluster Node (dnsEntryPoint=Address A - in SG on Node ) <= Private Gateway (dnsEntryPoint=Address C) <= Agent (Address D)

Regards
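A way to check, before restarting a multi-homed gateway, that the address set in dnsEntryPoint is one that agents can actually reach. This is an added example, not code from the thread or from Dynatrace; it assumes the file follows the `[connectivity]` layout quoted above, and the function names, the `reachable_addrs` list and the `known_hosts` mapping (a stand-in for DNS so the check runs offline) are hypothetical.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the snippet quoted in the answer above.
SAMPLE_PROPERTIES = """\
[connectivity]
dnsEntryPoint= https://192.168.100.100:9999
"""

def read_entry_point(text):
    """Return (host, port) from dnsEntryPoint in [connectivity], or None if unset."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    raw = cp.get("connectivity", "dnsEntryPoint", fallback=None)
    if raw is None:
        return None
    url = urlsplit(raw.strip())
    if not url.hostname:
        # Covers values written without a scheme, e.g. "192.168.100.100:9999".
        raise ValueError(f"dnsEntryPoint is not a URL with a host: {raw!r}")
    return url.hostname, url.port

def check_entry_point(text, reachable_addrs, known_hosts=None):
    """Compare the advertised entry point with the addresses agents may use.

    reachable_addrs: gateway IPs that the network design exposes to agents.
    known_hosts: hostname -> IP mapping used instead of a live DNS lookup.
    """
    entry = read_entry_point(text)
    if entry is None:
        return "unset: dnsEntryPoint is not configured"
    host, _port = entry
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal, so treat it as a hostname.
        resolved = (known_hosts or {}).get(host)
        if resolved is None:
            return f"unknown: {host} is not in known_hosts"
        ip = ipaddress.ip_address(resolved)
    allowed = {ipaddress.ip_address(a) for a in reachable_addrs}
    return "ok" if ip in allowed else f"mismatch: {ip} is not reachable by agents"
```
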

We have all the required communication from the Security Gateway server to the managed 3-node cluster. But when we try to install the Security Gateway, it is not able to connect to the cluster. Both the managed cluster server and the Security Gateway server have multiple NICs. Kindly help how to solve this issue.

hmor3
Inactive

Hi Guys,

Is this dnsEntryPoint option available in the OneAgent config file as well?

Can I restrict my OneAgent to communicate via a fixed IP (out of multiple IPs on the OneAgent machine)?

Thanks

Himanshu Mor

himanshumor
Inactive

Hi Guys,

I can see the below entry in the ruxitagentnetwork.conf file in the conf folder of the OneAgent installation directory:

# The list of interfaces to sniff on, special value 'any' means all Ethernet interfaces.
# Default: any
#interfaces eth0

So by specifying a specific interface, can I restrict my OneAgent to send monitoring traffic over a specific interface only, like eth6 etc.?

Thanks

HM
