
Restricting OneAgent to a specific security gateway server

barryla
Helper

Hi, we have multiple application sites in our environment and we have private security gateway servers installed in each of the sites. I would like to know if I can restrict servers in site A to point to the private security gateway in site A only and similarly, restrict servers in site B to connect to security gateway server in site B only. If security gateway server in site A goes down, we will not want the OneAgents to connect to site B, we are willing to risk losing data (or we will create 2 security gateway servers per site for failover). We do not want multiple tenants. Please advise if this is possible and if you can point me to any articles, it would be appreciated.

14 REPLIES

max_kohler1
Dynatrace Helper

Hey @Barry L.,

As of today, as soon as the OneAgent connects to the cluster it will get a list of all SGWs and it will cycle through the list until it finds a SGW to connect to. (Internal priority: Private > Public Managed > Public)

Our R&D department is working on a solution to route agent traffic to specific SGWs. I heard that this feature should arrive around Q3 of 2018.

The current workaround is to put firewall rules in place that prevent the agent from connecting to SGWs that you don't want it to connect to.

I hope that helps.

Best,

Max

Hi @Max K., do you know if this feature is now available? I can't find documentation on it.


Using the firewall will slow down the problem boot.

hayden_miedema
Inactive

Hi Barry,

As Max mentioned, this has to currently be done using firewall rules. I just wanted to add here to confirm that we do this pretty extensively currently at my deployment and it works nicely. You can put rules on the hosts with agents to only allow sending over the SGW port (9999) to the IP address of your gateway.

HTH,

Hayden

Thanks, this is a logistical nightmare...

Hi Hayden - Just curious on how you put rules on the hosts with agents to only allow .... without setting the network firewall rules? Were you talking about the OS firewall rules to block outbound to other SGWs?


Alpa_Patel
Guide

@Max K. how can I find out when the feature to route OneAgent traffic to a specific ActiveGate is available?


I ran into the same issue. Can you share in which release version this feature is put in?


ArunThilak_Rama
Contributor

+1

Can you please share the ETA of this feature?


joshua_pavlica
Dynatrace Champion
Hello, Alpa P.!


This feature is currently in a closed Private Preview program. There isn't a specific ETA to share right now, but please be sure that the team is working on getting this feature to GA!

Kind regards,
Joshua P.


Thank you Joshua 🙂


Hi Joshua, can you please advise on the progress of the Private Preview, is this in EAP as yet? How can I get access to this?

Hello, Barry L.!

The last thing I heard was that GA of this feature is planned for Calendar Year Quarter 2 or 3 of 2020. As specific versions get narrowed down and I'm able to share more, I will! @Karl A. is someone who may know more.

Kind regards,
Joshua P.

Enrico_F
DynaMight Pro

There's currently a workaround:

In file /opt/dynatrace/oneagent/agent/conf/ruxitagentproc.conf locate the line starting with

serverAddress

and append the AG URLs in the priority you want them to be used, e.g.

serverAddress https://cag01.mydomain.com:9999/communication;https://cag02.mydomain.com:9999/communication 

We use this in order to speed up container deployments with K8s app-only monitoring as otherwise the OneAgent would try several unreachable AGs (waiting for connection timeouts to occur with each attempt) which will delay the whole container startup for no good reason.
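
An added example, not part of the thread and not Dynatrace code: a shell check that reads the serverAddress line from an agent config file and reports any gateway that is not on the site's allow-list. It assumes the line has exactly the form shown in the post above (key, whitespace, semicolon-separated URLs); the function names are made up for this sketch.

```shell
#!/bin/sh
# Audit the serverAddress line of a OneAgent config file against a
# per-site allow-list of gateways (added example, hypothetical helpers).
# Assumed line format, as quoted in the post above:
#   serverAddress <url>;<url>;...

# list_gateway_hosts CONF
# Prints one lower-cased "host:port" per endpoint on the serverAddress line.
list_gateway_hosts() {
    conf=$1
    # Use the last serverAddress line, drop the key, split on ';',
    # then strip the URL scheme and the path from every entry.
    grep -E '^[[:space:]]*serverAddress[[:space:]]' "$conf" | tail -n 1 |
        sed -E 's/^[[:space:]]*serverAddress[[:space:]]+//' |
        tr ';' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' |
        grep -v '^$' |
        sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##; s#/.*$##' |
        tr 'A-Z' 'a-z'
}

# audit_gateways CONF ALLOWED_HOST_PORT...
# Prints every configured endpoint that is not on the allow-list.
# Returns 0 if all endpoints are allowed, 1 if any is not,
# 2 if no serverAddress entries were found.
audit_gateways() {
    conf=$1
    shift
    hosts=$(list_gateway_hosts "$conf")
    if [ -z "$hosts" ]; then
        echo "no serverAddress entries found in $conf" >&2
        return 2
    fi
    rc=0
    for h in $hosts; do
        ok=no
        for a in "$@"; do
            if [ "$h" = "$a" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then
            echo "unexpected gateway: $h"
            rc=1
        fi
    done
    return $rc
}
```

For a site A host, `audit_gateways /opt/dynatrace/oneagent/agent/conf/ruxitagentproc.conf cag01.mydomain.com:9999` exits non-zero and names cag02 if the line still lists both gateways from the post.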