we have an Dynatrace Managed Server up and running and want to use synthetic monitoring to finalize our setup.
To do so, we need to install a public security gateway.
If I understand this correctly we need a public IP as well as a domain with SSL cert to use synthetic monitoring. But at the end of the posted link is written that a public IP is enough. So my first question would be, is a public IP enough or not?
My second question is more important. Do we really need to open up the port 443 for the public security gateway? My customer has security concerns on that or will there be a 2-way-tls handshake after generating the cert in the management console? We really want to use the same host on which the Dynatrace Server is located but it looks like this won't be possible due to security.
Is it possible to find 443 inbound to some specific IP addresses?
Would be nice if you can offer some more information on this part.
Thanks a lot in advance,
Solved! Go to Solution.
We just completed this setup in our environment too.
To address our security concerns we installed the security gateway on a separate server in our internal network and setup a proxy server in the DMZ then only opened port 9999 between the internet and DMZ and port 9999 between the DMZ and the security gateway.
The security gateway then serves two purposes; handling the internet traffic and consolidating traffic in our environment to the Dynatrace Managed server.
The management console allows you to generate separate certificates for both the Server/UI and the Public Security Gateway, so you only need the public IP, Dynatrace will generate the domain name and the certificate and manage that for you.
As for your question around the certificate, port and handshake, I'm not entirely sure, but I would speculate that port 9999 would be used even if installed on the same server, and a different certificate would also be used.
Dynatrace recommends having security gateway even if it's not made public, we actually installed 3 of them on various existing servers, just to have some redundancy without making the Dyantrace server itself redundant. *NOTE: If you do this and make one of them public, Dynatrace will "complain" that all of them should have a public IP, but we are just living with the warning. This is because Dynatrace manages the domain name and certificate for the public IP.
Hope that helps,
Hi Matthew I have question on this . We want to use public gateway for mobile application .What If I installed public security gateway on server located in DMZ itself instead of having proxy server .And from Security gateway server I will open port 8443 to our manage server . Will this work for my solution .
I talked with the Dynatrace support yesterday and indeed only the port 9999 is needed for outbound traffic, not 443. 443 is only mentioned in the documentation to clarify, that this is a https connection. That was a little bit missleading.
Further I was told that it is possible to restrict incoming requests to 9999 by IP's of those data centers I would like to make the synthetic checks.
Thanks for the extensive answer Matthew! 🙂