Security concerns on public security gateway for Dynatrace managed

stephan_dannewi

Hello Dynatrace-Community,

we have a Dynatrace Managed Server up and running and want to use synthetic monitoring to finalize our setup.
To do so, we need to install a public security gateway.

https://www.dynatrace.com/support/help/shortlink/managed-communication-endpoints#communication-from-...

If I understand this correctly, we need a public IP as well as a domain with an SSL cert to use synthetic monitoring. But at the end of the linked page it is written that a public IP is enough. So my first question would be: is a public IP enough or not?


My second question is more important. Do we really need to open up port 443 for the public security gateway? My customer has security concerns about that. Or will there be a 2-way TLS handshake after generating the cert in the management console? We really want to use the same host on which the Dynatrace Server is located, but it looks like this won't be possible due to security.

Is it possible to bind 443 inbound to some specific IP addresses?

It would be nice if you could offer some more information on this part.

Thanks a lot in advance,

Stephan


matt_brend1

Hello Stephan,

We just completed this setup in our environment too.

To address our security concerns we installed the security gateway on a separate server in our internal network and set up a proxy server in the DMZ, then only opened port 9999 between the internet and the DMZ and port 9999 between the DMZ and the security gateway.

The security gateway then serves two purposes: handling the internet traffic and consolidating traffic in our environment to the Dynatrace Managed server.

The management console allows you to generate separate certificates for both the Server/UI and the Public Security Gateway, so you only need the public IP, Dynatrace will generate the domain name and the certificate and manage that for you.

As for your question around the certificate, port and handshake, I'm not entirely sure, but I would speculate that port 9999 would be used even if installed on the same server, and a different certificate would also be used.

Dynatrace recommends having a security gateway even if it's not made public; we actually installed 3 of them on various existing servers, just to have some redundancy without making the Dynatrace server itself redundant. *NOTE: If you do this and make one of them public, Dynatrace will "complain" that all of them should have a public IP, but we are just living with the warning. This is because Dynatrace manages the domain name and certificate for the public IP.

Hope that helps,

Matthew

pshinde

Hi Matthew, I have a question on this. We want to use the public gateway for a mobile application. What if I install the public security gateway on a server located in the DMZ itself instead of having a proxy server, and from the security gateway server I open port 8443 to our managed server? Will this work for my solution?

That is correct. Internet-9999-DMZ-8443-DynatraceServer.

Hi Matthew, one more question on this. Users want to use the new Dynatrace alert feature which we can see in the Dynatrace mobile application. Do we need a public gateway in that case? How should it be set up ideally?

I believe you're asking about using the mobile app with managed? See this blog post:

https://www.dynatrace.com/news/blog/dynatrace-managed-customers-can-now-receive-notifications-via-the-dynatrace-mobile-app/

The steps do say you need a publicly accessible security gateway set up.

James

stephan_dannewi

I talked with Dynatrace support yesterday and indeed only port 9999 is needed for outbound traffic, not 443. 443 is only mentioned in the documentation to clarify that this is an HTTPS connection. That was a little bit misleading.

Further, I was told that it is possible to restrict incoming requests to 9999 by the IPs of those data centers from which I would like to run the synthetic checks.

Thanks for the extensive answer Matthew! 🙂

One additional IP you can add is from Davis (52.0.97.215 from our logs). This gives you external chat-bot capabilities that are at least fun to play with, both from the Davis web client and the Alexa skill.
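As an added illustration of the layout Matthew describes (Internet-9999-DMZ-8443-DynatraceServer) and the source-IP restriction Stephan mentions, here is a script for the DMZ proxy host that emits an nftables ruleset accepting inbound 9999 only from an allow-list. It is not code from the thread or from Dynatrace; the gateway address and the allowed source ranges are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the Dynatrace docs. Generates an nftables
# ruleset for the DMZ proxy: inbound 9999 only from allow-listed synthetic-location
# addresses, outbound only to the internal security gateway. Everything else is dropped
# and denied 9999 attempts are logged so the firewall log shows unexpected sources.
set -eu

# Constructed placeholder ranges (RFC 5737 documentation space), NOT real Dynatrace locations.
ALLOWED_SOURCES="203.0.113.0/24 198.51.100.7"
PUBLIC_PORT=9999            # port the thread says synthetic traffic arrives on
GATEWAY_HOST="10.20.30.40"  # internal security gateway address (assumed placeholder)
GATEWAY_PORT=9999

# Print the ruleset to stdout; load it with `nft -f` after reviewing it.
build_ruleset() {
  cat <<EOF
table inet dmz_proxy {
  set allowed_sources {
    type ipv4_addr
    flags interval
    elements = { $(printf '%s' "$ALLOWED_SOURCES" | sed 's/ /, /g') }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr @allowed_sources tcp dport $PUBLIC_PORT ct state new accept
    tcp dport $PUBLIC_PORT log prefix "dmz-9999-denied: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    ip daddr $GATEWAY_HOST tcp dport $GATEWAY_PORT ct state new accept
  }
}
EOF
}

# Returns 0 if an address is covered by ALLOWED_SOURCES (exact host or /24 entries,
# which is all the constructed list uses), else 1. Handy to sanity-check the list first.
source_allowed() {
  local addr="$1" entry
  for entry in $ALLOWED_SOURCES; do
    case "$entry" in
      */24) [ "${addr%.*}" = "${entry%.*}" ] && return 0 ;;
      *)    [ "$addr" = "$entry" ] && return 0 ;;
    esac
  done
  return 1
}
```

The output chain also blocks DNS and NTP from the proxy; add those explicitly if the host needs them.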