This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Recommendations for configuring a load balancer for a Cluster ActiveGate

Go to solution
MAkimov
Mentor

‎20 Jul 2020 08:47 AM

The documentation provides information about adding a load balancer in front of a Сluster ActiveGate.

What are the guidelines for setting it up?


Also a question about the security of such a scheme, can an attacker get into the internal network with such a scheme?

0 Kudos
Reply
18 REPLIES 18

Go to solution
RazTN7
Dynatrace Champion
Dynatrace Champion

‎20 Jul 2020 09:43 AM

Hello Mikhail A ,

Even we are in progress to set Cluster AG.

Steps which we are following up are which may help you as well.

  • Our cluster AG is DMZ server. Private zone.
  • Get External IP for DMZ server
  • Get Public IP for DMZ server
  • Any IP to Public IP port opening
  • Obtain LB virtual IP from you network/LB team.
  • Do natting between Public Ip and LB
  • Map between LB to DMZ external IP (service port - 9999)
  • Get DNS for your server internal and external IP.
    • Generate csr, jks file
    • Get SSL certificate
  • Public IP to DMZ server DNS whitelisting.
  • Implement SSL certificate in LB

As certificate will be SSL not no major security impact.


Cheers!

R

Have a nice day!
Reply

Go to solution
MAkimov
Mentor
In response to RazTN7

‎20 Jul 2020 09:59 AM

What parameters are checked by the AG from the js agent? What headers from exactly understands the data from the agent ?

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive

‎20 Jul 2020 10:09 AM

What are the guidelines for setting it up?

The only requirement from Dynatrace side is to open required incoming/outgoing network ports and preserve incoming headers - as cluster node will verify them to make sure they come from a valid source. Load balancing might be implemented as round-robin or based on health checks that execute /rest/health on port :9999.

I'll try to add something to our documentation pages. Thanks!


Can an attacker get into the internal network with such a scheme?

Dynatrace recommends closing all ports that are not required for all components - incl. customer-provided Load Balancer (LB). For example, LB can accept only 443 and redirect that only to 9999. All other is closed.

Senior Product Manager,
Dynatrace Managed expert
Reply

Go to solution
MAkimov
Mentor
In response to Radoslaw_Szulgo

‎20 Jul 2020 10:24 AM

Thank Radoslaw

what headers AG checks to verify that the request came from the correct source ?

Is it only x-dynatrace-application ?

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to MAkimov

‎20 Jul 2020 10:32 AM

The header that needs to be transmitted is"Server" : "ruxit security gateway"

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
MAkimov
Mentor
In response to Radoslaw_Szulgo

‎20 Jul 2020 11:03 AM

A couple more questions.

Does AG not verify that the request came from our js?


Is it necessary for the balancer to forward/save the client's ip address or all the necessary information for monitoring RUM is contained in the request body ?

0 Kudos
Reply

Go to solution
MAkimov
Mentor
In response to MAkimov

‎20 Jul 2020 04:24 PM

on the second additional question found the answer in the documentation:

Be sure to configure the load balancer to set the x-forwarded-for parameter for all forwarded requests. This parameter contains the IP address of the original request. Dynatrace needs this parameter to determine where the request originated from

Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to MAkimov

‎21 Jul 2020 03:13 PM

LB does need to send the true client IP otherwise we show the IP address as being that of the load balancer, this page lets you set which headers are looked at Settings -> Web and mobile monitoring --> IP determination


Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
MAkimov
Mentor

‎21 Jul 2020 03:00 PM

Hello @Radoslaw S.

Could you please tell me what kind of validation and verification does Cluster ActiveGate for data from js agent (agentless) ?

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to MAkimov

‎21 Jul 2020 03:26 PM

Dynatrace checks payload and URL (parameters). Additionally user-agent header.
Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
MAkimov
Mentor
In response to Radoslaw_Szulgo

‎21 Jul 2020 03:42 PM

does checks ActiveGate or the Dynatrace server?

Does ActiveGate verify that the request came from our js-agent (what parameters are checked)?

Or ActiveGate simply redirects all traffic to the server ?

Thanks!

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to MAkimov

‎21 Jul 2020 03:44 PM

AG aggregates and redirect the traffic to Cluster nodes. Then cluster node (server) extracts the data and validates.

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to Radoslaw_Szulgo

‎21 Jul 2020 03:48 PM

AG only does some checks on the querystring/url and a payload length restrictions

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
MAkimov
Mentor
In response to Radoslaw_Szulgo

‎21 Jul 2020 04:09 PM

thanks a lot for the answers!

the last question - is the data of js-agent in protobuff format ?

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to MAkimov

‎21 Jul 2020 04:27 PM

between agent and AG - it's just a string key-value pairs. between AG and Cluster node - protobuf.

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
MAkimov
Mentor
In response to Radoslaw_Szulgo

‎22 Jul 2020 10:01 AM

Is it possible to fix the parameters of the AG SSL certificate in the js to prevent the transfer of metrics to a fake server?

0 Kudos
Reply

Go to solution
Radoslaw_Szulgo
Inactive
In response to MAkimov

‎22 Jul 2020 11:10 AM

I don't understand the question. Can you please give some examples?

Senior Product Manager,
Dynatrace Managed expert
0 Kudos
Reply

Go to solution
fstekelenburg
DynaMight Pro
DynaMight Pro

‎28 Apr 2021 11:50 AM - edited ‎30 Apr 2021 09:54 PM

Care needs to be taken if also F5 ASM is involved. 
See: CORS error on agentless RUM page with JavaScript t... - Dynatrace Community

 

Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | measure.works, Dynatrace Partner
Reply
Ask a question

Featured Posts