Thank you it makes sense! Is there a way to change the user running the activegate?

Following iptables rule should work, however I guess the advertised port will stil be 9999 as configured at the gateway.

iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9999

Exactly! The issue here is that even if I set up the new routing using IP tables agents keep connecting to 9999. Is there a way to manually set up the 443 on oneagent side?

Yes, in "/opt/dynatrace/oneagent/conf/ruxitagent.conf" (or similar), the list of endpoints is defined.

Server https://ip-of-the-ag:443/communication

This will get overwritten as soon as agent connects.
Actually, the correct method is to set the property in custom.properties as described in the very first post in this thread.
However, until you run the gateway as root, you cannot bind to ports lower than 1024 anyway.

I am not referring to the config of the activegate, but to the config of the oneagent. This file "ruxitagent.conf" also states "This file is generated automatically. Please do not modify." But when it can't reach any of the configured endpoints, you need to do something. Reinstall of the oneagent also helps (after new download from the dynatrace cluster) as it will use the updated activegate configuration.

I don't know about this actual use case of moving from port 9999 to 443, but I often use a proxy or loadbalancer to achieve this. The activegate's port is still 9999 and you use an external gateway to proxy traffic from port 443 to port 9999. Oneagent traffic is all TCP.

Apart from the PaaS agents where the ruxitagentproc.conf never gets modified - connecting (once) to a predefined endpoint is probably the only use case I can imagine.