Prospects asks if and how they can change the url that the ActiveGate is using to send the data to the server (https::/xxxx:8443/communications) as there will be DataPower on the way that will get the web request from the ActiveGate (without the /communications) and the DataPower will transform and send the web request to the server (with the /communications)
Solved! Go to Solution.
I don't think this is supported or even possible. If you will do remapping URI, you are just asking for problems. I think the /communications endpoint is hardcoded.
AFAIK the list of endpoints URLs (for both ActiveGate and OneAgent) are updated from Dynatrace server as soon as ActiveGate/OneAgent connects. Anything you modify in the config file will be overwritten.
If you won't remap the URL path, you can probably achieve MITM by putting the entries of Dynatrace cluster node names in /etc/hosts pointing to the DataPower IP and block (using iptables) the IP addresses of cluster nodes so the gateway cannot connect via ip address.
Just curious - what is the reason to do this? Although the transport protocol is HTTP here, the data exchanged is in some binary form and I don't think you extract anything useful without deep knowledge of the protocol.
First thanks for your detailed answer
That was our guess too about the hard coded, just wanted to be sure about that.
Will try to suggest this workaround to the military guys that asked us this question in order to send data from AG to DTM across their separated networks
@Július L. I had a similar question and saw this. My scenario: I have separate DCs connected by VPNs, in each DC there is an environment activegate for forwarding local oneagent data to a pair of cluster activegates which are in only one DC with the managed cluster nodes. Everything is kept internal on the VPNs using internal configured endpoints. I now want to deploy dynatrace oneagent in a different datacenter that does not have VPN connectivity. Intention is to deploy an environment activegate in this datacenter, which would use a public URL to connect to a publicly available endpoint, which would then forward to the internal cluster activegates. Thus I want to configure this external active gate with a unique public URL for communication to the cluster. Due to security constraints the HTTP based traffic needs to come in through this publicly exposed reverse proxy layer and needs to be a URL destination not IP. I cannot use a publicly exposed cluster activegate. I would prefer not to create a new cluster ag just for the purpose of configuring it with a public url to get it into the config, which would now also get added as an endpoint into any new activegate or oneagent I deploy.
Sorry, but Dynatrace does not allow you to set custom endpoints. The only method I know is to play with DNS or with the hosts file, so the host (gateway) thinks is a reachable endpoint, but, in fact, it is for example a forwarded port.
If I understand your situation correctly, I assume you can reach the cluster node only via a reverse proxy deployed in the remote DC. This has to be configured to pass traffic without URL path change (based on hostname only). So if your cluster node endpoint is https://node01.domain:8443/communication , then I would deploy the Environment ActiveGate to the DC and configure /etc/hosts so the node01.domain will target to the IP of the reverse proxy. The reverse proxy must, however, pass this 'virtual host' to the real cluster node. This will definitely work, but it might require to play with the agent truststore.
Another method I can think you would be to engage a HTTP proxy if that is possible