How do I install Dynatrace Security Gateway?

Before you begin

Security Gateway requires

  • 1 GB free disk space
  • 2 GB RAM (4 GB recommended)
  • Dynatrace SaaS installations use HTTPS port 443 to connect to monitored environments. URLs for monitored environments use the form <YourEnvironmentID>.live.dynatrace.com.
  • Dynatrace Managed installations use HTTPS port 8443 to connect to Dynatrace Server.
  • Security Gateway receives data from the Dynatrace OneAgent on port 9999 on HTTPS.

If you’re installing OneAgent on a system that runs on VMware, install Security Gateway in a network segment that can easily reach your VMware solution.

For details on the platforms on which you can install Security Gateway, see Security Gateway requirements.

Download and run the installer

If you’re setting up Dynatrace for the first time you’ll see a link to the Security Gateway installer on your home dashboard once monitoring setup is complete.

Click the VMware tile to get to the installer download link. You can get to our Security Gateway installer anytime via the Settings menu, even if you’ve already installed your first Dynatrace OneAgent or completely changed your home dashboard layout.

If you've already downloaded OneAgent

In some cases Security Gateway installation is directly related to Dynatrace OneAgent installation.

When you download OneAgent installer before installing Security Gateway and use it for installation in a DMZ, or a network segment that has no Internet access you’ll need to download the OneAgent installer again because the file will not contain proper configuration (OneAgent is configured during installation to connect to Dynatrace directly). You’ll need to first install Security Gateway and then download the Dynatrace OneAgent installer. Then Dynatrace OneAgent will be able to send data to Dynatrace.

You can install Security Gateway on a Linux or Windows machine. Security Gateway needs to send monitoring data to Dynatrace, that’s why it needs Internet access. Security Gateway listens (i.e., accepts incoming connections) on port 9999 and talks to Dynatrace Server (i.e., makes outgoing connections) on port 443. Ensure that your firewall settings allow communication through these ports.

How you download your installer depends on your setup and needs. You can choose to download an installer directly to the server where you plan to install Security Gateway or you can download an installer to a different machine and then transfer the installer to the server.

Getting the Linux installer

Downloading the installer for Linux is fairly easy—just copy the command line for wget from your web browser and paste it into your terminal window. Wait for the download to complete and you can begin installation.

The Security Gateway download page has everything you need to download Security Gateway—a wget command line for downloading directly to a server and a download link for saving the installer elsewhere. Make sure to copy the command directly from the Dynatrace page because it contains your environment ID.

Make sure your system is up to date, especially SSL and related certificate libraries. If you plan to download Security Gateway directly to the server, note that outdated libraries (for example, CA certificates) or missing OpenSSL will prevent the installer from downloading (we use encrypted connections and OpenSSL is needed to enable wget to access the server).

You can also download the installer by clicking the link and saving the installer script to any location you want (bypassing the wget command altogether).

Getting the Windows installer

Downloading the Security Gateway installer for Windows can be achieved with a single click-click the button to download the installer directly to the server intended for installation, or to any other suitable location.

Security Gateway download page for Windows gives you access to the standard installer.

You’ll need administrator rights to install your Security Gateway.

In Windows, run the executable file using administrator rights, and follow the displayed instructions.

In Linux, you’ll need root privileges. You can use su or sudo to run the installation script. You’ll need to make the script executable before you can run it. To do this, type one of the following commands in the directory where you downloaded the installation script.

How to run the Security Gateway installer on Linux

If you’re on an Ubuntu Server, use the following command:

chmod + x Dynatrace-Security-Gateway-Linux-1.0.0.sh
sudo ./Dynatrace-Security-Gateway-Linux-1.0.0.sh

If you’re using Red Hat Enterprise Linux:

chmod + x Dynatrace-Security-Gateway-Linux-1.0.0.sh
su ./Dynatrace-Security-Gateway-Linux-1.0.0.sh

If you start a root session:

chmod + x Dynatrace-Security-Gateway-Linux-1.0.0.sh
./Dynatrace-Security-Gateway-Linux-1.0.0.sh

Security Gateway can use an HTTP proxy server address. On Windows you can enter this address in one of the installer steps. On Linux you need to pass an extra parameter, PROXY, whose value is the proxy address and port, for example PROXY="172.18.18.100:8080". For more information see, How can I pass a proxy address during installation?

Once Security Gateway connects to Dynatrace Server, the installation is complete. You’ll see the result in the Dynatrace web interface. That’s all there is to it!

As soon as Security Gateway connects to Dynatrace Server, Dynatrace OneAgent is informed and re-configured to send monitoring data through Security Gateway.

What is Security Gateway?

Security Gateway works as a proxy between Dynatrace OneAgent and Dynatrace Server. It collects monitoring data, keeps the data encrypted, aggregates and encrypts the data, and sends the data to Dynatrace. If you have Security Gateway in your data center, know that this is the only Dynatrace software component that requires full Internet access. You don’t need to do any extra configuration (if this is a new installation, install it first to make things easier), just install Security Gateway in a network segment that all your agents can access (or install one Security Gateway per segment if some agents won’t be able to send monitoring data toSecurity Gateway). The rest of the setup is handled automatically.

Do I need Security Gateway?

Security Gateway is an optional Dynatrace component. Install Security Gateway if you need to:

  • Monitor virtualization
    Your monitoring likely won’t be complete without virtualization monitoring. If your hosts run in a VMware virtual environment, install Security Gateway and complete the virtualization monitoring step.
  • Keep your environment secure and save firewall settings
    Security Gateway works as a proxy between Dynatrace OneAgent and Dynatrace Server. If you have a Security Gateway in your data center, know that it is the only Dynatrace software component that requires full Internet access. It saves you the effort of rewriting routing tables and changing firewall settings for each monitored host.
  • Introduce load balancing for monitoring data within a large deployment
    In large deployments, Dynatrace OneAgent can generate a lot of monitoring data. You can use Security Gateway to maximize throughput and avoid overload, especially on the agent side.
  • Increase the effectiveness of your installed Dynatrace components
    You can use more than one Security Gateway if your monitored hosts work in isolated zones—this can save you from otherwise being forced to violate your security or networking policies.

Installing Security Gateway

Because OneAgent has no direct access to Dynatrace, if you decide to install Security Gateway, perform installations in the following order:

  1. Download and install Security Gateway.
  2. Ensure that Security Gateway is connected to Dynatrace.
  3. Download and install OneAgent.

It’s crucial that you download the OneAgent installer when Security Gateway is connected to Dynatrace. Otherwise, the OneAgent installer won’t be updated with your Security Gateway information and OneAgent won’t be able to connect to Dynatrace via your Security Gateway.