How do I enable agentless real user monitoring?

This topic applies to Dynatrace Managed installations only.

To use real user monitoring without Dynatrace you need to set up a publicly accessible Security Gateway. You can use the same Security Gateway for both web checks and agentless real user monitoring.

Normally you benefit from real user monitoring only after you’ve installed Dynatrace. The manual approach to setup described here—otherwise known as agentless real user monitoring—should only be used for installations where you aren’t able to start deep monitoring, for example because you have no Dynatrace installed on your web server machine.

Before you begin:

  • Keep in mind that you’ll need to manually insert a JavaScript tag into each of your application’s pages.
  • You may find it challenging to insert the JavaScript tags in the right places (this is something that Dynatrace handles automatically).
  • The JavaScript tags embedded in your application’s pages will not be automatically updated if you change application monitoring settings—you’ll need to update the tags manually (this is something that Dynatrace handles automatically).

What you’ll need:

  • Access to your application’s HTML source so that you can insert the JavaScript tags.
  • Custom JavaScript tag generated by Dynatrace.

Install Security Gateway

Don’t install a Security gateway on the same host where a Dynatrace cluster node is installed.

To install a Security Gateway:

  1. Go to the Dynatrace Managed Clusters page.
  2. Click Download Security Gateway installer.
  3. Follow the instructions included in the installer. Be sure to install the Security Gateway in a network segment that is accessible from the Internet.
  4. Go to Settings > Public endpoints and type in the URL where your new Security Gateway can be reached. The URL must be publicly accessible and able to accept both HTTP and HTTPS requests. Note: Agentless real user monitoring and mobile-app monitoring use this same endpoint to transmit monitoring data to Dynatrace.

Once Dynatrace has validated that your Security Gateway can be reached from the Dynatrace cloud, you will be able to schedule web checks from all environments.

Monitoring HTTPS-based web apps

If your web application uses HTTPS, you need a load balancer or proxy that terminates the SSL connection and forwards the traffic using HTTPS to your Security Gateway. The Security Gateway listens on port 9999.

Load balancing mutiple Security Gateways

For production monitoring with high load and fail-over requirements it’s recommended that you use multiple load balanced Security Gateways. If you take this approach, you will need to provide your load-balancer URL in the Security Gateway URL field, as explained in the above procedure.

Configure load balancer

Requests that your load balancer forwards to Security Gateways appear as follows:

GET and POST requests for transmitting session information to Dynatrace Managed:


GET requests for the JavaScript tag:


If your website uses HTTPS, we recommend that your load balancer terminate the SSL connection and communicate to the Security Gateways using plain HTTP. In this way you don’t have to install certificates on the Security Gateways.

Cache the JavaScript tag

To support higher load scenarios when using a load balancer, we recommend that you cache the JavaScript tag that is loaded from the Security Gateway using a caching proxy.

Serving the JavaScript tag via CDN

In addition to the obvious benefits of serving the JavaScript tag from your CDN, with this approach the GET requests for the JavaScript tag are directed to your CDN.

To serve the JavaScript tag from your own CDN:

  1. Go to Settings > Public endpoints.
  2. Type the root path of your CDN into the CDN for JS tag field.