Time to upgrade! NAM is scheduled for end of support. It's time to move to Dynatrace our all-in-one software intelligence platform.

How to configure the environment for security

NAM is a monitoring system composed of several components communicating with each other. These components have default security settings for communicating with each other and for monitoring. You can apply your own security policy for a single operating system that hosts several components. Some security actions, however, specifically apply to the report server or database server.
Firewalls and antivirus software can be installed on NAM component machines - because these use OS versions and builds that you provide.

Hardening NAM component systems

You should apply general operating system guidelines for securing the report server. Depending on your deployment scenario, securing the operating system could also secure other NAM components (NAM Server, ADS, NAM Console, and MS SQL).

TLS 1.2 support

By default, every component of the NAM May 2017 release uses TLS 1.2. If you are using a legacy NAM Probe installation, you will have to upgrade to the newest NAM Probe release. For more information, see Upgrading Classic AMD.


  • Locate the server behind a firewall with default rules to set up a whitelist or blacklist for server URLs.
  • Open the server only to specific applications or web servers.


  • Maintain the latest operating system version.
  • Apply all current software security patches.
  • Disable any unnecessary file and printer sharing services.
  • Remove unnecessary services, applications, and network protocols.
  • Remove or disable any development tools
  • Configure custom LDAP SSL certificate.


  • Change default password policy.
  • Provide the accounts with system administration capabilities to as few individuals as is practical.

  • Remove unnecessary default accounts and non-interactive accounts.

Hardening report server (NAM Server & ADS)

Perform the following security actions specifically on NAM report servers:


  • NAM Server server can only be access on port 80 by the Reverse Proxy Server.

Reverse proxy

Set up a reverse proxy for NAM Server using the configuration that best reflects your access policy.
The following example illustrates a setup with access from the external network only for mobile and desktop report users.

Create a whitelist and blacklist of URLs:

  • Pass only those URLs which are required to serve the DMI reports to the non-admin users (whitelist).
    For example, direct all report users through this proxy (including the mobile app users). This way admin users’ access to NAM will be restricted to stations that can access the NAM servers directly from the network segments behind the reverse proxy.
  • Block specific URLs which are used for report server administration and configuration (blacklist).
    For example, the report server contains a set of specific web-enabled diagnostic tools that can be accessed via the client's browser.

  • The tool to execute diagnostic and database maintenance queries on the report server database.

  • Location of the administration console enabling performance of configuration management, system management, and diagnostics.

In deployments requiring high security, you can disable or block access to these tools.

As an additional, optional safety measure, the NAM Console server service can be disabled on the NAM servers (in Windows Control panel, and enabled only when configuration tasks have to be performed).

Hardening NAM Probe

Because the NAM Probe (network probe) has insight into customer data, it should be protected in the same manner as the network and server equipment is protected on the customer data processing path. Set secure access to the NAM Probe, including restriction and auditing of the management connection to the NAM Probe, and maintain firewall and antivirus software updated and patched.

For more information on how to harden the NAM Probe security, see Hardening NAM Probe.