What are the available communication endpoints?

This topic applies to Dynatrace Managed installations only.

Dynatrace Managed includes two different types of endpoints:

In the Cluster Management Console, you can configure custom IP addresses and ports both for monitoring endpoints as well as the web UI. Just select Home in the navigation menu and then click a cluster node to open the overview page of the node.

You can configure the IP addresses and ports in the Customize node endpoints pane. If you specify an IP address for OneAgents, the address will be used for all endpoint monitoring.

Communication from within your network

Sending monitoring data directly to a cluster node (i.e., directly to a public Security Gateway (PSG) is typically possible from within your network, where OneAgents and user sessions can directly interact with the cluster node, regardless of whether they are using an IP address or a domain name. In both cases, the traffic is sent over HTTPS in an encrypted form but only when using a domain with a valid SSL certificate is the traffic considered to be fully secured. Synthetic monitoring is by definition not possible in such a scenario.

Communication from outside your network

For security reasons, direct communication from outside your network with a Dynatrace Managed cluster isn't recommended. If you want to enable synthetic monitoring or monitor hosts and user sessions from outside your network, you need to set up a separate communication proxy (i.e., a public Managed Security Gateway). This Security Gateway will handle cluster communication. It requires:

  • Publicly available IP address
  • Domain name with a valid SSL certificate, since external communication is only supported in a secure manner using HTTPS (port 443). This domain must be different from the Web UI domain and the public Security Gateway domain. You can choose to provide a domain and a SSL certificate on your own or let Dynatrace do this for you. Dynatrace can generate a domain and a valid SSL certificate on your behalf.

For high-load, production-ready installations with external hosts, apps, sessions, and synthetic monitoring, it's recommended that you set up two load-balanced public Managed Security Gateways with the same domain name and certificate. For smaller, low-load installations only a single public Managed Security Gateway is recommended.

Note: Web UI traffic or cluster administration should remain on-premises, within your network. Although unsecure IP traffic is acceptable in this case, you may want Web UI traffic and cluster administration to be carried out in a secure manner as well. In such cases, you can provide a domain name and a SSL certificate, or these can be generated by Dynatrace with a Let’s Encrypt certificate. However, you don’t need to add any public Managed Security Gateways, since Dynatrace only supports Cluster Management control internally.


The following table sums up the required configuration for each discrete traffic case, indicating with an x whether a public IP is required, a valid SSL certificate, or both. Note that Real User Monitoring (RUM), agentless RUM, and mobile RUM normally relate to your customers' traffic, which takes place outside your network. Theoretically, however, they can also be considered inside your network and therefore these cases are also included in the following table.

Traffic type Public IP Valid SSL certificate
OneAgent (on-premises)
OneAgent (external) x
RUM (on-premises)
RUM (external)
Agentless RUM (on-premises) x
Agentless RUM (external) x x
Mobile RUM (on-premises) x
Mobile RUM (external) x x
Synthetic x

Note: Agentless real user monitoring, mobile-app monitoring, and synthetic monitors all use the same endpoint to transmit monitoring data to Dynatrace.