Dynatrace ActiveGate is a component that routes data between your monitored environment and the Dynatrace server (SaaS or Managed). It handles traffic routing, runs monitoring extensions for technologies that don’t support OneAgent, and enables multi-environment management from a single gateway. ActiveGate is required when your hosts can’t reach the Dynatrace cluster directly, when you need to monitor cloud services like AWS or Azure, or when running ActiveGate extensions for databases, HTTP checks, and other remote monitoring.
This guide walks through installing and configuring Dynatrace ActiveGate on Ubuntu 24.04 and Rocky Linux 10 / RHEL 10. We cover the full setup – downloading the installer from the Dynatrace UI, running the installation, verifying the service, configuring routing modes, SSL/TLS, and firewall rules. For the official reference, see the Dynatrace ActiveGate documentation.
Prerequisites
Before starting, make sure you have the following in place:
- A Dynatrace SaaS or Managed account with admin access
- A server running Ubuntu 24.04 LTS or Rocky Linux 10 / RHEL 10 / AlmaLinux 10
- Root or sudo access on the target server
- Minimum 2 GB RAM and 1 vCPU (4 GB RAM recommended for production)
- Outbound HTTPS access to your Dynatrace environment (port 443)
- Port 9999/TCP open for inbound connections from OneAgents (if using routing mode)
Step 1: Download the ActiveGate Installer from Dynatrace UI
The ActiveGate installer is downloaded directly from your Dynatrace environment. Log in to your Dynatrace dashboard and navigate to the ActiveGate deployment page.
- Go to Manage > Deploy Dynatrace > Install ActiveGate
- Select Linux as the platform
- Copy the download command provided – it includes your environment-specific token
The download command looks like this (your URL and token will differ):
wget -O Dynatrace-ActiveGate-Linux-x86-latest.sh "https://YOUR_ENVIRONMENT_ID.live.dynatrace.com/api/v1/deployment/installer/gateway/unix/latest?arch=x86&flavor=default" --header="Authorization: Api-Token YOUR_PAAS_TOKEN"Replace YOUR_ENVIRONMENT_ID with your Dynatrace environment ID and YOUR_PAAS_TOKEN with the PaaS token from your Dynatrace settings. You can generate a PaaS token under Settings > Integration > Platform as a Service.
After downloading, verify the file exists and is executable:
ls -lh Dynatrace-ActiveGate-Linux-x86-latest.shYou should see the installer file with a size around 100-150 MB:
-rw-r--r-- 1 root root 138M Mar 22 10:15 Dynatrace-ActiveGate-Linux-x86-latest.shStep 2: Install Dynatrace ActiveGate on Ubuntu 24.04
On Ubuntu 24.04, run the installer with root privileges. The installer is self-contained and handles all dependencies internally.
First, make sure your system packages are up to date:
sudo apt update && sudo apt upgrade -yRun the ActiveGate installer:
sudo /bin/sh Dynatrace-ActiveGate-Linux-x86-latest.shThe installer outputs its progress as it extracts, installs, and registers with your Dynatrace environment:
Unpacking...
Installing to /opt/dynatrace/gateway
Starting Dynatrace ActiveGate...
Connecting to https://YOUR_ENVIRONMENT_ID.live.dynatrace.com
ActiveGate successfully connected.ActiveGate installs to /opt/dynatrace/gateway by default and runs as the dtuser system user. The installer creates the systemd service automatically.
If you want to monitor server metrics with Prometheus and Grafana alongside Dynatrace, both tools complement each other well for full observability coverage.
Step 3: Install Dynatrace ActiveGate on Rocky Linux 10 / RHEL 10
The installation on Rocky Linux 10 and RHEL 10 follows the same pattern. Start by updating system packages:
sudo dnf update -yRun the installer with root privileges:
sudo /bin/sh Dynatrace-ActiveGate-Linux-x86-latest.shThe installation output is identical to Ubuntu. ActiveGate installs to /opt/dynatrace/gateway and registers with your Dynatrace cluster automatically.
On RHEL/Rocky systems with SELinux enforcing, ActiveGate works without additional SELinux policy changes. The installer configures the required contexts during setup.
Step 4: Verify ActiveGate Status
After installation, confirm that the ActiveGate service is running. The service name is dynatracegateway on both Ubuntu and RHEL-based systems.
sudo systemctl status dynatracegatewayThe output should show the service as active and running:
● dynatracegateway.service - Dynatrace ActiveGate
Loaded: loaded (/etc/systemd/system/dynatracegateway.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-03-22 10:20:35 UTC; 2min ago
Main PID: 4521 (gateway)
Tasks: 45 (limit: 4651)
Memory: 512.0M
CPU: 8.234s
CGroup: /system.slice/dynatracegateway.serviceEnable the service to start on boot (the installer usually does this, but verify):
sudo systemctl enable dynatracegatewayYou can also verify ActiveGate connectivity from the Dynatrace UI. Go to Manage > Deploy Dynatrace > ActiveGates and confirm your new gateway appears in the list with a green status indicator.
Check that ActiveGate is listening on its default port:
sudo ss -tlnp | grep 9999You should see the gateway process listening on port 9999:
LISTEN 0 128 *:9999 *:* users:(("gateway",pid=4521,fd=12))Step 5: Configure ActiveGate for Cluster Routing
Cluster routing mode makes ActiveGate act as a proxy between OneAgents and the Dynatrace cluster. This is the most common deployment scenario – useful when monitored hosts sit in a restricted network segment without direct internet access.
Edit the ActiveGate configuration file:
sudo vi /var/lib/dynatrace/gateway/config/custom.propertiesAdd or verify the following settings to enable routing:
[connectivity]
# Enable data routing from OneAgents through this ActiveGate
dnsEntryPoint = https://YOUR_ENVIRONMENT_ID.live.dynatrace.com/communication
[collector]
# Listen on all interfaces for OneAgent connections
localURI = 0.0.0.0:9999Replace YOUR_ENVIRONMENT_ID with your actual environment ID. After saving the configuration, restart ActiveGate to apply changes:
sudo systemctl restart dynatracegatewayVerify the service came back up cleanly:
sudo systemctl status dynatracegatewayOnce routing is enabled, configure your OneAgents to communicate through this ActiveGate by setting the --set-server parameter during OneAgent installation or updating /var/lib/dynatrace/oneagent/agent/config/communication-endpoints.conf on existing installations.
Step 6: Configure ActiveGate for Multi-Environment Monitoring
A single ActiveGate can serve multiple Dynatrace environments. This is useful in managed service provider setups or large organizations with separate Dynatrace tenants per team. For broader server monitoring tool options, consider running multiple observability platforms alongside Dynatrace.
Edit the configuration file:
sudo vi /var/lib/dynatrace/gateway/config/custom.propertiesAdd the environments you want this ActiveGate to serve:
[connectivity]
# Primary environment
dnsEntryPoint = https://ENV1_ID.live.dynatrace.com/communication
# Additional environments (comma-separated)
tenantToken = ENV1_TOKEN
additionalTenants = ENV2_ID,ENV3_ID
[http.client]
# Increase timeout for multi-environment setups
socketTimeout = 30000Each additional environment requires its own tenant token. Generate these from the respective Dynatrace environment under Settings > Integration > Platform as a Service.
Restart ActiveGate after making changes:
sudo systemctl restart dynatracegatewayConfirm the gateway appears in all configured Dynatrace environments by checking the ActiveGate list in each tenant dashboard.
Step 7: Configure SSL/TLS for ActiveGate
ActiveGate uses SSL/TLS by default for communication with the Dynatrace cluster. For the ActiveGate-to-OneAgent connection, you can configure a custom certificate instead of the self-signed one generated during installation. If you need to generate certificates, check out our guide on generating Let’s Encrypt SSL certificates on Linux.
To use a custom SSL certificate, place your certificate and key files on the server:
sudo cp /path/to/your/certificate.pem /opt/dynatrace/gateway/ssl/server.pem
sudo cp /path/to/your/private.key /opt/dynatrace/gateway/ssl/server.keySet proper ownership so the ActiveGate process can read the files:
sudo chown dtuser:dtuser /opt/dynatrace/gateway/ssl/server.pem
sudo chown dtuser:dtuser /opt/dynatrace/gateway/ssl/server.key
sudo chmod 600 /opt/dynatrace/gateway/ssl/server.keyEdit the configuration to reference the custom certificate:
sudo vi /var/lib/dynatrace/gateway/config/custom.propertiesAdd the SSL configuration section:
[http.server.ssl]
# Path to custom SSL certificate
keyStorePath = /opt/dynatrace/gateway/ssl/server.pem
keyStorePassword = YOUR_KEYSTORE_PASSWORDRestart the service to apply the SSL changes:
sudo systemctl restart dynatracegatewayVerify the certificate is being served correctly by testing the connection:
openssl s_client -connect localhost:9999 -showcerts /dev/null | openssl x509 -noout -subject -datesThe output confirms the certificate subject and validity dates:
subject=CN = activegate.example.com
notBefore=Mar 22 00:00:00 2026 GMT
notAfter=Jun 20 00:00:00 2026 GMTStep 8: Configure Firewall for ActiveGate (Port 9999)
ActiveGate listens on port 9999/TCP for incoming OneAgent connections. Open this port in your firewall so that monitored hosts can reach the gateway.
Firewall rules on Ubuntu 24.04 (UFW)
Allow port 9999 through UFW:
sudo ufw allow 9999/tcp comment "Dynatrace ActiveGate"
sudo ufw reloadConfirm the rule was added:
sudo ufw status | grep 9999The output should show the port allowed from any source:
9999/tcp ALLOW Anywhere
9999/tcp (v6) ALLOW Anywhere (v6)Firewall rules on Rocky Linux 10 / RHEL 10 (firewalld)
Add the port to the active firewalld zone:
sudo firewall-cmd --add-port=9999/tcp --permanent
sudo firewall-cmd --reloadVerify the port is open:
sudo firewall-cmd --list-portsYou should see 9999/tcp in the output:
9999/tcpActiveGate also needs outbound HTTPS (port 443) access to reach your Dynatrace cluster. Make sure your network or cloud security group allows outbound traffic on port 443 to your Dynatrace SaaS endpoint.
Step 9: Monitor ActiveGate Health
ActiveGate exposes health information through its built-in status endpoint and log files. Regular monitoring catches issues before they affect your OneAgent fleet.
Check the ActiveGate health endpoint:
curl -sk https://localhost:9999/rest/healthA healthy ActiveGate responds with its status:
{"state":"HEALTHY"}Review the ActiveGate log files for errors or connection issues. The logs are stored under /var/lib/dynatrace/gateway/log:
sudo tail -50 /var/lib/dynatrace/gateway/log/gateway.logLook for connection errors or authentication failures. Common issues include expired PaaS tokens, network connectivity problems, or certificate mismatches.
For a quick ActiveGate status summary, use the built-in version check:
sudo /opt/dynatrace/gateway/bin/gateway.sh versionSet up a cron job or integrate with your existing monitoring stack to run periodic health checks. If you use Nagios for monitoring, you can create a custom check against the health endpoint.
In the Dynatrace UI, ActiveGate health is visible under Manage > ActiveGates. The dashboard shows connection status, version, connected OneAgents, and resource usage. Set up alerting profiles in Dynatrace to get notified when an ActiveGate goes offline.
Conclusion
Dynatrace ActiveGate is now installed and configured on your Ubuntu 24.04 or Rocky Linux 10 server, with routing enabled for OneAgent communication, firewall rules in place, and health monitoring set up. For production environments, deploy at least two ActiveGate instances behind a load balancer for high availability, rotate your SSL certificates before expiry, and keep ActiveGate updated to the latest version through the Dynatrace auto-update mechanism.
