• Forums
    • Public Forums
      • Community Connect
      • Dynatrace
        • Dynatrace Open Q&A
      • Application Monitoring & UEM
        • AppMon & UEM Open Q&A
      • Network Application Monitoring
        • NAM Open Q&A
  • Home
  • Public Forums
  • Application Monitoring & UEM
  • AppMon & UEM Open Q&A
avatar image
Question by Tomislav F. · Jan 21, 2014 at 04:52 PM ·

X-Forwarded-For - get real IP for UEM world map

Hello,
We have recently enabled dynaTrace 5.5 with UEM for our customer. The problem is that the customer is not seeing users (e.g. Southeast Asia) on the world map. During the POC these more granular entries were visible on the world map (see screenshot world map.jpg )

We suspect that some of the Client IP addresses are NAT addresses and are therefore being "aggregated" in the world map view. The real IP could be in the X-Forwarded-For (XFF) header attribute (see screenshot X_Forwarded_For_01.jpg). According to my research, the left value should be the "real IP address". Please correct me if I am wrong. Since today we are capturing the X-Forwarded-For attribute in the Request header (Frontend sensor ASP.NET and Web Server sensor). In dT server settings / Geographical Locations, the X-Forwarded-For entry has been pushed up to have highest priority for UEM (see screenshot X_Forwarded_For_02.jpg)

Now the question is: How can UEM extract the real IP address, so that we can display all regions in the UEM world map accordingly?

Best Regards
Tomislav

Comment

People who like this

0 Show 0
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

6 Replies

  • Sort: 
  • Most voted
  • Newest
  • Oldest
avatar image

Answer by Sindu m. · Mar 04, 2014 at 06:40 PM

Can UEM be used for masked ip's monitoring and provide geographic specific latencies

Comment

People who like this

0 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image

Answer by Tomislav F. · Jan 23, 2014 at 12:59 PM

I have tried to perform a UEM health check to verify whether the UEM dynaTrace cookies are being filtered out (dtCookie, dtPC, dtLatc). During our WebEx session there was a general outage of the customer's application which prevented us from accessing the application URL. Once the URL is reachable again, another UEM heal check will be attempted again.
Regarding the proxy server visits: At this point in time we know that certain end-users access the application through proxy servers (see screenshot proxy_visits.jpg). It has been mentioned that the high amount of US users are in fact also accessing the application from outside of the US

  • One solution would be to map the known proxy servers to an exact location in dynaTrace (dynaTrace server => Geographical Locations), if the exact locations of the proxy servers are known. The disadvantage of that is that we would have an aggregate as well.
  • Another option would be that the customer adjusts his proxy server settings. The question is whether the proxy servers can be configured in that way, that the real IP address is being passed through as well. There are currently two entries in the X-Forwarded-For (XFF) header attribute, whereas dT would expect only one entry. Therefore I was told that dT would have problems in processing the XFF attribute for UEM. I am also not sure whether the XFF attribute contains the "real" IP address. Is there any other attribute which contains the "real" IP address and which we could use for UEM?
Comment

People who like this

0 Show 1 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image Roman S. · Jan 23, 2014 at 01:17 PM 0
Share

Regarding the two entries - PM confirmed that this is not a problem and we will take the first (or most left) of those addresses as client IP for geo-location.

avatar image

Answer by Herwig R. · Jan 22, 2014 at 09:30 PM

Hi Tomislav,
is it possible that for some reason our cookis are filtered out (dtCookie, dtPC, dtLatc) for the missing user actions.
If so this would be an explanation why you see server side PP but no user action (and so no visits).

Best, Herwig

Comment

People who like this

0 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image

Answer by Tomislav F. · Jan 22, 2014 at 05:18 PM

That is a good question about why there are two IP addresses in the X-Forwarded-For (XFF) field. From my understanding the left XFF value should be the original IP, and all subsequent XFF values should be proxy entries? During today's remote session dT only offered me to drill down to user action Purepaths (starting from the visits dashlet) and not to Purepaths, where I would see the XFF header field. What the customer also mentioned is that in the North America they have an unexpectedly high amount of visit counts, whereas in Asia the visit count is rather low. Maybe the reason for that is because end-users are using a VPN from Asia (connecting to the US) and then using the application?

From an older local session file, the following attached screenshot shows how I can drill down to the IP address in the Request Header visits_ip_drill_down.jpg

Another more important question: in UEM we currently have missing entries / visits. Are these missing entries also reflected "everywhere else" in dT? (meaning in the server-side Purepaths). As far as I understand, UEM is considered separately in dT and therefore other parts in dT should provide a complete picture. Is that correct? (e.g. dashlets for Web Requests, Transaction Flow, hotspots)

Comment

People who like this

0 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image

Answer by Tomislav F. · Jan 22, 2014 at 11:59 AM

After yesterday's change, the first customer feedback today is that there is no improvement. The expected dots in the world map are still missing. In the System Profile, I have checked the "User Experience" settings and they seem to be fine. In the "Visits by Location" dashlet, there are proxy entries (see attached screenshot proxy_visits_by_location.jpg ). What could be the reason?

Comment

People who like this

0 Show 1 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image Roman S. · Jan 22, 2014 at 12:17 PM 0
Share

Hi Tomislav,

If you drill down to a single visit - does it show the right IP address there (meaning the one from the HTTP header)?

Also - why are there two IP addresses in the X-Forwarded-For header attribute. In the past I have only seen single entries, not two IPs.

Best, Roman

avatar image

Answer by Rick B. · Jan 21, 2014 at 06:43 PM

Hi Tomislav,

Pushing the X-Fowarded-For attribute to the top of the list in the Geographical Locations dialog did not resolve this issue for you?

Rick

Comment

People who like this

0 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

How to get started

First steps in the forum
Read Community User Guide
Best practices of using forum

NAM 2019 SP5 is available


Check the RHEL support added in the latest NAM service pack.

Learn more

LIVE WEBINAR

"Performance Clinic - Monitoring as a Self Service with Dynatrace"


JANUARY 15, 3:00 PM GMT / 10:00 AM ET

Register here

Follow this Question

Answers Answers and Comments

5 People are following this question.

avatar image avatar image avatar image avatar image avatar image

Forum Tags

dotnet mobile monitoring load iis 6.5 kubernetes mainframe rest api dashboard framework 7.0 appmon 7 health monitoring adk log monitoring services auto-detection uem webserver test automation license web performance monitoring ios nam probe collector migration mq web services knowledge sharing reports window java hybris javascript appmon sensors good to know extensions search 6.3+ server documentation easytravel web dashboard kibana system profile purelytics docker splunk 6.1 process groups account 7.2 rest dynatrace saas spa guardian appmon administration production user actions postgresql upgrade oneagent measures security Dynatrace Managed transactionflow technologies diagnostics user session monitoring unique users continuous delivery sharing configuration alerting NGINX splitting business transaction client 6.3 installation database scheduler apache mobileapp RUM php dashlet azure purepath agent 7.1 appmonsaas messagebroker nodejs 6.2 android sensor performance warehouse
  • Forums
  • Public Forums
    • Community Connect
    • Dynatrace
      • Dynatrace Open Q&A
    • Application Monitoring & UEM
      • AppMon & UEM Open Q&A
    • Network Application Monitoring
      • NAM Open Q&A