clean/linted configure proxy internet

This commit is contained in:
martyav
2019-08-01 16:52:21 -04:00
parent 76d4d57fa8
commit beee821d6c


@ -17,15 +17,13 @@ ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
--- ---
# Configure machine proxy and Internet connectivity settings # Configure machine proxy and Internet connectivity settings
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
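Review bot: the blank line between the `> Want to experience Microsoft Defender ATP?` call-out and the paragraph `The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP)` has to survive this cleanup. The hunk shrinks from 15 to 13 lines while the only visible change is the `>Want` -> `> Want` spacing, so the dropped lines are blank lines; without a blank line after a blockquote the next paragraph is a lazy continuation and renders inside the trial call-out.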
@ -33,25 +31,25 @@ The embedded Microsoft Defender ATP sensor runs in system context using the Loca
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods: - Auto-discovery methods:
- Transparent proxy - Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD) - Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE] > [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
- Manual static proxy configuration: - Registry based configuration
- Registry based configuration - WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
- WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy ## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under: The static proxy is configurable through Group Policy (GP). The group policy can be found under:
- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
![Image of Group Policy setting](images/atp-gpo-proxy1.png) ![Image of Group Policy setting](images/atp-gpo-proxy1.png)
- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
- Configure the proxy:<br> - Configure the proxy:<br>
![Image of Group Policy setting](images/atp-gpo-proxy2.png) ![Image of Group Policy setting](images/atp-gpo-proxy2.png)
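Review bot: the move of `- Manual static proxy configuration:` up one line loses the sub-item indentation in this view; confirm that `- Registry based configuration` and `- WinHTTP configured using netsh command` stay indented under the parent and that a blank line still separates the list from the preceding `> [!NOTE]` block, otherwise the parent bullet and `Auto-discovery methods` become one list with the note wedged in the middle. While these lines are being touched: `netsh command Suitable only for desktops` needs a period or dash after `command`, and `if a computer is not be permitted to connect to the Internet` should read `is not permitted`.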
@ -63,6 +61,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can
```text ```text
<server name or ip>:<port> <server name or ip>:<port>
``` ```
For example: 10.0.0.6:8080 For example: 10.0.0.6:8080
The registry value `DisableEnterpriseAuthProxy` should be set to 1. The registry value `DisableEnterpriseAuthProxy` should be set to 1.
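Review bot: `DisableEnterpriseAuthProxy` is given as a bare value name with no key path, and this hunk starts at line 63 so the preceding context is not visible; if the page does not state the key earlier, add it next to the value, because a reader setting this by hand rather than through the GPO shown above has nothing to go on. Minor: `For example: 10.0.0.6:8080` should be inline code to match the fenced `<server name or ip>:<port>` placeholder above it.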
@ -82,35 +81,39 @@ Use netsh to configure a system-wide static proxy.
b. Right-click **Command prompt** and select **Run as administrator**. b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**: 2. Enter the following command and press **Enter**:
```
```PowerShell
netsh winhttp set proxy <proxy>:<port> netsh winhttp set proxy <proxy>:<port>
``` ```
For example: netsh winhttp set proxy 10.0.0.6:8080 For example: netsh winhttp set proxy 10.0.0.6:8080
To reset the winhttp proxy, enter the following command and press **Enter** To reset the winhttp proxy, enter the following command and press **Enter**
```
```PowerShell
netsh winhttp reset proxy netsh winhttp reset proxy
``` ```
See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more.
## Enable access to Microsoft Defender ATP service URLs in the proxy server ## Enable access to Microsoft Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
>[!NOTE] > [!NOTE]
> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. > URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record Service location | Microsoft.com DNS record
:---|:--- -|-
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com``` Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com```
European Union | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com``` European Union | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com``` United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com``` United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
## Microsoft Defender ATP service backend IP range ## Microsoft Defender ATP service backend IP range
If you network devices don't support the URLs white-listed in the prior section, you can use the following information. If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
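Review bot: tagging the `netsh winhttp set proxy <proxy>:<port>` and `netsh winhttp reset proxy` fences as `PowerShell` contradicts step 1b, which has the reader open `Command prompt` and `Run as administrator`; use `cmd` (or `console`) for both, or change the step to open an elevated PowerShell. Two lint-level items in the unchanged context: `If you network devices don't support` -> `If your network devices`, and `in port 80 and 443` -> `on ports 80 and 443`. Also consider a caveat beside `*.blob.core.windows.net`: that wildcard matches every Azure Storage account, not only Microsoft's, so allowing it through a default-deny proxy opens an egress path to arbitrary third-party blob storage, and readers should know this entry is far broader than the others. The `:---|:---` -> `-|-` separator change is valid GFM (one dash per cell suffices) and only drops the explicit left alignment, which renders the same here.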
@ -123,13 +126,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
- \+\<Region Name="uksouth"> - \+\<Region Name="uksouth">
- \+\<Region Name="ukwest"> - \+\<Region Name="ukwest">
You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
>[!NOTE] > [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
## Verify client connectivity to Microsoft Defender ATP service URLs ## Verify client connectivity to Microsoft Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
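Review bot: `It's recommended you move to DNS resolving setting` is the actionable sentence of this hunk and it is unclear; say what is meant: allow the DNS names from the previous section instead of maintaining Azure IP ranges, because the ranges change. The region entries such as `- \+\<Region Name="uksouth">` render as escaped XML fragments copied from the download; either format them as inline code or list the plain region names (`uksouth`, `ukwest`).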
@ -146,11 +147,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
4. Enter the following command and press **Enter**: 4. Enter the following command and press **Enter**:
``` ```PowerShell
HardDrivePath\WDATPConnectivityAnalyzer.cmd HardDrivePath\WDATPConnectivityAnalyzer.cmd
``` ```
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
```
```PowerShell
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
``` ```
@ -158,13 +161,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br> 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example:
```text ```text
Testing URL : https://xxx.microsoft.com/xxx Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200) 1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200) 2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200) 3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist 4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist 5 - Command line proxy: Doesn't exist
``` ```
If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br> If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>
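Review bot: the sample output shows `3 - Proxy disabled: Succeeded (200)` and the closing sentence treats any single 200 as a pass; add a sentence that a 200 on the `Proxy disabled` probe means the host reaches the service without any proxy, which on a machine that is supposed to be limited to the static proxy configured earlier (`if a computer is not be permitted to connect to the Internet`) shows the egress restriction is not actually enforced. The result should be read against the intended network policy, not just as success.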
@ -172,10 +176,11 @@ If at least one of the connectivity options returns a (200) status, then the Mic
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
> [!NOTE] > [!NOTE]
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Conduct investigations with Microsoft Defender ATP behind a proxy ## Conduct investigations with Microsoft Defender ATP behind a proxy
Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet. Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor. The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br> By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
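Review bot: the line `> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct` is a separate note about proxy fallback but sits as the second line of the ASR blockquote, so it renders as a continuation of the ASR warning; give it its own `> [!NOTE]`. That fallback also warrants a security-relevant sentence: the static proxy is a routing hint, not an enforcement control, so a host that must only talk through the proxy needs direct egress blocked at the firewall, otherwise an unreachable or misconfigured proxy silently turns into direct connections. The ASR link path fix (`attack-surface-reduction-exploit-guard` -> `attack-surface-reduction`) looks right; `(see HTTP Status Codes)` still has no link.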
@ -192,15 +197,16 @@ Event's information:
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type.<br> All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type.<br>
Using this simple query will show you all the relevant events: Using this simple query will show you all the relevant events:
``` ```PowerShell
NetworkCommunicationEvents NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" | where ActionType == "ConnectionSuccess"
| take 10 | take 10
``` ```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png) ![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy: You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
```
```PowerShell
NetworkCommunicationEvents NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP" | where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10 | take 10
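Review bot: both blocks are Kusto advanced hunting queries (`NetworkCommunicationEvents | where ActionType == "ConnectionSuccess"`), not PowerShell, so the new `PowerShell` fence tag is wrong; use `kusto`, the tag the docs use for advanced hunting. In the prose, `under the ConnecionSuccess action type` is misspelled and must match the `ConnectionSuccess` literal in the query, and `RemoteIP != "ProxyIP"` needs a sentence saying `ProxyIP` is a placeholder for the proxy's address (with `!in (...)` when the proxy has several addresses).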
@ -209,7 +215,7 @@ NetworkCommunicationEvents
**How to enable the advanced network connection sensor**<br> **How to enable the advanced network connection sensor**<br>
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machines timeline you need to turn Network Protection on at least in audit mode. <br> Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machines timeline you need to turn Network Protection on at least in audit mode. <br>
Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit. <br> Network protection is a feature that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit. <br>
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br> If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br> If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
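Review bot: dropping `in Windows Defender Exploit Guard` from the network protection sentence is fine, but the two sentences that follow still name the portal inconsistently: `Windows Defender Security Center` in the Block sentence and `Microsoft Defender Security Center` in the Audit sentence; since this pass is renaming, make both `Microsoft Defender Security Center`. Also `see them in machines timeline` -> `machine timeline`.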
@ -222,9 +228,11 @@ If you do not configure this policy, network blocking will be disabled by defaul
> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode. > In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
Additional documentation: Additional documentation:
- [Applying network protection with GP policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) - [Applying network protection with GP policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) - [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
## Related topics ## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md) - [Onboard Windows 10 machines](configure-endpoints.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
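Review bot: the retitled link `[Configure machine proxy and Internet connectivity settings](.../microsoft-defender-atp/configure-proxy-internet)` now describes its target accurately, but that target is this page itself, so under `Additional documentation` it is a self-link; drop it or point it at the network protection topic the preceding paragraphs are about (the old title `Windows Defender Exploit Guard Documentation` suggests that was the intent). The first entry, `Applying network protection with GP policy CSP`, links to the Defender policy CSP, which is MDM rather than Group Policy; `Applying network protection with the Defender policy CSP` would be accurate.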