Configure endpoint proxy and Internet connectivity settings for your Azure ATP Sensor
Each Azure Advanced Threat Protection (ATP) sensor requires Internet connectivity to the Azure ATP cloud service to operate successfully. In some organizations, the domain controllers aren’t directly connected to the Internet, but are connected through a web proxy connection. Each Azure ATP sensor requires that you use the Microsoft Windows Internet (WinINET) proxy configuration to report sensor data and communicate with the Azure ATP service. If you use WinHTTP for proxy configuration, you still need to configure Windows Internet (WinINet) browser proxy settings for communication between the sensor and the Azure ATP cloud service.
When configuring the proxy, you'll need to know that the embedded Azure ATP sensor service runs in system context using the LocalService account and the Azure ATP Sensor Updater service runs in the system context using LocalSystem account.
If you're using Transparent proxy or WPAD in your network topology, you don't need to configure WinINET for your proxy.
Configure the proxy
Configure your proxy server manually using a registry-based static proxy, to allow Azure ATP sensor to report diagnostic data and communicate with Azure ATP cloud service when a computer is not permitted to connect to the Internet.
The registry changes should be applied only to LocalService and LocalSystem.
The static proxy is configurable through the Registry. You must copy the proxy configuration that you use in user context to the localsystem and localservice. To copy your user context proxy settings:
Make sure to back up the registry keys before you modify them.
In the registry, search for the value
DefaultConnectionSettingsas REG_BINARY under the registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettingsand copy it.
If the LocalSystem does not have the correct proxy settings (either they are not configured or they are different from the Current_User), then copy the proxy setting from the Current_User to the LocalSystem. Under the registry key
Paste the value from the Current_user
If the LocalService does not have the correct proxy settings, then copy the proxy setting from the Current_User to the LocalService. Under the registry key
Paste the value from the Current_User
This will affect all applications including Windows services which use WinINET with LocalService, LocalSytem context.
Enable access to Azure ATP service URLs in the proxy server
To enable access to Azure ATP allow traffic to the following URLs:
<your-instance-name>.atp.azure.com – for console connectivity. For example, "Contoso-corp.atp.azure.com"
<your-instance-name>sensorapi.atp.azure.com – for sensors connectivity. For example, "contoso-corpsensorapi.atp.azure.com"
The previous URLs automatically map to the correct service location for your Azure ATP instance. If you require more granular control, consider allowing traffic to the relevant endpoints from the following table:
|Service location||*.atp.azure.com DNS record|
When performing SSL inspection on the Azure ATP network traffic (between the sensor and the Azure ATP service), the SSL inspection must support mutual inspection.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.