Applies to: Azure Advanced Threat Protection
Configure endpoint proxy and Internet connectivity settings for your Azure ATP Sensor
Each Azure Advanced Threat Protection (ATP) sensor requires Internet connectivity to the Azure ATP cloud service to operate successfully. In some organizations, the domain controllers aren’t directly connected to the Internet, but are connected through a web proxy connection. Each Azure ATP sensor requires that you use the Microsoft Windows Internet (WinINET) proxy configuration to report sensor data and communicate with the Azure ATP service. If you use WinHTTP for proxy configuration, you still need to configure Windows Internet (WinINet) browser proxy settings for communication between the sensor and the Azure ATP cloud service.
When configuring the proxy, note that the embedded Azure ATP sensor service runs in system context using the LocalService account, and the Azure ATP Sensor Updater service runs in system context using the LocalSystem account.
If you're using Transparent proxy or WPAD in your network topology, you don't need to configure WinINET for your proxy.
Configure the proxy
Configure your proxy server manually using a registry-based static proxy, to allow the Azure ATP sensor to report diagnostic data and communicate with the Azure ATP cloud service when a computer is not permitted to connect to the Internet.
The registry changes should be applied only to LocalService and LocalSystem.
The static proxy is configurable through the Registry. You must copy the proxy configuration that you use in user context to LocalSystem and LocalService. To copy your user context proxy settings:
1. Make sure to back up the registry keys before you modify them.
2. In the registry, search for the value DefaultConnectionSettings (REG_BINARY) under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings and copy it.
3. If LocalSystem does not have the correct proxy settings (either they are not configured or they differ from the Current_User), then copy the proxy setting from the Current_User to LocalSystem. Under the registry key
4. Paste the value from the Current_User.
5. If LocalService does not have the correct proxy settings, then copy the proxy setting from the Current_User to LocalService. Under the registry key
6. Paste the value from the Current_User.
This will affect all applications, including Windows services, that use WinINET in the LocalService or LocalSystem context.
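The copy procedure above, scripted as an added example (not from the Azure ATP documentation): it backs up each target key, compares the LocalSystem and LocalService DefaultConnectionSettings value against the current user's, and only overwrites it when it is missing or different. It assumes the well-known SID hives HKU\S-1-5-18 (LocalSystem) and HKU\S-1-5-19 (LocalService), and an elevated session whose HKCU is the user whose proxy settings you want to copy.

```powershell
# Added example: copy the WinINet DefaultConnectionSettings REG_BINARY value from HKCU
# to the LocalSystem (S-1-5-18) and LocalService (S-1-5-19) hives. Assumes an elevated
# PowerShell session running as the user whose proxy settings are the source.
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$valueName = 'DefaultConnectionSettings'

# PowerShell does not map HKEY_USERS as a drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Source value from the current user's context (fails loudly if it is not set).
$sourceBytes = [byte[]](Get-ItemProperty -Path "HKCU:\$subKey" -Name $valueName -ErrorAction Stop).$valueName

$targets = [ordered]@{
    'LocalSystem'  = "HKU:\S-1-5-18\$subKey"
    'LocalService' = "HKU:\S-1-5-19\$subKey"
}

foreach ($name in $targets.Keys) {
    $path = $targets[$name]

    if (Test-Path $path) {
        # Step 1 of the procedure: back up the key before modifying it.
        $hivePath = $path -replace '^HKU:\\', 'HKEY_USERS\'
        $backup   = Join-Path $env:TEMP ("WinInetConnections-$name-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        & reg.exe export $hivePath $backup /y | Out-Null
        Write-Host "$name key backed up to $backup"
    } else {
        New-Item -Path $path -Force | Out-Null
    }

    # Compare byte-for-byte; a missing value counts as "not configured".
    $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $current -and (($current -join ',') -eq ($sourceBytes -join ','))) {
        Write-Host "$name already matches the current user's $valueName; no change."
        continue
    }

    Set-ItemProperty -Path $path -Name $valueName -Value $sourceBytes -Type Binary
    Write-Host "$name $valueName copied from HKCU."
}
```

Restart the Azure ATP sensor services afterwards so they pick up the new WinINet settings.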
Enable access to Azure ATP service URLs in the proxy server
If a proxy or firewall blocks all traffic by default and allows only specific domains through, or if HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with the Azure ATP service on port 443:
| Service location | .atp.azure.com DNS record |
|---|---|
You can also harden the firewall or proxy rules for a specific instance you created, by creating a rule for the following DNS records:
- <your-instance-name>.atp.azure.com – for console connectivity. For example, "Contoso-corp.atp.azure.com"
- <your-instance-name>sensorapi.atp.azure.com – for sensor connectivity. For example, "contoso-corpsensorapi.atp.azure.com"
When performing SSL inspection on the Azure ATP network traffic (between the sensor and the Azure ATP service), the SSL inspection must support mutual inspection.