Applies to: Azure Advanced Threat Protection

Configure endpoint proxy and Internet connectivity settings for your Azure ATP Sensor

Each Azure Advanced Threat Protection (ATP) sensor requires Internet connectivity to the Azure ATP cloud service to operate successfully. In some organizations, the domain controllers aren’t directly connected to the Internet, but are connected through a web proxy connection. Each Azure ATP sensor requires that you use the Microsoft Windows Internet (WinINET) proxy configuration to report sensor data and communicate with the Azure ATP service. If you use WinHTTP for proxy configuration, you still need to configure Windows Internet (WinINet) browser proxy settings for communication between the sensor and the Azure ATP cloud service.

When configuring the proxy, you'll need to know that the embedded Azure ATP sensor service runs in system context using the LocalService account and the Azure ATP Sensor Updater service runs in the system context using LocalSystem account.

Note

If you're using Transparent proxy or WPAD in your network topology, you don't need to configure WinINET for your proxy.

Configure the proxy

Configure your proxy server manually using a registry-based static proxy, to allow Azure ATP sensor to report diagnostic data and communicate with Azure ATP cloud service when a computer is not permitted to connect to the Internet.

Note

The registry changes should be applied only to LocalService and LocalSystem.

The static proxy is configurable through the Registry. You must copy the proxy configuration that you use in user context to the localsystem and localservice. To copy your user context proxy settings:

  1. Make sure to back up the registry keys before you modify them.

  2. In the registry, search for the value DefaultConnectionSettings as REG_BINARY under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings and copy it.

  3. If the LocalSystem does not have the correct proxy settings (either they are not configured or they are different from the Current_User), then copy the proxy setting from the Current_User to the LocalSystem. Under the registry key HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings.

  4. Paste the value from the Current_user DefaultConnectionSettings as REG_BINARY.

  5. If the LocalService does not have the correct proxy settings, then copy the proxy setting from the Current_User to the LocalService. Under the registry key HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings.

  6. Paste the value from the Current_User DefaultConnectionSettings as REG_BINARY.

Note

This will affect all applications including Windows services which use WinINET with LocalService, LocalSytem context.

Enable access to Azure ATP service URLs in the proxy server

If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with the Azure ATP service in port 443:

Service location .Atp.Azure.com DNS record
US triprd1wcusw1sensorapi.atp.azure.com
triprd1wcuswb1sensorapi.atp.azure.com
triprd1wcuse1sensorapi.atp.azure.com
Europe triprd1wceun1sensorapi.atp.azure.com
triprd1wceuw1sensorapi.atp.azure.com
Asia triprd1wcasse1sensorapi.atp.azure.com

You can also harden the firewall or proxy rules for a specific instance you created, by creating a rule for the following DNS records:

  • <your-instance-name>.atp.azure.com – for console connectivity. For example, "Contoso-corp.atp.azure.com"
  • <your-instance-name>sensorapi.atp.azure.com – for sensors connectivity. For example, "contoso-corpsensorapi.atp.azure.com"

Note

When performing SSL inspection on the Azure ATP network traffic (between the sensor and the Azure ATP service), the SSL inspection must support mutual inspection.

See Also