Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor
Each Microsoft Defender for Identity sensor requires Internet connectivity to the Defender for Identity cloud service to report sensor data and operate successfully. In some organizations, the domain controllers aren't directly connected to the internet, but are connected through a web proxy connection.
We recommend using the command line to configure your proxy server as doing so ensures that only the Defender for Identity sensor services communicate through the proxy.
Configure proxy server using the command line
You can configure your proxy server during sensor installation using the following command line switches.
"Azure ATP sensor Setup.exe" [/quiet] [/Help] [ProxyUrl="http://proxy.internal.com"] [ProxyUserName="domain\proxyuser"] [ProxyUserPassword="ProxyPassword"]
| Name | Syntax | Mandatory for silent installation? | Description |
|---|---|---|---|
| ProxyUrl | ProxyUrl="http://proxy.contoso.com:8080" | No | Specifies the ProxyUrl and port number for the Defender for Identity sensor. |
| ProxyUserName | ProxyUserName="Contoso\ProxyUser" | No | If your proxy service requires authentication, supply a user name in the DOMAIN\user format. |
| ProxyUserPassword | ProxyUserPassword="P@ssw0rd" | No | Specifies the password for the proxy user name. *Credentials are encrypted and stored locally by the Defender for Identity sensor. |
Alternative methods to configure your proxy server
You can use one of the following alternative methods to configure your proxy server. When you configure the proxy settings using these methods, other services running in the Local System or Local Service context will also direct their traffic through the proxy.
Configure proxy server using WinINet
You can configure your proxy server using Microsoft Windows Internet (WinINet) proxy configuration, to allow the Defender for Identity sensor to report diagnostic data and communicate with the Defender for Identity cloud service when a computer is not permitted to connect to the Internet directly. If you use WinHTTP for proxy configuration, you still need to configure the Windows Internet (WinINet) browser proxy settings for communication between the sensor and the Defender for Identity cloud service.
When configuring the proxy, remember that the embedded Defender for Identity sensor service runs in the system context using the LocalService account, and that the Defender for Identity Sensor Updater service runs in the system context using the LocalSystem account.
If you're using a transparent proxy or WPAD in your network topology, you don't need to configure WinINet for your proxy.
Configure proxy server using the registry
You can also configure your proxy server manually using a registry-based static proxy, to allow the Defender for Identity sensor to report diagnostic data and communicate with the Defender for Identity cloud service when a computer is not permitted to connect to the Internet directly.
The registry changes should be applied only to LocalService and LocalSystem.
The static proxy is configurable through the registry. You must copy the proxy configuration that you use in the user context to the LocalSystem and LocalService accounts. To copy your user-context proxy settings:
1. Make sure to back up the registry keys before you modify them.
2. In the registry, search for the value DefaultConnectionSettings (REG_BINARY) under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings and copy it.
3. If LocalSystem does not have the correct proxy settings (either they are not configured or they differ from the Current_User settings), copy the proxy setting from the Current_User to LocalSystem. Under the registry key
   Paste the value from the Current_User.
4. If LocalService does not have the correct proxy settings, copy the proxy setting from the Current_User to LocalService. Under the registry key
   Paste the value from the Current_User.
This affects all applications, including Windows services, that use WinINet in the LocalService or LocalSystem context.
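The copy procedure above, as an added PowerShell example that is not part of the Microsoft article. It reads the REG_BINARY DefaultConnectionSettings value from HKCU, backs up each target key, and writes the value only where it is missing or differs. The article leaves the target key paths unstated; this example assumes the LocalSystem and LocalService per-user hives are mounted under HKEY_USERS as the well-known SIDs S-1-5-18 and S-1-5-19.

```powershell
# Added example (not from the Microsoft article): copy the WinINet
# DefaultConnectionSettings value from the current user's hive to the
# LocalSystem and LocalService hives, with a backup and a compare step.
# Assumption: those accounts' per-user hives are mounted under HKEY_USERS
# as S-1-5-18 (LocalSystem) and S-1-5-19 (LocalService).
# Run from an elevated PowerShell session on the sensor host.

$relPath   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$valueName = 'DefaultConnectionSettings'
$source    = "HKCU:\$relPath"
$targets   = [ordered]@{
    LocalSystem  = "HKEY_USERS\S-1-5-18\$relPath"
    LocalService = "HKEY_USERS\S-1-5-19\$relPath"
}

# Read the user-context proxy blob (REG_BINARY is returned as a byte array).
$srcBytes = (Get-ItemProperty -Path $source -Name $valueName -ErrorAction Stop).$valueName
if (-not $srcBytes) { throw "No $valueName under $source; set the user-context proxy first." }

$backupDir = Join-Path $env:TEMP ('wininet-proxy-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir | Out-Null

foreach ($name in $targets.Keys) {
    $regPath = $targets[$name]          # reg.exe style path
    $psPath  = "Registry::$regPath"     # PowerShell provider path

    if (Test-Path $psPath) {
        # Back up the target key before modifying it.
        & reg.exe export $regPath (Join-Path $backupDir "$name.reg") /y | Out-Null
        $existing = (Get-ItemProperty -Path $psPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    } else {
        New-Item -Path $psPath -Force | Out-Null
        $existing = $null
    }

    # Write only when the target value is missing or differs from the user-context value.
    if ($existing -and (($existing -join ',') -eq ($srcBytes -join ','))) {
        Write-Output "$name already matches the current user's proxy settings; skipping."
        continue
    }

    # Note: every WinINet client running as this account will now use the proxy.
    Set-ItemProperty -Path $psPath -Name $valueName -Value ([byte[]]$srcBytes) -Type Binary
    Write-Output "Copied $valueName to $name ($regPath); backup in $backupDir"
}
```

Restore a key with `reg.exe import <name>.reg` from the backup directory if the sensor loses connectivity after the change.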
Enable access to Defender for Identity service URLs in the proxy server
To enable access to Defender for Identity, we recommend allowing traffic to the following URLs. The URLs automatically map to the correct service location for your Defender for Identity instance.
- <your-instance-name>.atp.azure.com: for console connectivity. For example,
- <your-instance-name>sensorapi.atp.azure.com: for sensor connectivity. For example,
You can also use the IP address ranges in our Azure service tag (AzureAdvancedThreatProtection) to enable access to Defender for Identity. For more information about service tags, see Virtual network service tags or download the service tags file.
Alternatively, if you require more granular control, consider allowing traffic to the relevant endpoints from the following table:
| Service location | *.atp.azure.com DNS record |
|---|---|
| US GCC High | |
- To ensure maximal security and data privacy, Defender for Identity uses certificate-based mutual authentication between each Defender for Identity sensor and the Defender for Identity cloud backend. If SSL inspection is used in your environment, make sure that the inspection is configured for mutual authentication so that it does not interfere with the authentication process.
- Occasionally, the Defender for Identity service IP addresses may change. Therefore, if you manually configure IP addresses or if your proxy automatically resolves DNS names to their IP address and uses them, you should periodically check that the configured IP addresses are still up-to-date.