Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor

Each Microsoft Defender for Identity sensor requires Internet connectivity to the Defender for Identity cloud service to report sensor data and operate successfully. In some organizations, the domain controllers aren't directly connected to the internet, but are connected through a web proxy connection.

We recommend using the command line to configure your proxy server as doing so ensures that only the Defender for Identity sensor services communicate through the proxy.

Configure proxy server using the command line

You can configure your proxy server during sensor installation using the following command line switches.

Syntax

"Azure ATP sensor Setup.exe" [/quiet] [/Help] [ProxyUrl="http://proxy.internal.com"] [ProxyUserName="domain\proxyuser"] [ProxyUserPassword="ProxyPassword"]

Switch descriptions

  • ProxyUrl – Syntax: ProxyUrl="http://proxy.contoso.com:8080". Mandatory for silent installation: No. Specifies the proxy URL and port number for the Defender for Identity sensor.

  • ProxyUserName – Syntax: ProxyUserName="Contoso\ProxyUser". Mandatory for silent installation: No. If your proxy service requires authentication, supply a user name in the DOMAIN\user format.

  • ProxyUserPassword – Syntax: ProxyUserPassword="P@ssw0rd". Mandatory for silent installation: No. Specifies the password for the proxy user name. Credentials are encrypted and stored locally by the Defender for Identity sensor.
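The following PowerShell script is an added example, not code from the original page or from Microsoft. It runs the silent installation with the proxy switches described above, prompts for the secrets instead of embedding them, and checks the installer's exit code. The installer path, proxy URL and proxy account are placeholders; the AccessKey and NetFrameworkCommandLineArguments switches are taken from the separate sensor installation documentation, not from this page, and the service names AATPSensor and AATPSensorUpdater are the names the sensor registers.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Silent sensor install that routes
# only the sensor's own traffic through an authenticated proxy.
# Installer path, proxy URL and proxy account are placeholders.

$installer = 'C:\Temp\Azure ATP sensor Setup.exe'   # assumed download location
$proxyUrl  = 'http://proxy.contoso.com:8080'
$proxyUser = 'CONTOSO\svc-mdi-proxy'

# Keep secrets out of the script body: prompt for them at run time.
# AccessKey comes from the sensor installation docs, not from this proxy page.
$accessKey = Read-Host -Prompt 'Sensor access key (from the Defender for Identity portal)'
$secure    = Read-Host -Prompt 'Proxy password' -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $proxyPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Each value is quoted because the installer uses Name="value" syntax and the
# password may contain spaces or shell metacharacters.
$arguments = @(
    '/quiet'
    'NetFrameworkCommandLineArguments="/q"'   # needed for a fully silent .NET prerequisite install
    "AccessKey=`"$accessKey`""
    "ProxyUrl=`"$proxyUrl`""
    "ProxyUserName=`"$proxyUser`""
    "ProxyUserPassword=`"$proxyPassword`""
)

$proc = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru -NoNewWindow
$proxyPassword = $null   # drop the plaintext copy as soon as setup returns
if ($proc.ExitCode -ne 0) {
    throw "Sensor setup failed with exit code $($proc.ExitCode)"
}

# After a successful install the sensor service (runs as LocalService) and the
# updater service (runs as LocalSystem) exist; confirm they are present and running.
Get-Service -Name AATPSensor, AATPSensorUpdater |
    Format-Table Name, Status, StartType -AutoSize
```

While setup runs, the proxy password is part of the installer's command line and is therefore visible to anything that records process creation with command lines (for example Security event 4688 with command-line auditing, or Sysmon event 1). Use a dedicated, least-privilege proxy account for the sensor and treat the password as exposed to local administrators and log readers.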

Alternative methods to configure your proxy server

You can use one of the following alternative methods to configure your proxy server. When you configure the proxy settings using these methods, other services running in the context of Local System or Local Service will also direct their traffic through the proxy.

Configure proxy server using WinINet

You can configure your proxy server using the Microsoft Windows Internet (WinINet) proxy configuration, so that the Defender for Identity sensor can report diagnostic data and communicate with the Defender for Identity cloud service when a computer is not permitted to connect to the Internet directly. If you use WinHTTP for proxy configuration, you still need to configure the Windows Internet (WinINet) browser proxy settings for communication between the sensor and the Defender for Identity cloud service, because the sensor does not read the WinHTTP proxy.

When configuring the proxy, remember that the embedded Defender for Identity sensor service runs under the LocalService account, and that the Defender for Identity Sensor Updater service runs under the LocalSystem account. The proxy must therefore be set for both of those accounts, not only for the interactive user.

Note

If you're using Transparent proxy or WPAD in your network topology, you don't need to configure WinINet for your proxy.

Configure proxy server using the registry

You can also configure your proxy server manually using a registry-based static proxy, to allow Defender for Identity sensor to report diagnostic data and communicate with Defender for Identity cloud service when a computer is not permitted to connect to the Internet.

Note

The registry changes should be applied only to the LocalService and LocalSystem hives (HKU\S-1-5-19 and HKU\S-1-5-18).

The static proxy is configurable through the registry. You must copy the proxy configuration that you use in user context to the LocalSystem and LocalService hives. To copy your user context proxy settings:

  1. Back up the registry keys before you modify them.

  2. In the registry, locate the REG_BINARY value DefaultConnectionSettings under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections and copy its data.

  3. If LocalSystem does not have the correct proxy settings (either they are not configured or they differ from the Current_User), copy the proxy setting from the Current_User to LocalSystem under the key HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.

  4. Paste the value copied from the Current_User DefaultConnectionSettings as REG_BINARY.

  5. If LocalService does not have the correct proxy settings, copy the proxy setting from the Current_User to LocalService under the key HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.

  6. Paste the value copied from the Current_User DefaultConnectionSettings as REG_BINARY.

Note

This will affect all applications, including Windows services, that use WinINet in the LocalService or LocalSystem context.
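The following PowerShell script is an added example, not code from the original page or from Microsoft. It automates the six registry steps above: it backs up each target key, decodes the current user's DefaultConnectionSettings blob so you can see what is about to be copied, and writes it to the LocalSystem (S-1-5-18) and LocalService (S-1-5-19) hives only when they are missing or differ. The backup folder is an assumed location, and the blob layout used by the decoder (version, counter, flags, then three length-prefixed strings: proxy server, bypass list, auto-config URL) is widely documented but is not an official Microsoft contract, so treat the decoded output as informational.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Copies the current user's WinINet
# proxy blob (DefaultConnectionSettings) to the LocalSystem (S-1-5-18) and
# LocalService (S-1-5-19) hives after backing up each target key.
# Run elevated on the domain controller, in a session of the user whose proxy
# settings are known to be correct. The HKU\S-1-5-19 hive is present while a
# LocalService process has it loaded, which is the case on a running server.

$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$valueName = 'DefaultConnectionSettings'
$backupDir = 'C:\RegBackup'   # assumed location

# HKCU: is a built-in PowerShell drive; HKU: is not, so create it.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Best-effort decode of the blob so you can see what you are about to copy.
# Layout assumption: 4-byte version, 4-byte counter, 4-byte flags, then three
# length-prefixed ASCII strings (proxy server, bypass list, auto-config URL).
function Get-WinInetProxyInfo {
    param([byte[]]$Blob)
    if ($Blob.Length -lt 24) { return $null }
    $flags = [BitConverter]::ToUInt32($Blob, 8)
    $pos = 12
    $strings = foreach ($i in 1..3) {
        $len = [BitConverter]::ToInt32($Blob, $pos); $pos += 4
        [Text.Encoding]::ASCII.GetString($Blob, $pos, $len); $pos += $len
    }
    [pscustomobject]@{
        ManualProxy   = [bool]($flags -band 2)   # flag 0x2: use a manually configured proxy
        ProxyServer   = $strings[0]
        BypassList    = $strings[1]
        AutoConfigUrl = $strings[2]
        AutoDetect    = [bool]($flags -band 8)   # flag 0x8: WPAD auto-detect
    }
}

# Step 2: read the interactive user's value.
$userBlob = (Get-ItemProperty -Path "HKCU:\$subKey" -Name $valueName).$valueName
Get-WinInetProxyInfo -Blob $userBlob | Format-List

foreach ($sid in 'S-1-5-18', 'S-1-5-19') {
    $target = "HKU:\$sid\$subKey"

    # Step 1: back up the target key. reg.exe errors if the key does not exist yet; that is fine.
    New-Item -Path $backupDir -ItemType Directory -Force | Out-Null
    & reg.exe export "HKU\$sid\$subKey" (Join-Path $backupDir "$sid-Connections.reg") /y 2>$null
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }

    # Steps 3-6: write only when the hive lacks the value or it differs from HKCU.
    $current = (Get-ItemProperty -Path $target -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $current -or
        [Convert]::ToBase64String([byte[]]$current) -ne [Convert]::ToBase64String([byte[]]$userBlob)) {
        Set-ItemProperty -Path $target -Name $valueName -Value $userBlob -Type Binary
        Write-Host "Updated $target"
    } else {
        Write-Host "$target already matches HKCU"
    }
}
```

Restart the sensor and updater services after the change so they pick up the new WinINet settings, and keep the exported .reg files: restoring them is the only clean way to undo the change for every other LocalService or LocalSystem process that now inherits the proxy.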

Enable access to Defender for Identity service URLs in the proxy server

To enable access to Defender for Identity, we recommend allowing traffic to the following URLs. The URLs automatically map to the correct service location for your Defender for Identity instance.

  • <your-instance-name>.atp.azure.com – for console connectivity. For example, contoso-corp.atp.azure.com

  • <your-instance-name>sensorapi.atp.azure.com – for sensors connectivity. For example, contoso-corpsensorapi.atp.azure.com

You can also use the IP address ranges in our Azure service tag (AzureAdvancedThreatProtection) to enable access to Defender for Identity. For more information about service tags, see Virtual network service tags or download the service tags file.

Alternatively, if you require more granular control, consider allowing traffic to the relevant endpoints from the following table:

Service location and *.atp.azure.com DNS record(s):

  • US: triprd1wcusw2sensorapi.atp.azure.com, triprd1wcuswb3sensorapi.atp.azure.com, triprd1wcuse3sensorapi.atp.azure.com

  • US GCC High: triff1wcva2sensorapi.atp.azure.us

  • Europe: triprd1wceun2sensorapi.atp.azure.com, triprd1wceuw3sensorapi.atp.azure.com

  • Asia: triprd1wcasse2sensorapi.atp.azure.com

  • UK: triprd1wcuks2sensorapi.atp.azure.com

Note

  • To ensure maximal security and data privacy, Defender for Identity uses certificate-based mutual authentication between each Defender for Identity sensor and the Defender for Identity cloud backend. If TLS (SSL) inspection is used in your environment, the inspecting device terminates the sensor's TLS session and presents its own certificate, so make sure the inspection is configured for mutual authentication, or exclude these endpoints from inspection, so that it does not interfere with the authentication process.
  • Occasionally, the Defender for Identity service IP addresses may change. Therefore, if you manually configure IP addresses or if your proxy automatically resolves DNS names to their IP address and uses them, you should periodically check that the configured IP addresses are still up-to-date.
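Because the service addresses can change, a scheduled check that resolves the sensor endpoints and compares the answers with the allow-list last pushed to the proxy or firewall catches drift before sensors go offline. The following PowerShell script is an added example, not code from the original page or from Microsoft. The instance name contoso-corp is the page's own placeholder; the allow-list path and its format (one IPv4 address per line) are assumptions.

```powershell
# Added example, not from the original page. Resolve the Defender for Identity
# sensor endpoints and report any address that is not in the allow-list you
# last configured on the proxy or firewall. Run it on a schedule; exit code 1
# means the allow-list is stale.

$endpoints = @(
    'contoso-corpsensorapi.atp.azure.com'    # <your-instance-name>sensorapi.atp.azure.com
    'triprd1wcusw2sensorapi.atp.azure.com'   # US regional records from the table above
    'triprd1wcuswb3sensorapi.atp.azure.com'
    'triprd1wcuse3sensorapi.atp.azure.com'
)
$allowListPath = 'C:\ProxyConfig\mdi-allowlist.txt'   # assumed: one IPv4 address per line

function Get-ResolvedEndpoints {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # -DnsOnly skips the hosts file and LLMNR/NetBIOS; CNAME chains are followed
        # by the resolver and only the final A records are kept.
        $records = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        if (-not $records) {
            Write-Warning "No A record for $name (DNS blocked or name retired?)"
            continue
        }
        foreach ($r in $records) {
            [pscustomobject]@{ Host = $name; IPAddress = $r.IPAddress }
        }
    }
}

$resolved = Get-ResolvedEndpoints -Names $endpoints
$known = if (Test-Path $allowListPath) {
    Get-Content $allowListPath | Where-Object { $_ -match '\S' } | ForEach-Object { $_.Trim() }
} else { @() }

$missing = $resolved | Where-Object { $known -notcontains $_.IPAddress }
if ($missing) {
    Write-Warning 'Resolved addresses that are not in the allow-list:'
    $missing | Format-Table -AutoSize
    exit 1
}
Write-Host "All $($resolved.Count) resolved addresses are already allow-listed."
```

If your proxy can filter by FQDN, prefer allowing the sensorapi.atp.azure.com names (or the AzureAdvancedThreatProtection service tag) over hand-maintained IP lists; this check is for environments that must pin addresses anyway.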

See Also