Configure device proxy and Internet connectivity settings

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service.

The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service.

Tip

For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see Investigate connection events that occur behind forward proxies.

The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:

  • Auto-discovery methods:

    • Transparent proxy

    • Web Proxy Auto-discovery Protocol (WPAD)

      Note

      If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see Enable access to Defender for Endpoint service URLs in the proxy server.

  • Manual static proxy configuration:

    • Registry-based configuration
    • WinHTTP configured using the netsh command – suitable only for desktops in a stable topology (for example, a desktop in a corporate network behind the same proxy)

Configure the proxy server manually using a registry-based static proxy

Configure a registry-based static proxy to allow only the Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not permitted to connect to the Internet.

Note

The static proxy is configurable through Group Policy (GP). The group policy can be found under:

  • Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
    • Set it to Enabled and select Disable Authenticated Proxy usage: [Image: Group Policy setting 1]
  • Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry:
    • Configure the proxy:
      [Image: Group Policy setting 2]

      The policy sets two registry values under the registry key HKLM\Software\Policies\Microsoft\Windows\DataCollection: TelemetryProxyServer as REG_SZ and DisableEnterpriseAuthProxy as REG_DWORD.

      The registry value TelemetryProxyServer takes the following string format:

      <server name or ip>:<port>

      For example: 10.0.0.6:8080

      The registry value DisableEnterpriseAuthProxy should be set to 1.
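The following PowerShell script is an added example (not from this documentation page or from Microsoft) that writes the two registry values described above and reads them back to confirm they persisted. It assumes an elevated session and uses the page's sample proxy address 10.0.0.6:8080 as a placeholder value.

```powershell
# Added example: configure the registry-based static proxy for the Defender for Endpoint sensor.
# Assumptions: run in an elevated PowerShell session; $ProxyServer is replaced with your proxy.
$ProxyServer = '10.0.0.6:8080'   # sample value from the page; replace with your <server name or ip>:<port>
$KeyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# Validate the "<server name or ip>:<port>" format before touching the registry, so a typo does not
# leave the sensor pointed at a proxy that does not exist (the sensor would then fall back to direct).
if ($ProxyServer -notmatch '^[A-Za-z0-9.\-]+:(\d{1,5})$') {
    throw "TelemetryProxyServer must be in the form <server name or ip>:<port>, got '$ProxyServer'"
}
if ([int]$Matches[1] -gt 65535) {
    throw "Port in '$ProxyServer' is out of range"
}

# The policy key does not exist until a policy or an admin creates it.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# TelemetryProxyServer is REG_SZ; DisableEnterpriseAuthProxy is REG_DWORD and must be 1.
New-ItemProperty -Path $KeyPath -Name 'TelemetryProxyServer' -Value $ProxyServer `
    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'DisableEnterpriseAuthProxy' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Read the values back so a failed or partially applied write is caught immediately.
$current = Get-ItemProperty -Path $KeyPath
if ($current.TelemetryProxyServer -ne $ProxyServer -or $current.DisableEnterpriseAuthProxy -ne 1) {
    throw 'Registry values did not persist as expected'
}
"TelemetryProxyServer       = $($current.TelemetryProxyServer)"
"DisableEnterpriseAuthProxy = $($current.DisableEnterpriseAuthProxy)"
```

If the values are also delivered by Group Policy, the policy will overwrite them on the next refresh, so keep the script and the GPO consistent.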

Configure the proxy server manually using the netsh command

Use netsh to configure a system-wide static proxy.

Note

  • This will affect all applications, including Windows services that use WinHTTP with the default proxy.
  • Laptops that change topology (for example, from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.

  1. Open an elevated command line:

    a. Go to Start and type cmd.

    b. Right-click Command Prompt and select Run as administrator.

  2. Enter the following command and press Enter:

    netsh winhttp set proxy <proxy>:<port>

    For example: netsh winhttp set proxy 10.0.0.6:8080

To reset the WinHTTP proxy, enter the following command and press Enter:

netsh winhttp reset proxy

See Netsh Command Syntax, Contexts, and Formatting to learn more.

Enable access to Microsoft Defender for Endpoint service URLs in the proxy server

If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.

The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.

Spreadsheet of domains list                                         Description
[Image: Microsoft Defender for Endpoint URLs spreadsheet thumbnail]  Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

Download the spreadsheet here.

If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.

Note

settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.

Note

URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, us-v20.events.data.microsoft.com is needed for a Windows 10 device running version 1803 or later and onboarded to the US Data Storage region.

Note

If you are using Microsoft Defender Antivirus in your environment, see Configure network connections to the Microsoft Defender Antivirus cloud service.

If a proxy or firewall is blocking anonymous traffic, make sure anonymous traffic is permitted to the previously listed URLs, because the Defender for Endpoint sensor connects from system context.

Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server

The information below lists the proxy and firewall configuration required to communicate with the Log Analytics agent (often referred to as Microsoft Monitoring Agent) for previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.

Agent Resource               Ports     Direction  Bypass HTTPS inspection
*.ods.opinsights.azure.com   Port 443  Outbound   Yes
*.oms.opinsights.azure.com   Port 443  Outbound   Yes
*.blob.core.windows.net      Port 443  Outbound   Yes
*.azure-automation.net       Port 443  Outbound   Yes

Note

As a cloud-based solution, the IP range can change. It's recommended that you move to a DNS resolving setting.

Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements

Please see the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows.

  1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see Onboard previous versions of Windows on Defender for Endpoint and Onboard Windows servers).

  2. Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal.

  3. Run the TestCloudConnection.exe tool from "C:\Program Files\Microsoft Monitoring Agent\Agent" to validate the connectivity and to see the required URLs for your specific workspace.

  4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs Spreadsheet).

[Image: Administrator in Windows PowerShell]

The wildcards (*) used in the *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal.

The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the "Firewall Rule: *.blob.core.windows.net" section of the test results.

Note

In the case of onboarding via Azure Defender, multiple workspaces may be used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).

Verify client connectivity to Microsoft Defender for Endpoint service URLs

Verify that the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.

  1. Download the MDATP Client Analyzer tool to the PC where the Defender for Endpoint sensor is running.

  2. Extract the contents of MDATPClientAnalyzer.zip on the device.

  3. Open an elevated command line:

    a. Go to Start and type cmd.

    b. Right-click Command Prompt and select Run as administrator.

  4. Enter the following command and press Enter:

    HardDrivePath\MDATPClientAnalyzer.cmd

    Replace HardDrivePath with the path where the MDATPClientAnalyzer tool was downloaded to, for example:

    C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd

  5. Extract the MDATPClientAnalyzerResult.zip file created by the tool in the folder used in the HardDrivePath.

  6. Open MDATPClientAnalyzerResult.txt and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    The tool checks the connectivity of the Defender for Endpoint service URLs that the Defender for Endpoint client is configured to interact with. It then prints the results into the MDATPClientAnalyzerResult.txt file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:

    Testing URL : https://xxx.microsoft.com/xxx
    1 - Default proxy: Succeeded (200)
    2 - Proxy auto discovery (WPAD): Succeeded (200)
    3 - Proxy disabled: Succeeded (200)
    4 - Named proxy: Doesn't exist
    5 - Command line proxy: Doesn't exist

If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.

However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in Enable access to Defender for Endpoint service URLs in the proxy server. The URLs you'll use will depend on the region selected during the onboarding procedure.
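As an added example (not part of this page or of the MDATP Client Analyzer tool), the PowerShell script below reads MDATPClientAnalyzerResult.txt in the format shown above and applies the rule just described: a URL is reachable when at least one connectivity option returned (200), while "Doesn't exist" entries are not counted as failures. The result file path is an assumption taken from the example path in step 4; a constructed sample in the page's format is used when that file is absent.

```powershell
# Added example: summarise MDATPClientAnalyzerResult.txt per tested URL.
# Assumption: $ResultFile points at the extracted result file; otherwise a constructed sample is used.
param([string]$ResultFile = 'C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzerResult.txt')

function Get-ConnectivitySummary {
    param([string[]]$Lines)
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Testing URL\s*:\s*(\S+)') {
            # A new "Testing URL :" line starts the block for the next URL.
            if ($current) { $results += $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Succeeded = @(); Failed = @() }
        }
        elseif ($current -and $line -match '^\s*\d+\s*-\s*(.+?):\s*(.+)$') {
            $method  = $Matches[1]
            $outcome = $Matches[2]
            if ($outcome -match '\(200\)') { $current.Succeeded += $method }
            # "Doesn't exist" means the option was not configured, not that it failed;
            # anything else (an HTTP error) is recorded for the admin to act on.
            elseif ($outcome -notmatch "Doesn't exist") { $current.Failed += "$method -> $outcome" }
        }
    }
    if ($current) { $results += $current }
    return $results
}

# Constructed sample in the page's output format, used only when the real file is not present.
$sample = @'
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
'@ -split "`r?`n"

$lines = if (Test-Path $ResultFile) { Get-Content $ResultFile } else { $sample }

foreach ($r in Get-ConnectivitySummary $lines) {
    if ($r.Succeeded.Count -gt 0) {
        "OK    $($r.Url) via: $($r.Succeeded -join ', ')"
    } else {
        # No option returned (200): revisit the proxy configuration and the URL allow-list.
        "FAIL  $($r.Url): $($r.Failed -join '; ')"
    }
}
```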

Note

The Connectivity Analyzer tool is not compatible with the ASR rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool.

Note

When TelemetryProxyServer is set, in the registry or via Group Policy, Defender for Endpoint will fall back to a direct connection if it can't access the defined proxy.