Forum Discussion

tanves's avatar
tanves
Copper Contributor
Dec 04, 2019
Solved

Error Communication WebClient

We are deploying Azure ATP Sensor on a DC and are getting the following error:   2019-12-04 15:06:10.3678 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.Extend...
  • EliOfek's avatar
    EliOfek
    Dec 06, 2019
    Both SamName and full UPN formats should work. Set the dc domain of the account. This is if all domains have full 2 way trust.
EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Dec 04, 2019

tanves 

This error means there is still a networking issue which blocks the sensor from contacting the AATP Azure backend via HTTPS/443.

Although  white listed, it might still be blocked int he proxy or somewhere else.

Note: If you install the sensor in silent mode, you have an option to install it with proxy support, including a proxy that requires an authentication, so instead of trying to bypass the proxy, maybe try to work with it...

  https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-silent-installation#proxy-authentication

tanves's avatar
tanves
Copper Contributor
Dec 05, 2019

EliOfek 

Thanks for the quick turnaround! Very much appreciated!

 

We did start off with setting the proxy authentication and attempting connection via that route by using the silent mode install method. Gradually we then started troubleshooting and reached a point where we had to whitelist the server IP on the proxy without any success.

 

We are going to check our perimeter firewall to validate if any traffic is being dropped there.

 

In the meanwhile, does anyone know if there are any specific ports that need to be opened up for traffic related to ATP sensor communication?

  • EliOfek's avatar
    EliOfek
    Icon for Microsoft rankMicrosoft
    Dec 05, 2019

    tanves 

    Just 443, both to azure, and to localhost.

    (The sensor service is communicating with the updater service via localhsot 443 as well).

    • tanves's avatar
      tanves
      Copper Contributor
      Dec 06, 2019

      EliOfek 

      Thanks for your assistance so far! We had traffic on 443 getting dropped on our Perimeter Firewall. Once the DC IP was allowed to communicate over that port, we saw a new set of errors.

       

      These errors have been discussed in the Tech Community

      https://techcommunity.microsoft.com/t5/Microsoft-Advanced-Threat/Azure-Advanced-Thread-Protection-Sensor-service-failed-to-start/m-p/293855

       

      In our case, we have a forest where the root domain is root.com with two child domains, partner.root.com and partner1.root.com (I have used example names). We are testing ATP sensor install on partner.root.com. We are using an account which is created in partner1.root.com as that is our user domain. Questions I had were, under Directory Services config on the portal:

       

      - In the user name do I put just the SAM account or the UPN excluding the domain name

      - In the domain, do I put partner1.root.com or partner.root.com or root.com

       

      Any help on this matter would be greatly appreciated!

      • EliOfek's avatar
        EliOfek
        Icon for Microsoft rankMicrosoft
        Dec 06, 2019
        Both SamName and full UPN formats should work. Set the dc domain of the account. This is if all domains have full 2 way trust.

Resources