Forum Discussion

Copper Contributor

Dec 02, 2021

Error Installing ATP sensor on DC

Hi, Installing on Windows server 2019 DC Worked on one DC and failed on the second one. It says its about proxy or SSL incpection but using the same network configuration for both DC..... Only...

Martin_Schvartzman

Icon for Microsoft rank

Microsoft

Jun 16, 2022

No. It's not required for .NET v2.0. But you may be encountering a different issue.

Did you install the sensor with the proxyUrl switch, or are you using a transparent proxy? It (the proxy) might be doing SSL inspection and it's breaking the sensor's communication.

Brass Contributor

Jun 16, 2022

We installed it with the proxyURL switch and it is doing SSL inspection.
I did not read anything in the documentation that SSL inspection is forbidded...

EliOfek
Microsoft
Jun 17, 2022
https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#applyinternal-failed-two-way-ssl-connection-to-service-error

The sensor is doing mutual authentication, thus ssl inspection will fail it.
- aexlz
  Brass Contributor
  Jun 17, 2022
  Thank you for yor confirmation. We will disable ssl inspection.
  However: It would be an advantage if this was cleary stated in the documentation like e.g. for Defender for Endpoint:
  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-support-connectivity?view=o365-worldwide#troubleshooting-steps-for-environments-with-static-proxy
  - Martin_Schvartzman
    Microsoft
    Jul 06, 2022
    aexlz
    
    We updated the documentation:
    https://docs.microsoft.com/en-us/defender-for-identity/configure-proxy#:~:text=SSL%20inspection%20and%20intercepting%20proxies%20are%20not%20supported%20for%20security%20reasons.%20Your%20proxy%20server%20should%20allow%20the%20data%20to%20directly%20pass%20from%20the%20Defender%20for%20Identity%20sensors%20to%20the%20relevant%20URLs%20without%20interception.