Forum Discussion
NTLM over RDP
Thanks, Eli,
What are the implications if the customer does not want to open that port on the firewall? Are there other ways to connect to the ATP endpoint besides using the internet? Maybe VPN?
jbchris, not sure I follow.
This connection is initiated from the sensor (usually installed on the DC) to the endpoint in the network that contacted the DC. In most cases the Internet is not involved...
In rare cases where the DC is opened to the internet (usually a bad idea), if a machine from the internet tries to contact the DC, we will try to "ping" it back via several methods to collect info about it.
Now, in case the customer blocked RDP ports on all the endpoints in the network, the sensor will still work, but might get hit to some degree in resolution success, which may impact detection and false positives. How much? It depends on how well the other methods we use work in your network...
We use several, as we are aware that networks can be different, and also endpoints, so when we have several ways, we increase the chances of getting a successful resolution.
- jbchris, Oct 02, 2019, Copper Contributor
Let me see if I can ask the question a better way (forgive me if I am missing something):
The customer domain is behind a firewall. ATP is in the cloud. The ATP agents, either DCs or standalone, need to communicate with ATP in the cloud.
How do the events and logs get to the ATP cloud service for analysis? Azure AD Connect? Is there documentation that explains this for me?
Thanks
- EliOfek, Oct 02, 2019, Microsoft
jbchris, not sure how this is related to NTLM or RDP,
But to your last question:
The sensors initiate a connection to the cloud via HTTPS.
You can have the FW opened just for the specific endpoints in Azure that you need for your workspace.
Another option is to configure the agents to connect via an internet proxy, if you prefer the DCs more separated, but eventually you need this data transferred to the AATP backend.
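The two network paths described in this thread (the sensor reaching endpoints on the RDP port for name resolution, and the sensor reaching the cloud workspace over HTTPS, directly or through a proxy) can be sanity-checked from the sensor host before a firewall change is finalised. The script below is an added example, not code from the thread or from Microsoft: the workspace hostname is a placeholder to replace with the endpoint shown in your own workspace configuration, and the proxy address and endpoint hostnames are constructed sample values. Only TCP 3389 (the standard RDP port) is stated as fact; the other resolution methods the reply mentions are not probed here because the thread does not name them.

```powershell
# Added example (not from the thread or from Microsoft). Run on the sensor host (usually a DC)
# to verify the two paths the replies describe: outbound HTTPS to the workspace, and the RDP
# port on the endpoints the sensor would try to resolve.
# Assumptions: $WorkspaceEndpoint is a PLACEHOLDER (replace it with the endpoint from your
# workspace configuration); $Proxy and $Endpoints are constructed sample values.
param(
    [string]$WorkspaceEndpoint = 'WORKSPACE-ENDPOINT-PLACEHOLDER.example.com',  # placeholder
    [string]$Proxy = '',                                                       # e.g. 'http://proxy.corp.example:8080' (constructed)
    [string[]]$Endpoints = @('ws01.corp.example', 'ws02.corp.example')         # constructed sample hosts
)

$RdpPort = 3389   # standard RDP port, used by the NTLM-over-RDP resolution method

# Path 1: sensor -> cloud over HTTPS (443), optionally through the internet proxy.
function Test-SensorCloudPath {
    param([string]$HostName, [string]$ProxyUrl)
    $uri = "https://$HostName/"
    try {
        if ($ProxyUrl) {
            $null = Invoke-WebRequest -Uri $uri -Proxy $ProxyUrl -Method Head -UseBasicParsing -TimeoutSec 10
        } else {
            $null = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -TimeoutSec 10
        }
        $reachable = $true
        $detail = 'HTTP response received'
    } catch {
        # Any HTTP-level response (even 4xx) proves DNS, the firewall and TLS worked end to end;
        # no response at all means the path is blocked (DNS, firewall rule, or proxy).
        $reachable = $null -ne $_.Exception.Response
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Path = 'Cloud (HTTPS 443)'; Target = $HostName; Reachable = $reachable; Detail = $detail }
}

# Path 2: sensor -> endpoints on the RDP port. A closed port is not fatal (the sensor falls
# back to its other methods), but it is the "hit in resolution success" the reply warns about.
function Test-SensorResolutionPath {
    param([string[]]$Hosts, [int]$Port)
    foreach ($h in $Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($ok) { $detail = 'port open' } else { $detail = 'blocked or host down; sensor falls back to other methods' }
        [pscustomobject]@{ Path = "NNR (RDP TCP $Port)"; Target = $h; Reachable = [bool]$ok; Detail = $detail }
    }
}

$results = @(Test-SensorCloudPath -HostName $WorkspaceEndpoint -ProxyUrl $Proxy)
$results += Test-SensorResolutionPath -Hosts $Endpoints -Port $RdpPort
$results | Format-Table -AutoSize
```

Run it once with the firewall rule or proxy setting in place and once without, and compare the Reachable column: a false on the cloud row means the sensor cannot upload at all, while a false on an NNR row only means that one resolution method is unavailable for that endpoint.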