Forum Discussion
srogersp
Apr 05, 2022, Copper Contributor
Traffic to external IPs over port 3389 (RDP) after installing ATP sensor
Hello, We have installed the ATP sensor on on-premises DCs. However, after installation we have traffic to external IPs over port 3389 (RDP) which is being blocked at Zscaler level. Just wanted t...
EliOfek
Apr 05, 2022, Microsoft
- srogersp, Apr 05, 2022, Copper Contributor
Hi Eli,
Thanks for your reply.
Just wanted to clarify one point: should the MDI sensor be trying to RDP for purposes of NNR against external IPs? I wanted to know this because there are quite a few RDP deny alerts for external IPs.

- EliOfek, Apr 05, 2022, Microsoft
NNR is reactive. If your DC got a connection from an external IP, then yes, we will try to NNR it as well; we currently do not filter "external IPs".
I would carefully check why an external IP can contact your DC directly, and if this is intentional.

- piovisqui, Nov 21, 2023, Copper Contributor
Hi. Old question but still relevant.
We had the same issue and investigated. The external IPs did not start the connections with the DCs.
Reviewing the IP list, they were external DNS servers, so our DC queried them (started the connections) about records. This was the only explanation we got.
Can we assume the ATP uses NNR on all IPs the DC interacts with, even when the domain controller starts the connection itself?
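
One way to triage the deny alerts discussed in this thread, as an added example that is not part of any post above: for each blocked DC-to-external 3389 attempt, look up which side opened the other recorded flow with that address. The record layout, the addresses, the internal range and the function names are all constructed assumptions; adapt them to your own proxy and flow log exports.

```python
import ipaddress

# Assumptions (constructed for this example): your own address plan goes here.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DC_IPS = {"10.0.0.10"}

# Constructed proxy/firewall deny records: (source, destination, dest_port)
DENIES = [
    ("10.0.0.10", "198.51.100.53", 3389),
    ("10.0.0.10", "203.0.113.77", 3389),
    ("10.0.0.10", "192.0.2.200", 3389),
    ("10.0.0.10", "10.0.5.20", 3389),    # internal target, ignored below
]

# Constructed flow records seen at the DC: (source, destination, dest_port)
FLOWS = [
    ("10.0.0.10", "198.51.100.53", 53),  # DC queried an external DNS server
    ("203.0.113.77", "10.0.0.10", 445),  # external host connected to the DC
]

def is_external(ip):
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(denies, flows):
    """Label each external RDP deny from a DC by who opened the other flow."""
    result = {}
    for src, dst, port in denies:
        if src not in DC_IPS or port != 3389 or not is_external(dst):
            continue
        # Ports of flows the external host opened towards the DC.
        inbound = sorted(p for s, d, p in flows if s == dst and d == src)
        # Ports of flows the DC opened towards it (excluding the RDP probe).
        outbound = sorted(p for s, d, p in flows
                          if s == src and d == dst and p != 3389)
        if inbound:
            result[dst] = ("external-initiated", inbound)
        elif outbound:
            result[dst] = ("dc-initiated", outbound)
        else:
            result[dst] = ("no-matching-flow", [])
    return result

if __name__ == "__main__":
    for ip, (label, ports) in triage(DENIES, FLOWS).items():
        print(f"{ip:16} {label:20} ports={ports}")
```

Addresses labelled external-initiated are the ones to review first, since they mean an external host reached the DC directly; dc-initiated entries on port 53 match the external DNS server pattern described in the last post.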