Forum Discussion
srogersp
Apr 05, 2022
Copper Contributor
Traffic to external IPs over port 3389 (RDP) after installing ATP sensor
Hello, We have installed the ATP sensor on on-premises DCs. However, after installation we have traffic to external IPs over port 3389 (RDP) which is being blocked at Zscaler level. Just wanted t...
srogersp
Apr 05, 2022
Copper Contributor
Hi Eli,
Thanks for your reply.
Just wanted to clarify one point: should the MDI sensor be trying to RDP against external IPs for the purposes of NNR? I wanted to know this because there are quite a few RDP deny alerts for external IPs.
EliOfek
Microsoft
Apr 05, 2022
NNR is reactive. If your DC got a connection from an external IP, then yes, we will try to NNR it as well; we currently do not filter "external IPs".
I would carefully check why an external IP can contact your DC directly, and if this is intentional.
piovisqui
Nov 21, 2023
Copper Contributor
Hi. Old question but still relevant.
We had the same issue and investigated. The external IPs did not start the connections with the DCs.
Reviewing the IP list, they were external DNS servers, so our DC queried them (started the connections) about records. This was the only explanation we got.
Can we assume the ATP uses NNR on all IPs the DC interacts with, even when the domain controller starts the connection itself?
EliOfek
Microsoft
Nov 21, 2023
piovisqui Which type of connection did the DC start?
Was it bidirectional? If yes, then we will monitor the reply, as it's a connection into the DC.
piovisqui
Nov 23, 2023
Copper Contributor
The DC started a DNS query. It ended with aged-out state and we have sent and received bytes. Does it satisfy the bi-direction requirement you mention?
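The two explanations given in this thread (NNR is reactive, so a denied outbound RDP probe from a DC follows an earlier connection with that peer; and DC-initiated queries to external DNS servers count as such connections) can be checked against firewall logs. The script below is an added example and is not code from the thread, from Zscaler, or from Microsoft. It assumes a generic `timestamp key=value ...` log format, a constructed set of deny/allow lines, and assumed environment facts (the DC addresses, the organisation's internal ranges, and the external DNS servers the DCs query); documentation ranges stand in for external addresses. For each denied DC-originated connection on port 3389 it looks for the earlier DC-to-peer traffic that would have triggered NNR and labels the likely cause so an analyst can separate inbound exposure that needs investigation from benign noise caused by the DC's own DNS lookups.

```python
"""Triage denied outbound RDP (3389) probes from domain controllers that are
likely MDI Network Name Resolution (NNR) attempts, and attribute each one to
the earlier connection that probably triggered it."""
import ipaddress
from datetime import datetime

# Constructed sample log in a generic key=value format. The schema is an
# assumption for this example, not Zscaler's or MDI's real log format.
SAMPLE_LOG = """\
2022-04-05T10:00:50Z action=allow src=203.0.113.10 dst=10.0.0.5 proto=tcp dport=445
2022-04-05T10:00:55Z action=allow src=10.0.0.5 dst=198.51.100.7 proto=udp dport=53
2022-04-05T10:01:12Z action=deny src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=3389
2022-04-05T10:01:13Z action=deny src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=3389
2022-04-05T10:02:40Z action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=3389
2022-04-05T10:03:05Z action=deny src=10.0.0.9 dst=192.0.2.44 proto=tcp dport=3389
2022-04-05T10:03:30Z action=deny src=10.0.1.20 dst=203.0.113.10 proto=tcp dport=3389
"""

# Assumed environment facts: DCs running the sensor, the organisation's own
# internal ranges (anything else is treated as external; documentation ranges
# play the external role here), and the external DNS servers the DCs query.
DC_ADDRESSES = {"10.0.0.5", "10.0.0.9"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("172.16.0.0/12"),
                     ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_DNS_SERVERS = {"198.51.100.7"}
NNR_PORTS = {3389}  # RDP, the port discussed in the thread


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr, internal_networks=INTERNAL_NETWORKS):
    """External means 'not in one of our own ranges', decided explicitly
    rather than via ipaddress.is_private (which also treats the 192.0.2.0/24,
    198.51.100.0/24 and 203.0.113.0/24 documentation ranges as non-public)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in internal_networks)


def triage_nnr_denies(log_text, dc_addresses=DC_ADDRESSES,
                      external_dns=EXTERNAL_DNS_SERVERS, nnr_ports=NNR_PORTS):
    """Return one finding per denied DC-originated probe on an NNR port,
    with the most plausible trigger based on earlier traffic in the log."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for rec in records:
        if (rec["action"] != "deny" or rec["src"] not in dc_addresses
                or rec["dport"] not in nnr_ports):
            continue
        peer = rec["dst"]
        # NNR is reactive: look for an earlier allowed connection between
        # this DC and the peer, in either direction.
        prior = [r for r in records
                 if r["ts"] < rec["ts"] and r["action"] == "allow"
                 and {r["src"], r["dst"]} == {rec["src"], peer}]
        inbound = [r for r in prior if r["src"] == peer]
        dns_out = [r for r in prior if r["dst"] == peer and r["dport"] == 53]
        if inbound:
            cause = "inbound connection from peer to DC; verify this exposure is intended"
        elif dns_out or peer in external_dns:
            cause = "DC-initiated DNS query to this server; expected NNR noise"
        else:
            cause = "no prior DC<->peer traffic in this window; review wider logs"
        findings.append({"time": rec["ts"].isoformat(), "dc": rec["src"],
                         "peer": peer, "port": rec["dport"],
                         "external": is_external(peer), "likely_cause": cause})
    return findings


if __name__ == "__main__":
    for finding in triage_nnr_denies(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script yields four findings: the probe to 203.0.113.10 is attributed to that address's earlier inbound SMB connection to the DC (the case Eli says to investigate), the probe to 198.51.100.7 to the DC's own DNS query (the case piovisqui observed), and the remaining two have no prior traffic in the window. The 10:03:30 deny is ignored because its source is not a DC. Keeping the denies in place is the conservative choice; the value of the triage is knowing which external peers reached the DC unsolicited.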