Forum Discussion

srogersp's avatar
srogersp
Copper Contributor
Apr 05, 2022

Traffic to external IP’s over port 3389 (RDP) after installing ATP sensor

Hello, We have installed ATP sensor on, on-premises DC's . However, after installation we have traffic to external IP’s over port 3389 (RDP) which is being blocked at Zscaler level. Just wanted t...
piovisqui's avatar
piovisqui
Copper Contributor
Nov 21, 2023
Hi. Old question but still relevant.

We had the same issue and investigated. The external IPs did not started the connections with the DCs.
Reviewing the IP list they were external DNS servers, so our DC queried (started connections) them about records. This was the only explanation we got.

Can we assume the ATP uses NNR onde all IPs the DC interacts, even when the domain controller starts the connection itself?
EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Nov 21, 2023

piovisqui Which type of connection did the DC start ? 
was it bi directional ? if yes, then we will monitor the reply as it's a connection into the DC.

  • piovisqui's avatar
    piovisqui
    Copper Contributor
    Nov 23, 2023
    The DC started a DNS query. It ended with aged-out state and we have sent and received bytes. Does it satisfy the bi-direction requirement you mention?
    • EliOfek's avatar
      EliOfek
      Icon for Microsoft rankMicrosoft
      Nov 24, 2023

      piovisqui on which port did you get the traffic from outside ? was it a standard DNS port ?

      • piovisqui's avatar
        piovisqui
        Copper Contributor
        Jan 16, 2024
        Yes, port 53 UDP.