srogersp
Apr 05, 2022

Traffic to external IPs over port 3389 (RDP) after installing ATP sensor

Hello,

We have installed the ATP sensor on on-premises DCs.
However, after installation we have traffic to external IPs over port 3389 (RDP), which is being blocked at the Zscaler level. Just wanted to know if there is a specific application or task making the connection to external IPs. And is this expected behavior? If yes, can you please explain a bit about this process?

    • srogersp
      Hi Eli,

      Thanks for your reply.
      Just wanted to clarify one point: should the MDI sensor be trying to RDP for purposes of NNR against external IPs? Wanted to know this because there are quite a few RDP deny alerts for external IPs.
      • EliOfek
        Microsoft
        NNR is reactive. If your DC got a connection from an external IP, then yes, we will try to NNR it as well; we currently do not filter "external IPs".
        I would carefully check why an external IP can contact your DC directly, and if this is intentional.
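
Added example, not part of the original posts and not Microsoft's code: one way to follow the advice above is to check whether each external IP behind a denied RDP attempt had first connected to the DC, which is what reactive NNR would produce. The two log formats, the sample records, the internal ranges and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: these ranges are the internal address space; anything else is external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (documentation-range IPs), not real logs.
# Inbound connections seen on the DC: "time src_ip dst_port"
DC_INBOUND = """\
2022-04-05T09:00:01 10.1.2.30 389
2022-04-05T09:00:07 203.0.113.45 445
2022-04-05T09:01:12 198.51.100.7 88
"""
# Outbound attempts from the DC denied at the proxy: "time dst_ip dst_port"
PROXY_DENIES = """\
2022-04-05T09:00:09 203.0.113.45 3389
2022-04-05T09:01:15 198.51.100.7 3389
2022-04-05T09:05:00 192.0.2.99 3389
"""

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def parse(text):
    for line in text.splitlines():
        ts, ip, port = line.split()
        yield datetime.fromisoformat(ts), ip, int(port)

def correlate(inbound_text, denies_text, window=timedelta(minutes=5)):
    """Split denied RDP attempts into those preceded by an inbound connection
    from the same external IP (consistent with reactive NNR) and those not."""
    inbound = {}
    for ts, src, port in parse(inbound_text):
        if is_external(src):
            inbound.setdefault(src, []).append((ts, port))
    explained, unexplained = [], []
    for ts, dst, port in parse(denies_text):
        if port != 3389 or not is_external(dst):
            continue
        # DC ports this IP reached shortly before the denied RDP attempt
        hits = sorted({p for t, p in inbound.get(dst, []) if timedelta(0) <= ts - t <= window})
        if hits:
            explained.append((dst, hits))
        else:
            unexplained.append(dst)
    return explained, unexplained

if __name__ == "__main__":
    print(correlate(DC_INBOUND, PROXY_DENIES))
```

The first list gives the external IPs that reached the DC and on which ports, which is the exposure to review; the second list holds denied RDP attempts that no prior inbound connection accounts for.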