Mar 22 2021 12:37 PM - edited Mar 22 2021 03:04 PM
Microsoft Edge Version 91.0.834.0 (Official build) canary (64-bit)
The newly added flag for this feature: edge://flags/#edge-wdag-traffic-identification
If enabled, Application Guard traffic will be tagged with a X-MS-ApplicationGuard-Initiated header
– Windows
By the way, if any user or developer is reading this, can you help me understand how exactly we should monitor WDAG connections?
There are some difficulties I've been trying to solve in the past few hours.
Fiddler cannot work with Application Guard because of a small incompatibility.
The Microsoft FAQ about Application Guard has this section:
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as 192.168.1.4:81 can be annotated as itproxy:81 or using a record such as P19216810010 for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
If you start Fiddler and go to Settings > Network & Internet > Proxy, you will see under "Manual proxy setup" that:
The problem here is that Application Guard does not accept such a URL, as it requires the proxy to be identified by name and not by IP address.
If you now try to change that URL to https=localhost:8888 so as to give it a name, and then click the Save button, Fiddler will immediately turn Capture to Off, and will put up a large notice in yellow saying: "The system proxy was changed. Click to reenable capturing". And if you click the yellow header ... the proxy's URL in Settings returns to http=127.0.0.1:8888;https=127.0.0.1:8888 (!).
As far as I can see, the situation is unsolvable: The two applications are mutually incompatible. This might perhaps be by design.
I have tried the new Fiddler and Charles proxy too, unfortunately they all set Windows proxy settings to 127.0.0.1, so only a debugger that uses named proxy would help here.
May 02 2022 04:11 AM
You can use header inspection on your proxy (be aware, ssl deep inspection must be enabled) to use this header to identify the traffic as source.
Btw to your fiddler problem, you can use a local fiddler if you open up the port in the firewall and use the clientname as proxy connection (just set in the gpo for edge application guard the local computer as proxy)
My problem is....i dont have this flag in edge 100 -.-