Hi autopoiesis,
No, I can't recommend a specific proxy server or service for Defender for Endpoint. Any proxy that adheres to the recipe will work. Let's examine your requirements and their relationship with Defender for Endpoint:
- No TLS inspection: This is necessary for security, but may be hard to argue with security departments. Microsoft uses certificate pinning to prevent man-in-the-middle attacks, and we can't determine if a tampered connection was legitimate, so we drop it.
- Authenticated/unauthenticated connections: Most proxy servers support authenticated or unauthenticated traffic. As Defender for Endpoint services run at the SYSTEM level, authentication with a user account is not possible. A proxy server with certificate validation would confirm if the source is legitimate. This is not a necessity for Defender for Endpoint; it's more of a self-imposed standard.
- Dynamic URL lists, constantly-changing geo-specific IPs: The challenge is communication with the right URLs without TLS inspection. Ideally, endpoints should speak to a specific proxy server using static proxy configuration (GPO/Registry settings). This proxy server should only communicate with the URL list outlined in the mde-urls-commercial.xlsx. Supporting dynamic URL lists (including wildcard URLs) is critical: not mandatory, but important, and it will make the admin's life easier.
You want a proxy server that supports wildcard URLs, but it may not be required if the gateway behind the proxy has this capability. Hope this helps.
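As an added example (not part of the reply above, and not Microsoft's own tooling), the following PowerShell shows the two points the reply keeps coming back to: a static proxy for the EDR sensor set through the registry values behind the "Configure connected user experiences and telemetry" policy, and a check that the proxy is passing TLS to a Defender for Endpoint host through untouched rather than re-signing it. The proxy name `proxy.corp.example:8080`, the internal CA pattern `CN=Corp`, and the choice of `events.data.microsoft.com` as the test host are assumptions; substitute your own proxy and any host from mde-urls-commercial.xlsx.

```powershell
# Added example: static proxy for the MDE sensor plus a TLS-inspection check.
# Run elevated on a domain-joined test device. Values below are assumptions.
$ProxyHost         = 'proxy.corp.example'   # assumption: your explicit proxy
$ProxyPort         = 8080                   # assumption
$TargetHost        = 'events.data.microsoft.com'  # assumption: pick any host from mde-urls-commercial.xlsx
$InternalCaPattern = 'CN=Corp'              # assumption: subject fragment of your inspecting CA

# 1. Static proxy for the EDR sensor. These are the registry values written by the
#    GPO "Configure connected user experiences and telemetry" (TelemetryProxyServer)
#    and "Configure Authenticated Proxy usage ..." set to Disabled. The sensor runs as
#    SYSTEM, so it has no user credentials to answer a proxy auth challenge with.
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dc -Force | Out-Null
Set-ItemProperty -Path $dc -Name 'TelemetryProxyServer'    -Value "${ProxyHost}:${ProxyPort}" -Type String
Set-ItemProperty -Path $dc -Name 'DisableEnterpriseAuthProxy' -Value 1 -Type DWord
Get-ItemProperty -Path $dc | Select-Object TelemetryProxyServer, DisableEnterpriseAuthProxy

# 2. Open a CONNECT tunnel through the proxy by hand and look at who issued the
#    certificate we actually receive. A pinned client would reject a re-signed cert,
#    so this is the same thing the sensor will see.
function Get-TunneledServerCert {
    param(
        [string]$ProxyHost, [int]$ProxyPort,
        [string]$TargetHost, [int]$TargetPort = 443
    )
    $tcp    = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    $stream = $tcp.GetStream()

    # Plain HTTP CONNECT; the proxy replies with a status line before any TLS bytes flow.
    $connect = "CONNECT ${TargetHost}:${TargetPort} HTTP/1.1`r`nHost: ${TargetHost}:${TargetPort}`r`n`r`n"
    $bytes   = [System.Text.Encoding]::ASCII.GetBytes($connect)
    $stream.Write($bytes, 0, $bytes.Length)

    $buf  = New-Object byte[] 4096
    $resp = ''
    while ($resp -notmatch "`r`n`r`n") {
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -le 0) { throw 'Proxy closed the connection during CONNECT' }
        $resp += [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    }
    if ($resp -notmatch '^HTTP/1\.[01] 200') {
        $tcp.Close()
        throw "Proxy refused CONNECT: $($resp.Split("`r`n")[0])"
    }

    # Accept any chain here on purpose: we want to inspect the certificate even if
    # an inspecting CA is not trusted on this machine.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
    $ssl.AuthenticateAsClient($TargetHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    $tcp.Close()
    return $cert
}

$cert = Get-TunneledServerCert -ProxyHost $ProxyHost -ProxyPort $ProxyPort -TargetHost $TargetHost
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"

if ($cert.Issuer -match $InternalCaPattern) {
    Write-Warning "TLS to $TargetHost is being inspected (issuer matches '$InternalCaPattern'). The sensor's pinned connection will be dropped; exempt the MDE URL list from inspection."
} else {
    "No inspection detected for $TargetHost. Compare the thumbprint with a device that has direct Internet access to be sure."
}
```

The issuer check is only a heuristic for the CA name you expect an inspecting proxy to use; the thumbprint comparison against an uninspected device is the reliable confirmation. Run the check against several hosts from the URL list, since some proxies apply bypass rules per category or per wildcard rather than per host.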