SOLVED

NNR When Coming through "NAT"

%3CLINGO-SUB%20id%3D%22lingo-sub-2486629%22%20slang%3D%22en-US%22%3ENNR%20When%20Coming%20through%20%22NAT%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2486629%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20wanted%20to%20see%20if%20there%20is%20any%20real%20solution%20or%20ideas%20on%20handling%20NNR%20when%20a%20workstation%2Fclient%20is%20behind%20a%20NAT.%3CBR%20%2F%3E%3CBR%20%2F%3EWorkstations%20are%20remote%20but%20able%20to%20access%20Domain%20Controllers%20through%20a%20%22proxy%22%20and%20do%20not%20have%20an%20IP%20address%20on%20the%20local%20network%2C%20so%20none%20of%20the%20four%20Network%20Name%20Resolution%20methods%20will%20work.%20There%20is%20no%20way%20for%20direct%20outbound%20communication%20to%20reach%20workstations%20and%20no%20IP%20address%20to%20Hostname%20to%20resolve%20with%20DNS.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2486951%22%20slang%3D%22en-US%22%3ERe%3A%20NNR%20When%20Coming%20through%20%22NAT%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2486951%22%20slang%3D%22en-US%22%3EMDI%20learns%20over%20time%20(should%20be%20relatively%20quick%20for%20active%20NATs)%20that%20certain%20source%20IP%20addresses%20are%20%22NAT%22%20and%20stop%20trying%20to%20resolve%20them%20using%20NNR.%3CBR%20%2F%3EWhat%20is%20exactly%20the%20problem%20you%20see%3F%3C%2FLINGO-BODY%3E
Occasional Contributor

Just wanted to see if there is any real solution or ideas on handling NNR when a workstation/client is behind a NAT.

Workstations are remote but able to access Domain Controllers through a "proxy" and do not have an IP address on the local network, so none of the four Network Name Resolution methods will work. There is no way for direct outbound communication to reach workstations and no IP address to Hostname to resolve with DNS.

3 Replies
MDI learns over time (should be relatively quick for active NATs) that certain source IP addresses are "NAT" and stop trying to resolve them using NNR.
What is exactly the problem you see?

@Eli Ofek - Not a major problem, really, just that I would prefer the hosts be able to be resolved. In conjunction with some other tools and logs, we can in many cases go back and determine the host if needed. 

Hunting through the raw data Defender for Identity provides to CloudAppSecurity, Office365, and Sentinel has proven helpful. This has come mostly in the form of "you shouldn't be doing that" type of policy violations, but also shows where there are some apps that are not configured correctly. I'm not directly concerned (too much) with DFI's direct ability to detect. I do miss having some of that host data there in the raw logs, but this isn't specifically a DFI issue but one that comes from NAT being used. Wanted more to see if there are any thoughts/ideas around this. I'm not sure there is a real trivial solution or one at all, just normal difficulty of dealing with NATs/Proxys/Load Balancers.

best response confirmed by archedmeerkat (Occasional Contributor)
Solution
We do have some features where we sometimes can give clues about the machine name, but it's not always possible, as it's usually protocol dependent.