locked
ATA Lightweight strange behavior "contacting servers/client workstations" RRS feed

  • Question

  • Hi,

    we've deployed ATA 1.6 w update 1 and as per the attachment snap, the lightweight GW on DC started communicating not only with the ATA center but also with client workstations and servers. i need to know why LW GW does this behavior.

    Thanks.

    • Edited by Hany Mansour Wednesday, August 24, 2016 10:37 AM
    Wednesday, August 24, 2016 10:32 AM

All replies

  • Hi Hany

    The ATA Gateway service (doesn’t matter if it is the ATA Gateway or the Lightweight Gateway), will resolve the IP addresses seen in the network traffic to a computer name. This active network name resolution  is performed by attempting to contact the IP address either with NTLM over RPC or NetBIOS connection. This gives ATA the highest confidence of the name of the device that is sending that traffic. Just looking at the IP address is not sufficient as IP addresses assigned to a device will change, even multiple times a day. ATA will then lookup to see if there is an object in AD with the same name.

     

    This requirement is documented in the requirements for the Lightweight Gateway located here, https://docs.microsoft.com/en-us/advanced-threat-analytics/plan-design/ata-prerequisites#ata-lightweight-gateway-requirements.  

    HTH

    ATA Customer Experience Team


    Gershon Levitz [MSFT]

    Wednesday, August 24, 2016 12:34 PM