locked
Deploy Advanced Threat Analytics with stand alone DNS appliances RRS feed

  • Question

  • We are attempting to deploy Microsoft ATA in our environment. We have successfully deployed ATA Lightweight Gateways to the domain controllers to monitor traffic.

    However, our environment uses standalone DNS appliances. We have configured a ATA Gateway and setup port mirroring between the DNS appliances and the ATA Gateway.

    When configuring the ATA Gateway with the Port Mirrored Domain Controllers (FQDN), using the FQDN for the DNS servers the Gateway service will not start with a All domain controllers unreachable by a Gateway health message in the ATA center.

    If we add a domain controller in the Port Mirrored Domain Controllers (FQDN) list and leave the DNS appliance in, the ATA Gateway service will start; however, a some domain controllers are unreachable by a Gateway message is displayed. The domain controllers listed in the message is the DNS appliance which is not a domain controller. After this I have tried to simulate a DNS recon attack using NSLOOKUP with no luck.

    Has anyone deployed ATA using DNS appliances or is this configuration not supported by Microsoft and will not work?

    Thanks

    Friday, February 28, 2020 8:29 PM

All replies