Question about ATA Gateway Deployment

  • Question

  • Hello, can someone please clarify what the caveat or limitation is if we go with using only ATA Lightweight Gateways vs. using both ATA Lightweight Gateways and ATA Gateways? Is it that if we go with only the lightweight gateways then we would only have visibility into the usual events getting logged on domain controllers (like the logon/logoff and DNS events)? And is it that if we go with the second option of both (lightweight gateway + gateway) then this will give us more visibility into the overall network and not just events limited to domain controllers? The reason I am asking is that if we go with the latter option of having both, then the mirror port which gets connected to the Gateway server (whatever we configure on our switch) will be capturing all the traffic flowing through all the servers (not just to DCs), so wouldn't we get more visibility into the rest of our network as well?

    Am I misunderstanding this? Appreciate any help.



    • Edited by Neeraj_Shah Thursday, September 15, 2016 11:48 PM
    Thursday, September 15, 2016 11:45 PM

Answers

  • Both the lightweight gateway (LWGW) and the gateway perform the same functionality. You may deploy ATA with either or both options. The difference is in the supported packets per second threshold on the DCs. The LWGW has a 10k limit.

    Windows event forwarding is supported in both scenarios. In the case of the LWGW, DCs would forward events to itself. ATA uses event log ID 4776 to enhance detection for pass-the-hash. For port mirroring, only traffic bound to/from DCs should be sent to ATA gateways.

    Take a look at the TechNet article below for a comparison of both options.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/plan-design/ata-capacity-planning


    Shalini Pasupneti, PointBridge | MCITP: Exchange2010 | CCNA https://blogs.pointbridge.com/Pages/Default.aspx

    • Marked as answer by Neeraj_Shah Tuesday, September 20, 2016 1:43 PM
    Tuesday, September 20, 2016 3:31 AM
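The answer above turns the LWGW-versus-Gateway decision on the per-DC packet rate and on event 4776 being available to ATA. As an added example (not from the thread, and not Microsoft's own sizing tool), the following PowerShell script, run on a domain controller, samples the NIC packet rate for a short window and compares the peak against the 10k packets/sec figure quoted in the answer, then checks that 4776 events are actually being written to the Security log. The one-minute sampling window, the limit variable and the pseudo-interface filter are assumptions of this example.

```powershell
# Added example (not from the thread): sample this DC's NIC packet rate to compare
# against the 10k packets/sec LWGW threshold quoted in the answer, and confirm that
# event ID 4776 (credential validation, used by ATA for pass-the-hash detection) is
# being logged locally. Run directly on the domain controller.

$LwgwPacketsPerSecLimit = 10000   # figure quoted in the answer above
$SampleSeconds = 60               # assumption: a one-minute sampling window

# Collect one sample per second of Packets/sec for every network interface.
$samples = Get-Counter -Counter '\Network Interface(*)\Packets/sec' `
                       -SampleInterval 1 -MaxSamples $SampleSeconds

# Per-second total across physical interfaces, skipping tunnel/loopback pseudo-interfaces
# (the exclusion pattern is an assumption; adjust to your adapter names).
$perSecondTotals = foreach ($s in $samples) {
    ($s.CounterSamples |
        Where-Object { $_.InstanceName -notmatch 'isatap|loopback|teredo' } |
        Measure-Object -Property CookedValue -Sum).Sum
}

$stats = $perSecondTotals | Measure-Object -Average -Maximum
"Packets/sec over $SampleSeconds s: avg {0:N0}, peak {1:N0}" -f $stats.Average, $stats.Maximum

if ($stats.Maximum -gt $LwgwPacketsPerSecLimit) {
    "Peak exceeds the $LwgwPacketsPerSecLimit pps LWGW threshold: plan a dedicated ATA Gateway fed by a DC-only mirror port."
} else {
    "Peak is under the LWGW threshold: a Lightweight Gateway on this DC is within the stated limit."
}

# Confirm the DC is logging event 4776. If none appear in the window, check the
# 'Credential Validation' audit subcategory, which controls whether 4776 is generated.
$cutoff = (Get-Date).AddHours(-1)
$ntlmEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $cutoff } `
                           -ErrorAction SilentlyContinue
"Event 4776 entries in the last hour: $(@($ntlmEvents).Count)"
auditpol /get /subcategory:"Credential Validation"
```

A one-minute window understates peaks such as logon storms at the start of the working day, so treat a result near the threshold as a prompt to sample over a full business cycle and to follow the capacity-planning article linked above, which is the authoritative source for sizing. A zero count of 4776 events usually means the Credential Validation audit subcategory is not enabled for success, in which case ATA loses the event-based enrichment the answer describes regardless of which gateway type is deployed.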

All replies

  • Thank you. 
    Tuesday, September 20, 2016 1:43 PM