Traffic to external IPs over port 3389 (RDP) after installing ATP sensor


Hello,

We have installed the ATP sensor on on-premises DCs.
However, after installation we have traffic to external IPs over port 3389 (RDP), which is being blocked at the Zscaler level. Just wanted to know if there is a specific application or task making the connection to external IPs, and whether this is expected behavior. If yes, can you please explain a bit about this process?

3 Replies
Hi Eli,

Thanks for your reply.
Just wanted to clarify one point: should the MDI sensor be trying to RDP for purposes of NNR against external IPs? Wanted to know this because there are quite some RDP deny alerts for external IPs.
NNR is reactive. If your DC got a connection from an external IP, then yes, we will try to NNR it as well; we currently do not filter "external IPs".
I would carefully check why an external IP can contact your DC directly, and if this is intentional.
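
One way to follow up on the advice in the last reply, as an added example that is not part of the original thread: pair each outbound RDP attempt from a DC to an external address with an earlier inbound connection from that same address, which is what a reactive NNR lookup would imply. The log layout, DC address, internal ranges and five-minute window are all assumptions, and the sample records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not a real Zscaler or firewall export format):
# time, source IP, destination IP, destination port, action
SAMPLE_LOG = """\
2024-05-01T10:00:00,203.0.113.7,10.0.0.5,389,allow
2024-05-01T10:00:04,10.0.0.5,203.0.113.7,3389,deny
2024-05-01T10:02:00,10.0.0.21,10.0.0.5,88,allow
2024-05-01T10:02:03,10.0.0.5,10.0.0.21,3389,allow
2024-05-01T11:30:00,10.0.0.5,198.51.100.9,3389,deny
"""

DC_IPS = {"10.0.0.5"}           # assumed domain controller address
WINDOW = timedelta(minutes=5)   # assumed correlation window, tune locally
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def correlate(log_text):
    rows = [(datetime.fromisoformat(r[0]), r[1], r[2], int(r[3]), r[4])
            for r in csv.reader(io.StringIO(log_text)) if r]
    findings = []
    for t, src, dst, port, action in rows:
        # Outbound RDP from a DC to an external address: candidate NNR probe.
        if not (src in DC_IPS and port == 3389 and is_external(dst)):
            continue
        # NNR is reactive, so look for an earlier allowed inbound connection
        # from that same address to the same DC inside the window.
        inbound = sorted({p2 for t2, s2, d2, p2, a2 in rows
                          if s2 == dst and d2 == src and a2 == "allow"
                          and timedelta(0) <= t - t2 <= WINDOW})
        findings.append({"time": t.isoformat(), "dc": src,
                         "external_ip": dst, "blocked": action == "deny",
                         "inbound_ports": inbound,
                         "explained_by_inbound": bool(inbound)})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A finding with `explained_by_inbound` set to true shows which DC port the external address reached, which is the exposure to review; one set to false has no matching inbound record in the window and needs a separate look.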