- The ATA Gateway supports installation on a server running Windows Server 2012 R2 or Windows Server 2016.
- The ATA Gateway can be installed on a server that is a member of a domain or workgroup.
- The ATA Gateway can be used to monitor domain controllers with a Domain Functional Level of Windows 2003 and above.
Port mirroring on virtual/physical machines

| ATA Gateway | Domain Controller | Considerations |
|---|---|---|
| Virtual | Virtual on same host | The virtual switch needs to support port mirroring. Moving one of the virtual machines to another host by itself may break the port mirroring. |
| Virtual | Virtual on different hosts | Make sure your virtual switch supports this scenario. |
| Virtual | Physical | Requires a dedicated network adapter; otherwise ATA sees all of the traffic coming in and out of the host, even the traffic it sends to the ATA Center. |
| Physical | Virtual | Make sure your virtual switch supports this scenario, and configure port mirroring on your physical switches based on the scenario: if the virtual host is on the same physical switch, configure a switch-level SPAN; if the virtual host is on a different switch, configure RSPAN or ERSPAN*. |
| Physical | Physical on the same switch | Physical switch must support SPAN/port mirroring. |
| Physical | Physical on a different switch | Requires physical switches to support RSPAN or ERSPAN*. |
* ERSPAN is only supported when decapsulation is performed before the traffic is analyzed by ATA.
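The first row of the table (virtual gateway and virtual domain controller on the same Hyper-V host) can be configured with the Hyper-V PowerShell module. The script below is an added example for this page, not Microsoft's own guidance; the VM names, the switch name and the adapter name `Capture` are assumptions.

```powershell
# Added example: Hyper-V port mirroring for an ATA Gateway VM and a DC VM on the same host.
# Run in an elevated PowerShell session on the Hyper-V host. All names below are assumed
# for illustration; substitute your own.
$GatewayVm  = 'ATAGW01'              # assumed ATA Gateway VM name
$DcVm       = 'DC01'                 # assumed domain controller VM name
$SwitchName = 'vSwitch-ServerLAN'    # assumed virtual switch that both VMs share

# 1. Give the gateway a second, dedicated adapter for captured traffic.
#    The VM's existing adapter stays the management adapter.
Add-VMNetworkAdapter -VMName $GatewayVm -SwitchName $SwitchName -Name 'Capture'

# 2. Mirror: the DC's adapter is the source, the gateway's capture adapter the destination.
#    Hyper-V mirrors within one virtual switch, so both adapters must be attached to $SwitchName.
Set-VMNetworkAdapter -VMName $DcVm -PortMirroring Source
Set-VMNetworkAdapter -VMName $GatewayVm -Name 'Capture' -PortMirroring Destination

# 3. Verify the mirroring mode on every adapter of both VMs.
#    Expected: the DC adapter shows Source, the gateway's Capture adapter shows Destination,
#    and the gateway's management adapter shows None.
Get-VMNetworkAdapter -VMName $GatewayVm, $DcVm |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize
```

If the DC VM has more than one adapter, add `-Name` to the `Set-VMNetworkAdapter` call for the DC as well, so that only the adapter carrying domain traffic is mirrored. Because the mirror is a property of the adapters on this one switch, re-run step 3 after either VM is live-migrated: as the table notes, a move to another host can silently break the mirroring.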
- For optimal performance, set the Power Option of the ATA Gateway to High Performance.
- Virtual machine dynamic memory or any other memory ballooning feature is not supported.
- The ATA Center server, the ATA Gateway servers, and the domain controllers must have their time synchronized to within five minutes of each other.
The ATA Gateway requires at least one Management adapter and at least one Capture adapter:
- Management adapter: used for communications on your corporate network.
  - Static IP address including default gateway.
  - Preferred and alternate DNS servers.
  - The DNS suffix for this connection should be the DNS name of the monitored domain (one suffix for each domain being monitored).
- Capture adapter: used to capture traffic to and from the domain controllers.
  - Configure port mirroring for the capture adapter as the destination of the domain controller network traffic.
  - Configure a static non-routable IP address for your environment with no default gateway and no DNS server addresses.
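The power-plan, time-synchronization and adapter requirements above can be applied and checked from an elevated PowerShell session on the gateway. The script is an added example for this page, not Microsoft's own code; the adapter names, addresses, domain name and DC hostname are assumptions, and the DNS-registration setting on the capture adapter is a choice of this example rather than a documented requirement.

```powershell
# Added example: prepare the ATA Gateway OS (power plan, adapters, clock offset check).
# Run elevated on the gateway itself. Names and addresses below are assumptions.
$MgmtAdapter    = 'Management'             # assumed interface alias of the management NIC
$CaptureAdapter = 'Capture'                # assumed interface alias of the capture NIC
$MgmtIp         = '10.0.0.50'              # assumed
$MgmtPrefix     = 24
$MgmtGateway    = '10.0.0.1'               # assumed
$DnsServers     = '10.0.0.10', '10.0.0.11' # assumed preferred and alternate DNS servers
$DomainDns      = 'corp.example.com'       # assumed DNS name of the monitored domain
$CaptureIp      = '169.254.100.10'         # assumed non-routable address for the capture NIC
$DcForTimeCheck = 'dc01.corp.example.com'  # assumed DC to compare clocks against

# 1. Power plan: High performance (SCHEME_MIN is powercfg's alias for that plan).
powercfg /setactive SCHEME_MIN

# 2. Management adapter: static IP with default gateway, DNS servers, domain DNS suffix.
#    Any existing IPv4 address and default route are removed first, because
#    New-NetIPAddress fails if a default gateway already exists on the interface.
Remove-NetIPAddress -InterfaceAlias $MgmtAdapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $MgmtAdapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $MgmtAdapter -IPAddress $MgmtIp -PrefixLength $MgmtPrefix -DefaultGateway $MgmtGateway
Set-DnsClientServerAddress -InterfaceAlias $MgmtAdapter -ServerAddresses $DnsServers
Set-DnsClient -InterfaceAlias $MgmtAdapter -ConnectionSpecificSuffix $DomainDns

# 3. Capture adapter: static non-routable IP, no default gateway, no DNS servers.
#    Not registering this address in DNS (example's choice) keeps the capture
#    address from ever being published as a name for the gateway.
Remove-NetIPAddress -InterfaceAlias $CaptureAdapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $CaptureAdapter -IPAddress $CaptureIp -PrefixLength 16
Set-DnsClientServerAddress -InterfaceAlias $CaptureAdapter -ResetServerAddresses
Set-DnsClient -InterfaceAlias $CaptureAdapter -RegisterThisConnectionsAddress $false

# 4. Clock offset against a DC. w32tm prints one "hh:mm:ss, +00.0123456s" line per
#    sample; an absolute offset above 300 s violates the five-minute requirement.
$samples = w32tm /stripchart /computer:$DcForTimeCheck /samples:3 /dataonly
$offsets = $samples | ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
$worst   = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
if ($null -eq $worst) {
    Write-Warning "No NTP samples from $DcForTimeCheck (UDP 123 blocked, or name not resolvable)"
} elseif ($worst -gt 300) {
    Write-Warning "Clock offset from $DcForTimeCheck is ${worst}s (limit 300s)"
} else {
    "Clock offset from $DcForTimeCheck within limit: ${worst}s"
}
```

Step 4 deliberately measures against a domain controller rather than reporting the local `w32tm /query /status`, because the requirement is relative: the Center, the Gateways and the DCs must agree with each other, and a gateway that is perfectly synchronized to an external source can still be minutes away from a DC that is not.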
The direction in the table below is relative to the ATA Gateway:

| Protocol | Transport | Port | To/From | Direction |
|---|---|---|---|---|
| LDAP | TCP and UDP | 389 | Domain controllers | Outbound |
| Secure LDAP (LDAPS) | TCP | 636 | Domain controllers | Outbound |
| LDAP to Global Catalog | TCP | 3268 | Domain controllers | Outbound |
| LDAPS to Global Catalog | TCP | 3269 | Domain controllers | Outbound |
| Kerberos | TCP and UDP | 88 | Domain controllers | Outbound |
| Netlogon (SMB, CIFS, SAM-R) | TCP and UDP | 445 | All devices on network | Outbound |
| Windows Time | UDP | 123 | Domain controllers | Outbound |
| DNS | TCP and UDP | 53 | DNS servers | Outbound |
| NTLM over RPC | TCP | 135 | All devices on the network | Outbound |
| NetBIOS | UDP | 137 | All devices on the network | Outbound |
| Syslog (optional) | UDP | 514 | SIEM server | Inbound |
As part of the resolution process done by the ATA Gateway, the following ports need to be open inbound on devices on the network from the ATA Gateways:
- NTLM over RPC (TCP port 135) for resolution purposes
- NetBIOS (UDP port 137) for resolution purposes

Using the Directory service user account, the ATA Gateway also queries endpoints in your organization for local admins using SAM-R (network logon) in order to build the lateral movement path graph. SAM-R runs over SMB, so TCP port 445 from the table above must likewise be reachable on those endpoints, not only on the domain controllers.
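The port table and the resolution ports above can be verified from the gateway before installation. The script below is an added example for this page, not Microsoft's own tooling; the DC, DNS-server and workstation names are assumptions. TCP ports are probed with `Test-NetConnection`; the UDP services cannot be probed that way, so each is exercised with its own protocol (a DNS query, an NTP sample, a NetBIOS adapter-status query).

```powershell
# Added example: verify the ATA Gateway's required network paths, run from the gateway.
# Hostnames and addresses are assumptions for illustration.
$DomainControllers = 'dc01.corp.example.com', 'dc02.corp.example.com' # assumed
$DnsServers        = '10.0.0.10'                                      # assumed
$Endpoints         = 'ws001.corp.example.com'                         # assumed sample workstation

# Outbound TCP ports to domain controllers, taken from the port table.
$DcTcpPorts = [ordered]@{ 389 = 'LDAP'; 636 = 'LDAPS'; 3268 = 'LDAP GC'; 3269 = 'LDAPS GC'
                          88 = 'Kerberos'; 445 = 'SMB/SAM-R'; 53 = 'DNS' }
# Outbound TCP ports needed on any endpoint for resolution and the lateral movement graph.
$EndpointTcpPorts = [ordered]@{ 135 = 'NTLM over RPC'; 445 = 'SMB/SAM-R' }

function Test-TcpPorts {
    param([string[]]$Targets, [System.Collections.IDictionary]$Ports)
    foreach ($target in $Targets) {
        foreach ($port in $Ports.Keys) {
            $r = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target  = $target
                Port    = $port
                Service = $Ports[$port]
                Open    = $r.TcpTestSucceeded
                # Source address shows which adapter the gateway used; it must be the
                # management adapter, never the capture adapter.
                Source  = $r.SourceAddress.IPAddress
            }
        }
    }
}

function Get-IPv4 ([string]$Name) {
    ([System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1).IPAddressToString
}

$tcp = @(Test-TcpPorts -Targets $DomainControllers -Ports $DcTcpPorts) +
       @(Test-TcpPorts -Targets $Endpoints -Ports $EndpointTcpPorts)
$tcp | Format-Table -AutoSize

$udp = foreach ($dc in $DomainControllers) {
    # UDP 53: resolve the DC's A record through each configured DNS server.
    foreach ($dns in $DnsServers) {
        $a = Resolve-DnsName -Name $dc -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = "DNS via $dns (UDP 53)"; Target = $dc; Ok = [bool]$a }
    }
    # UDP 123: one NTP sample; success prints a "hh:mm:ss, +offset s" line.
    $ntp = w32tm /stripchart /computer:$dc /samples:1 /dataonly
    [pscustomobject]@{ Check = 'NTP (UDP 123)'; Target = $dc; Ok = [bool]($ntp -match ',\s*[+-]\d+\.\d+s') }
}
# UDP 137: NetBIOS adapter-status query against DCs and endpoints; nbtstat prints
# the MAC address on success and "Host not found" when the port is unreachable.
$udp += foreach ($host in @($DomainControllers) + @($Endpoints)) {
    $nbt = nbtstat -A (Get-IPv4 $host)
    [pscustomobject]@{ Check = 'NetBIOS (UDP 137)'; Target = $host; Ok = [bool]($nbt -match 'MAC Address') }
}
$udp | Format-Table -AutoSize

# Summary: anything not open or not OK blocks the prerequisites.
$failed = @($tcp | Where-Object { -not $_.Open }) + @($udp | Where-Object { -not $_.Ok })
if ($failed) { Write-Warning "$($failed.Count) required path(s) failed; see tables above" }
else { 'All required network paths verified' }
```

Kerberos (UDP 88) and LDAP over UDP are not exercised separately here; on a DC that answers on TCP 88 and TCP 389, the UDP variants share the same host firewall rules in the default Windows configuration, but if an intermediate firewall filters by transport, test them with a client that actually uses UDP (for example a Kerberos ticket request from the gateway's own domain logon).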