forked from jnixmsft/defender-connect
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmanual_setup
50 lines (46 loc) · 2.93 KB
/
manual_setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
High-level DIY to build your own
Manual steps
1. Deploy a Linux machine. This machine should have access to at least the same destinations that will be proxied. Ensure this machine can resolve domain names and can reach the internet.
After installation, update & upgrade
$sudo apt-get update
$sudo apt-get -y upgrade
NOTE: this machine should run a firewall. On Ubuntu, we can enable ufw. Allow the port required for the proxy (default 3128)
$sudo ufw enable
$sudo ufw allow 3128
2. Install Squid proxy
$sudo apt -y install squid
3. Create a list of allowed destinations (example at https://github.com/microsoft/defender-connect/blob/main/MDE.destinations)
4. Create a configuration file squid.conf (example at https://github.com/microsoft/defender-connect/blob/main/Squid.conf) that restricts traffic to specific set of ports and destinations
5. Place the squid.conf and MDE.destinations in /etc/squid
6. Reload the configuration
$sudo squid -k reconfigure
7. Configure machines to use the proxy (https://github.com/microsoft/defender-connect/blob/main/Configuring%20clients)
Machines should be uploading telemetry and Defender cloud protection should work.
Auto updating the destinations file from a/our repository
1. Create a script that downloads the destinations file (example generic one but you can select he one for your geo):
$sudo curl -O https://raw.githubusercontent.com/microsoft/defender-connect/main/MDE.destinations
2. Place the script somewhere you can remember. Our example script at https://github.com/microsoft/defender-connect/blob/main/update_urls.sh uses /etc/squid
You can download using:
$sudo curl -O /etc/squid https://raw.githubusercontent.com/microsoft/defender-connect/main/update_urls.sh
Make it executable:
$sudo chmod +x /etc/squid/update_urls.sh
3. Create a crontab job that will execute the script on a schedule (example does it every day of every week of every month at 0 minutes of the hourse 8,12,16):
$sudo crontab -e
Choose your favorite text editor, we chose nano
Enter:
0 8,12,16 * * * /etc/squid/update_urls.sh >> /etc/squid/update_urls.txt
Save the file (CTRL+X, y then enter)
Installing a simple web server on the same machine to serve the wpad.dat to enable Defender updates through Windows Update
1. Install Apache
$sudo apt -y apache2
2. Ensure traffic to port 80 is allowed through the host firewall
$sudo ufw allow 'Apache'
(This will allow port 80/http traffic which is all we need to server the wpad.dat)
3. Download the proxy.pac file $sudo curl -o "https://github.com/microsoft/defender-connect/blob/main/updates.pac"
4. Place the downloaded file in /var/www/html as wpad.dat :
$sudo updates.pac /var/www/html/wpad.dat
5. Make the necessary changes to DNS to serve wpad.dat to your clients for autoconfiguration.
Logging: how to see traffic flowing from your machines to Defender for Endpoint cloud
1. Access log is located in /var/log/squid/access.log
2. You can tail the log for changes:
$sudo tail -f /var/log/squid/access.log