Does Huntress work with Deep Packet Inspection (TLS/SSL Interception)?

The Huntress Agent communicates over HTTPS (port 443) to the huntress.io domain. If you use deep packet inspection, also known as TLS/SSL interception, you will need to whitelist/exclude the huntress.io certificate or the common name (CN) huntress.io from TLS/SSL inspection. The Huntress Agent uses certificate pinning to verify the huntress.io domain certificate and will cease communications if presented with an unexpected huntress.io certificate.

We provide a command line tool, TestHuntressConnection.exe, that you can use to test the connection. If this tool is unable to connect to https://huntress.io, the Huntress Agent will likely be unable to as well. In addition to writing to the console, the tool will also log to C:\WINDOWS\temp\TestHuntressConnection.log. If the tool is able to successfully connect, it will exit with %ERRORLEVEL% 0; otherwise it exits with %ERRORLEVEL% 1.

c:\temp> TestHuntressConnection.exe

2019/03/04 19:33:47 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log
2019/03/04 19:33:47 - Tool for testing connection to https://huntress.io
2019/03/04 19:33:47 - Updated: 3 March 2019
2019/03/04 19:33:47 - Attempting to connect to https://huntress.io...
2019/03/04 19:33:47 - Connection Successful.
c:\temp> TestHuntressConnection.exe

2019/03/04 19:42:31 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log
2019/03/04 19:42:31 - Tool for testing connection to https://huntress.io
2019/03/04 19:42:31 - Updated: 3 March 2019
2019/03/04 19:42:31 - Attempting to connect to https://huntress.io...
2019/03/04 19:42:38 - Connection failed
2019/03/04 19:42:38 - ERROR: Certificate mismatch.
        Please see the following for details: https://support.huntress.io/article/60-packetinspection
2019/03/04 19:42:38 - For help, please send the log (C:\WINDOWS\temp\TestHuntressConnection.log) to the Huntress Team at support@huntresslabs.com

The web browser on one of the hosts where the error occurred may help to further identify the issue. Navigate to https://huntress.io and click the lock next to the URL to reveal the certificate details. If the details differ from the image below, there is likely an SSL Proxy/Deep Packet Inspection device in use. Often, the device vendor's name will appear in the "Issued By" field.
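
The browser check above can also be scripted on an affected host. This PowerShell script is an added example, not Huntress code: it runs TestHuntressConnection.exe and, on a non-zero exit code, prints the certificate the host is actually presented for huntress.io. `$ToolPath`, the `Get-PresentedCertificate` helper and the forced TLS 1.2 handshake are assumptions of this example.

```powershell
# Added example, not Huntress tooling. $ToolPath is an assumed download location.
param(
    [string]$ToolPath = 'C:\temp\TestHuntressConnection.exe',
    [string]$HostName = 'huntress.io'
)

# Hypothetical helper: returns the leaf certificate this host receives for $Name.
function Get-PresentedCertificate([string]$Name, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Name, $Port)
        # Accept any chain so a certificate re-signed by an inspection device can
        # still be read. Diagnostic only: no application data is sent on the stream.
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($Name, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer      # an inspection device's vendor often shows up here
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

# Run the vendor tool and keep its console text; exit code 0 = connected, 1 = failed.
$output   = (& $ToolPath 2>&1 | Out-String)
$exitCode = $LASTEXITCODE
$mismatch = $output -match 'Certificate mismatch'

if ($exitCode -eq 0) {
    Write-Output "[$env:COMPUTERNAME] TestHuntressConnection succeeded."
} else {
    Write-Output "[$env:COMPUTERNAME] TestHuntressConnection failed (certificate mismatch reported: $mismatch)."
    try {
        Get-PresentedCertificate -Name $HostName | Format-List
    } catch {
        Write-Warning "Could not read the certificate for ${HostName}: $($_.Exception.Message)"
    }
}
exit $exitCode
```

Compare the Issuer and Thumbprint with the output from a host that is not behind the inspection device; a differing issuer on the failing host points at the device that needs the huntress.io exclusion.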
