Does Huntress work with Deep Packet Inspection (TLS/SSL Interception)?
The Huntress Agent communicates over HTTPS (port 443) to the huntress.io domain. If you use deep packet inspection, also known as TLS/SSL interception, you will need to exclude the huntress.io certificate, or the common name (CN) huntress.io, from TLS/SSL inspection. The Huntress Agent uses certificate pinning to verify the huntress.io certificate: an intercepting proxy re-signs the server certificate with its own CA, the pinned certificate no longer matches, and the Agent stops communicating rather than accept the unexpected huntress.io certificate.
The Huntress Agent uses TLS 1.2 to communicate with the Huntress Dashboard. However, the HuntressUpdater uses wyUpdate, which uses TLS 1.1 to fetch updates. If TLS 1.1 is blocked or disabled on the host or on the network path, the Huntress Agent will fail to update. Because TLS 1.1 is deprecated, prefer allowing it only for the updater's traffic rather than re-enabling it globally.
We provide a command-line tool, TestHuntressConnection.exe, that you can use to test the connection. If this tool is unable to connect to https://huntress.io, the Huntress Agent will most likely be unable to as well. In addition to writing to the console, the tool also logs to C:\WINDOWS\temp\TestHuntressConnection.log. If the tool connects successfully, it exits with %ERRORLEVEL% 0; otherwise, it exits with
c:\temp> TestHuntressConnection.exe
2019/03/04 19:33:47 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log
2019/03/04 19:33:47 - Tool for testing connection to https://huntress.io
2019/03/04 19:33:47 - Updated: 3 March 2019
2019/03/04 19:33:47 - Attempting to connect to https://huntress.io...
2019/03/04 19:33:47 - Connection Successful.

c:\temp> TestHuntressConnection.exe
2019/03/04 19:42:31 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log
2019/03/04 19:42:31 - Tool for testing connection to https://huntress.io
2019/03/04 19:42:31 - Updated: 3 March 2019
2019/03/04 19:42:31 - Attempting to connect to https://huntress.io...
2019/03/04 19:42:38 - Connection failed
2019/03/04 19:42:38 - ERROR: Certificate mismatch. Please see the following for details: https://support.huntress.io/article/60-packetinspection
2019/03/04 19:42:38 - For help, please send the log (C:\WINDOWS\temp\TestHuntressConnection.log) to the Huntress Team at email@example.com
The web browser on one of the hosts where the error occurred can help to identify the cause further. Navigate to https://huntress.io and click the lock next to the URL to reveal the certificate details. If the details differ from the image below, an SSL proxy/deep packet inspection device is likely in use. Often the device vendor's name appears in the "Issued By" field, because the proxy re-signs the server certificate with its own CA instead of passing through the certificate issued to huntress.io.
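The following PowerShell is an added example and is not the Huntress Agent, the TestHuntressConnection.exe tool, or any other Huntress code. It does from the command line what the browser check above does by hand: it opens a TLS session to huntress.io, reports the certificate actually presented to this host (Subject, Issuer, thumbprint, negotiated protocol), and, if you pass a thumbprint recorded on a host outside the inspecting path, compares the two the way certificate pinning does. It also wraps TestHuntressConnection.exe so a non-zero exit code is reported. Assumptions: the tool path C:\temp\TestHuntressConnection.exe, the expected thumbprint you supply, and the use of the -Protocol Tls11 switch against the updater's download host, which this page does not name, are all yours to fill in.

```powershell
# Added example (not Huntress code). Shows the certificate a host actually receives
# for huntress.io and optionally compares it with a pinned thumbprint.

function Get-PresentedCertificate {
    [CmdletBinding()]
    param(
        [string]$HostName = 'huntress.io',
        [int]$Port = 443,
        # Protocol to offer. Tls12 is what the Agent uses; try Tls11 against the
        # updater's download host (assumption: not named on this page) to see whether
        # the wyUpdate path is blocked.
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls12,
        # SHA-1 thumbprint captured on a host known NOT to be inspected (assumption: you supply it).
        [string]$ExpectedThumbprint
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)

    # Accept whatever certificate the peer sends so it can be inspected; the trust decision
    # is made below by comparing against the pin, not by this callback.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        # Throws if the handshake fails (for example, TLS 1.1 refused by the host or a middlebox).
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $pinMatches = $null
        if ($ExpectedThumbprint) {
            $normalized = ($ExpectedThumbprint -replace '[:\s]', '').ToUpperInvariant()
            $pinMatches = ($cert.Thumbprint -eq $normalized)
        }

        [pscustomobject]@{
            Host       = $HostName
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer      # an inspection device's CA shows up here
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            PinMatches = $pinMatches       # $null when no expected thumbprint was given
        }
    }
    finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Invoke-HuntressConnectionTest {
    param(
        # Assumption: where you copied the tool; the page shows it run from c:\temp.
        [string]$ToolPath = 'C:\temp\TestHuntressConnection.exe'
    )
    & $ToolPath
    if ($LASTEXITCODE -eq 0) {
        'TestHuntressConnection.exe: connection successful (exit code 0)'
    } else {
        "TestHuntressConnection.exe: connection failed (exit code $LASTEXITCODE); see C:\WINDOWS\temp\TestHuntressConnection.log"
    }
}

# Usage from an affected host:
#   Get-PresentedCertificate | Format-List
#   Get-PresentedCertificate -ExpectedThumbprint '<thumbprint from an uninspected host>'
#   Invoke-HuntressConnectionTest
```

Run Get-PresentedCertificate on a host behind the inspecting device and on one outside it; when the Issuer fields differ and the inside host shows your firewall or proxy vendor, that device is re-signing huntress.io and needs an exclusion for the huntress.io CN. PinMatches turning $false is the same condition that makes the Agent's pinning check stop communications, so it is a direct reproduction of the "Certificate mismatch" result from the tool.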