Does Huntress work with Deep Packet Inspection (TLS/SSL Interception)?
The Huntress Agent communicates over HTTPS (port 443) to the huntress.io domain. If you use deep packet inspection, also known as TLS/SSL interception, you will need to whitelist/exclude the huntress.io certificate or the common name (CN) huntress.io from TLS/SSL inspection. The Huntress Agent uses certificate pinning to verify the huntress.io domain certificate and will cease communications if presented with an unexpected huntress.io certificate.
We provide a command line tool, TestHuntressConnection.exe, you can use to test the connection. If this tool is unable to connect to https://huntress.io, the Huntress Agent will likely be unable to as well. In addition to writing to the console, the tool will also log to
C:\WINDOWS\temp\TestHuntressConnection.log. If the tool is able to successfully connect, it will exit with
%ERRORLEVEL% 0, otherwise, it exits with
c:\temp> TestHuntressConnection.exe 2019/03/04 19:33:47 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log 2019/03/04 19:33:47 - Tool for testing connection to https://huntress.io 2019/03/04 19:33:47 - Updated: 3 March 2019 2019/03/04 19:33:47 - Attempting to connect to https://huntress.io... 2019/03/04 19:33:47 - Connection Successful.
c:\temp> TestHuntressConnection.exe 2019/03/04 19:42:31 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log 2019/03/04 19:42:31 - Tool for testing connection to https://huntress.io 2019/03/04 19:42:31 - Updated: 3 March 2019 2019/03/04 19:42:31 - Attempting to connect to https://huntress.io... 2019/03/04 19:42:38 - Connection failed 2019/03/04 19:42:38 - ERROR: Certificate mismatch. Please see the following for details: https://support.huntress.io/article/60-packetinspection 2019/03/04 19:42:38 - For help, please send the log (C:\WINDOWS\temp\TestHuntressConnection.log) to the Huntress Team at email@example.com
The web browser on one the hosts where the error occurred may help to further identify the issue. Navigate to https://huntress.io and click the lock next to the URL to reveal the certificate details. If the details differ from the image below there is likely an SSL Proxy/Deep Packet Inspection device in use. Often times, the device vendor's name will appear in the "Issued By" field.