Does Huntress work with Deep Packet Inspection (TLS/SSL Interception)?

The Huntress Agent communicates over HTTPS (port 443) to the domain. If you use deep packet inspection, also known as TLS/SSL interception, you will need to whitelist/exclude the certificate or the common name (CN) from TLS/SSL inspection. The Huntress Agent uses certificate pinning to verify the domain certificate and will cease communications if presented with an unexpected certificate.

The Huntress Agent uses TLS 1.2 to communicate with the Huntress Dashboard. However, the HuntressUpdater uses wyUpdate, which uses TLS 1.1 to fetch updates. If TLS 1.1 is blocked or disabled, the Huntress Agent will fail to update.

We provide a command-line tool, TestHuntressConnection.exe, that you can use to test the connection. If this tool is unable to connect to, the Huntress Agent will likely be unable to as well. In addition to writing to the console, the tool also logs to C:\WINDOWS\temp\TestHuntressConnection.log. If the tool connects successfully, it exits with %ERRORLEVEL% 0; otherwise, it exits with %ERRORLEVEL% 1.

c:\temp> TestHuntressConnection.exe

2019/03/04 19:33:47 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log
2019/03/04 19:33:47 - Tool for testing connection to
2019/03/04 19:33:47 - Updated: 3 March 2019
2019/03/04 19:33:47 - Attempting to connect to
2019/03/04 19:33:47 - Connection Successful.

c:\temp> TestHuntressConnection.exe

2019/03/04 19:42:31 - Log file: C:\WINDOWS\temp\TestHuntressConnection.log
2019/03/04 19:42:31 - Tool for testing connection to
2019/03/04 19:42:31 - Updated: 3 March 2019
2019/03/04 19:42:31 - Attempting to connect to
2019/03/04 19:42:38 - Connection failed
2019/03/04 19:42:38 - ERROR: Certificate mismatch.
        Please see the following for details:
2019/03/04 19:42:38 - For help, please send the log (C:\WINDOWS\temp\TestHuntressConnection.log) to the Huntress Team at

The web browser on one of the hosts where the error occurred may help to further identify the issue. Navigate to and click the lock next to the URL to reveal the certificate details. If the details differ from the image below, there is likely an SSL Proxy/Deep Packet Inspection device in use. Often, the device vendor's name will appear in the "Issued By" field.
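
The two checks above can be scripted for hosts where opening a browser is impractical. The following PowerShell is an added example, not Huntress code: it runs TestHuntressConnection.exe and, on a certificate mismatch, prints the issuer of the certificate the host actually receives. `<huntress-domain>` is a placeholder for the domain, and the `Get-PresentedCertificate` helper and exit codes 2 and 3 are assumptions of this example.

```powershell
# Added example, not Huntress code. Exit codes 2 and 3 are this script's own convention.
param(
    # Placeholder: the Huntress domain is not reproduced on this page; supply it.
    [string]$HuntressHost = '<huntress-domain>',
    [string]$ToolPath     = '.\TestHuntressConnection.exe'
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to read the certificate, not trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            # Force TLS 1.2, the version the agent uses for dashboard traffic.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

# Run the vendor tool; it exits 0 on success and 1 on failure.
$output = & $ToolPath 2>&1 | Out-String
if ($LASTEXITCODE -eq 0) {
    Write-Output 'Connection test passed.'
    exit 0
}

if ($output -notmatch 'ERROR: Certificate mismatch') {
    Write-Output 'Connection failed for a reason other than a certificate mismatch:'
    Write-Output $output
    exit 2
}

# Scripted equivalent of clicking the browser lock icon: show who issued the
# certificate this host actually receives. An inspection device's vendor name
# often appears in the Issuer field.
$cert = Get-PresentedCertificate -HostName $HuntressHost
$cert | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
exit 3
```

Run it from the folder that contains TestHuntressConnection.exe, and compare the Issuer value with the output from a host on a network that has no inspection device.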
