Team: Huntress EDR
Product: Host Isolation
Environment: Huntress Platform
Summary: How to add static IP addresses to the allowlist in account settings before host isolation, so that partner tooling keeps its access.
The Host Isolation IP Allowlist is an advanced capability intended to enable the use of self-hosted RMMs (or other tooling with static IP addresses) on endpoints during an incident response. We recommend leaving it disabled unless you are doing incident response activities frequently.
If you suspect that your RMM or other tooling is compromised, disable the IP Allowlist and contact Huntress Support to request that any currently isolated endpoints be “strictly isolated.”
How it works:
- The IP Allowlist applies only to endpoints that are currently isolated; it has no impact on endpoints under normal circumstances.
- In addition to Huntress traffic, these isolated endpoints are only allowed to make outbound connections to the allowed IP addresses; all inbound connections are blocked. This is sufficient for RMMs to operate normally, as in most cases their agents only make outbound network connections.
- If you change the IP Allowlist settings (enabling, disabling, or adding / removing IPs), endpoints that are currently isolated will not be updated; only newly isolated endpoints will have the changes applied.
The Huntress SOC might override your IP Allowlist and strictly isolate endpoints (blocking all connections) if we suspect that your RMM or other tooling is compromised.
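Because changes are not pushed to endpoints that are already isolated, removing an IP or disabling the feature leaves those endpoints on the list they were isolated with. The sketch below is an added example, not Huntress code: it works out which isolated endpoints still carry an older allowlist, assuming you keep your own record of setting changes and isolation times (the record format, hostnames and addresses are constructed).

```python
from datetime import datetime
from ipaddress import IPv4Address

def ips(*addrs):
    # IPv4Address raises ValueError on hostnames and IPv6; the page asks for IPv4.
    return frozenset(IPv4Address(a) for a in addrs)

# Constructed sample data (hypothetical record format, not a Huntress export).
# Each change: (time saved, feature enabled?, allowlist contents).
HISTORY = [
    (datetime(2024, 5, 1, 9, 0), True, ips("203.0.113.10")),
    (datetime(2024, 5, 3, 9, 0), True, ips("203.0.113.10", "198.51.100.7")),
    (datetime(2024, 5, 5, 9, 0), False, ips("203.0.113.10", "198.51.100.7")),
]
# hostname -> time the endpoint was isolated
ISOLATED = {
    "ws-01": datetime(2024, 5, 2, 12, 0),
    "ws-02": datetime(2024, 5, 4, 12, 0),
    "ws-03": datetime(2024, 5, 6, 12, 0),
}

def allowlist_at(history, when):
    """Allowlist in force at `when`; empty if the feature was off or unset."""
    current = frozenset()
    for saved_at, enabled, addrs in sorted(history, key=lambda c: c[0]):
        if saved_at > when:
            break
        current = addrs if enabled else frozenset()
    return current

def stale_endpoints(history, isolated, now):
    """Isolated endpoints whose applied allowlist differs from today's setting."""
    latest = allowlist_at(history, now)
    report = {}
    for host, isolated_at in isolated.items():
        applied = allowlist_at(history, isolated_at)
        if applied != latest:
            report[host] = {
                "still_allowed": sorted(str(ip) for ip in applied - latest),
                "not_applied": sorted(str(ip) for ip in latest - applied),
            }
    return report

if __name__ == "__main__":
    for host, diff in stale_endpoints(HISTORY, ISOLATED, datetime(2024, 5, 7)).items():
        print(host, diff)
```

Endpoints listed under `still_allowed` are the ones to raise with Huntress Support for strict isolation when the tooling behind those addresses is suspected to be compromised.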
More info on Host Isolation
Where to add allowed IPs
In the Huntress Portal menu (1), open the Account Settings (2).
Go to the Managed Response section, scroll to the Tooling Allowlist, and enable the feature by toggling "Tooling Connections" to On (default is Off).
Add each entry with a display name that makes sense for your environment and an IPv4 address.
This feature does not support cloud RMMs because the allowed IP addresses must be static, while most cloud tools use dynamic IPs for agent connectivity.