Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Your site's firewall, router, DNS, or content filtering platforms
Environment: Huntress Management Portal, Windows, macOS, Linux
Summary: If you use deep packet inspection (DPI), TLS/SSL interception, certificate pinning, certificate interception, Acronis DeviceLock DLP, or any type of certificate-inspecting service, you will need to allow-list/exclude the huntress.io certificate or the common name (CN) huntress.io from TLS/SSL inspection. The Huntress Agent uses certificate pinning to verify the huntress.io domain certificate and will cease communications if presented with an unexpected huntress.io certificate.
We provide these tools to test connectivity between your machines and the Huntress Portal. If a tool is unable to connect, it's highly likely the Huntress agent will be unable to connect as well. However, because of granular app permissions, a successful test is not proof that the agent will be able to connect (this is mostly seen when other security products don't have Huntress excluded). In addition to writing to the console, the tools also log to huntress_network_test.log in the directory they were run in.
Testing Scripts/Tools are available in this KB.
Check browser manually for TLS/SSL Interception
In addition to the network test tool, a manual check of the certificate details on an affected endpoint can help identify interception:
- Navigate to https://huntress.io.
- In Chrome, click the Tune icon to the left of the URL, then select “Connection is secure”, followed by “Certificate is valid” to view the details.
If the certificate details differ from the image below, there is likely a certificate interception device in use. Primarily you'll want to compare the "Issued To" and "Issued By" sections. If any company name besides Huntress or DigiCert appears, that is likely the company name of the local service that is intercepting or inspecting certificates.
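The same "Issued To" / "Issued By" comparison can be scripted for endpoints where opening a browser is impractical. The following is an added example, not one of the Huntress test tools; the function names and the two sample certificates are constructed for illustration, and it uses only the Python standard library.

```python
import socket
import ssl

# Company names the article says may appear in "Issued To" / "Issued By".
EXPECTED = ("huntress", "digicert")

def _attr(rdns, key):
    """Pull one attribute out of getpeercert()'s nested name tuples."""
    return [v for rdn in rdns for k, v in rdn if k == key]

def unexpected_names(cert):
    """List names in subject/issuer that are neither Huntress nor DigiCert.

    cert is a dict shaped like ssl.SSLSocket.getpeercert(). Substring
    matching is a heuristic that mirrors the manual comparison.
    """
    findings = []
    for label, field in (("Issued To", "subject"), ("Issued By", "issuer")):
        rdns = cert.get(field, ())
        # Prefer the organization; fall back to CN when no O is present.
        names = _attr(rdns, "organizationName") or _attr(rdns, "commonName")
        if not names:
            findings.append(f"{label}: no organization or common name")
        for name in names:
            if not any(e in name.lower() for e in EXPECTED):
                findings.append(f"{label}: {name}")
    return findings

def fetch_cert(host="huntress.io", port=443, timeout=10):
    """Fetch the certificate this endpoint is actually presented with."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples (not copied from a real certificate).
SAMPLE_DIRECT = {
    "subject": ((("organizationName", "Huntress Labs"),), (("commonName", "huntress.io"),)),
    "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert TLS CA"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "huntress.io"),),),
    "issuer": ((("commonName", "Example Corp Web Filter CA"),),),
}

if __name__ == "__main__":
    try:
        found = unexpected_names(fetch_cert())
    except ssl.SSLCertVerificationError as exc:
        found = [f"certificate not trusted on this host: {exc.verify_message}"]
    print("\n".join(found) or "Issued To / Issued By show only Huntress or DigiCert")
```

A verification error here means the presented certificate chains to a CA that this Python installation does not trust, which is itself worth investigating. As with the network test tool, a clean result does not prove the agent can connect.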