Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Your site's firewall, router, DNS, and/or content filtering platforms
Environment: Huntress Management Portal, Windows, macOS, Linux
Summary: If you use deep packet inspection (DPI), TLS/SSL interception, certificate pinning, certificate interception, Acronis DeviceLock DLP, or any type of certificate-inspecting service, you will need to allow-list/exclude the huntress.io certificate or the common name (CN) huntress.io from TLS/SSL inspection. The Huntress Agent uses certificate pinning to verify the huntress.io domain certificate and will cease communications if presented with an unexpected huntress.io certificate.
We provide these tools to test connectivity between your machines and the Huntress Portal. If a tool is unable to connect, it is highly likely the Huntress agent will be unable to connect as well. In addition to writing to the console, the tools also log to huntress_network_test.log in the directory they were run from. An example snippet of the output is shown below (both environments have virtually the same output).
Testing Scripts are available in this KB.
Check browser manually for TLS/SSL Interception
In addition to the network test tool, a manual check of the certificate details on an affected endpoint can help identify interception:
- Navigate to https://huntress.io.
- In Chrome, click the Tune icon to the left of the URL, then select “Connection is secure”, followed by “Certificate is valid” to view the details.
If the certificate details differ from the image below, there is likely a certificate interception device in use. The device vendor's name will often appear in the "Issued By" field instead of the expected Certificate Authority.
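The same comparison can be scripted. The following is an added example, not a Huntress tool or code from this KB: it compares the certificate an endpoint is shown against a reference recorded on a network known to be free of TLS inspection, and reports the issuer so the inspecting device can be identified. The function names and the sample certificate data are constructed for illustration.

```python
import hashlib
import socket
import ssl

def issuer_of(cert):
    """Flatten the nested issuer tuples from getpeercert() into a dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}

def fingerprint(der):
    """SHA-256 of the DER-encoded leaf certificate."""
    return hashlib.sha256(der).hexdigest()

def compare(ref_fp, ref_issuer, seen_der, seen_cert):
    """Classify what this endpoint is shown against a clean-network reference."""
    seen_issuer = issuer_of(seen_cert)
    if fingerprint(seen_der) == ref_fp:
        return "match", seen_issuer
    if seen_issuer == ref_issuer:
        # Same CA, different leaf: consistent with a routine renewal.
        return "reissued-same-ca", seen_issuer
    # Different issuer: the "Issued By" mismatch the manual check looks for.
    return "issuer-changed", seen_issuer

def check_live(ref_fp, ref_issuer, host="huntress.io", port=443, timeout=10):
    """Fetch the certificate this endpoint is actually shown and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der, cert = tls.getpeercert(binary_form=True), tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An inspection CA missing from this trust store fails the handshake.
        return "verify-failed", {"error": exc.verify_message}
    return compare(ref_fp, ref_issuer, der, cert)

if __name__ == "__main__":
    # Constructed sample data (not real certificates) so the demo runs offline.
    ref_der = b"constructed-reference-leaf"
    ref_cert = {"issuer": ((("organizationName", "Constructed Public CA"),),
                           (("commonName", "Constructed CA R1"),))}
    seen_cert = {"issuer": ((("organizationName", "Constructed Firewall Vendor"),),
                            (("commonName", "Constructed Inspection CA"),))}
    ref_fp, ref_issuer = fingerprint(ref_der), issuer_of(ref_cert)
    print(compare(ref_fp, ref_issuer, ref_der, ref_cert))
    print(compare(ref_fp, ref_issuer, b"constructed-forged-leaf", seen_cert))
```

To use it against the live site, record `fingerprint()` and `issuer_of()` output on the clean network and pass them to `check_live()` on the affected endpoint.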
Note: HuntressSupport.exe is the current file. We are providing previous versions here for compatibility reasons.