Team: Huntress EDR
Product: Your site's firewall, router, DNS, PSA, and/or content filtering platforms
Environment: Huntress Management Portal
Summary: If your firewall restricts outbound traffic on port 443, the hostnames below must be added to its allow/exclusion list so that Huntress agents can communicate securely with the Huntress.io portal. Huntress does not use static IP addresses: the addresses behind these names are assigned by AWS and can change, so allow by hostname in your DNS and content filtering tools. If you run a self-hosted ticketing system (PSA, Professional Services Automation), you may also need to allow inbound traffic from Huntress to it. Finally, you may occasionally notice the Huntress agent "taking" a high-numbered local port; read on for details.
Agent communication
PSA communication (self hosted)
Active port considerations
Agent Communication
What IP addresses/ranges should be allowed so that hosts can communicate with huntress.io?
We run on a fully scalable infrastructure within the Amazon Web Services (AWS) platform paired with Cloudflare. To keep connectivity redundant and allow for failover, there are no static IP addresses to allow; rules must be based on the hostnames below, which resolve to addresses that AWS and Cloudflare assign and may change at any time.
If you restrict outbound traffic, you will need to allow outbound TCP port 443 to the following:
- *.huntress.io
- *.huntresscdn.com
- huntress-*.s3.amazonaws.com
- *.wyserver.wys
- *.bugsnag.com (used by our bug reporting software when an Agent has an issue communicating; in firewall logs the destination may appear under a reverse-DNS name such as 6.205.186.35.bc.googleusercontent.com)
The following are normally covered by the wildcards above, but if your filter does not support wildcards you will need to allow each of them explicitly. Note that the apex names (huntress.io, huntresscdn.com, wyserver.wys) and the regional S3 endpoint huntress-uploads.s3.us-west-2.amazonaws.com are not matched by every wildcard implementation, so check these specifically even if you use wildcards:
- update.huntress.io
- huntress.io
- eetee.huntress.io
- eetee.huntresscdn.com
- huntresscdn.com
- huntress-installers.s3.amazonaws.com
- huntress-updates.s3.amazonaws.com
- huntress-uploads.s3.us-west-2.amazonaws.com
- huntress-user-uploads.s3.amazonaws.com
- huntress-rio.s3.amazonaws.com
- huntress-survey-results.s3.amazonaws.com
- notify.bugsnag.com
- sessions.bugsnag.com
- wyserver.wys
- huntress-log-uploads.s3.amazonaws.com
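A practical way to confirm that a wildcard-only rule set really covers the explicit list above is to run the two lists through the matching rules your filter uses. The script below is an added example, not Huntress code: the host and pattern lists are copied from this page, but the wildcard semantics it applies (a leading "*." covers subdomains but not the apex unless told to; a "*" elsewhere matches within a single DNS label) are an assumption about how a typical firewall or content filter behaves and must be checked against your own product's documentation. It also includes a live TLS reachability check to run from a host behind the firewall once the rules are in place.

```python
"""Audit a wildcard allowlist against the explicit Huntress hostname list.

Added example, not Huntress code. Host and pattern lists are from the page;
the matching semantics are an assumption about typical firewall behaviour.
"""
import fnmatch
import socket
import ssl

# Wildcard destinations for outbound TCP/443 (from the page).
WILDCARDS = [
    "*.huntress.io",
    "*.huntresscdn.com",
    "huntress-*.s3.amazonaws.com",
    "*.wyserver.wys",
    "*.bugsnag.com",
]

# Explicit hostnames for filters without wildcard support (from the page).
EXPLICIT = [
    "update.huntress.io", "huntress.io", "eetee.huntress.io",
    "eetee.huntresscdn.com", "huntresscdn.com",
    "huntress-installers.s3.amazonaws.com",
    "huntress-updates.s3.amazonaws.com",
    "huntress-uploads.s3.us-west-2.amazonaws.com",
    "huntress-user-uploads.s3.amazonaws.com",
    "huntress-rio.s3.amazonaws.com",
    "huntress-survey-results.s3.amazonaws.com",
    "notify.bugsnag.com", "sessions.bugsnag.com",
    "wyserver.wys",
    "huntress-log-uploads.s3.amazonaws.com",
]


def _norm(name):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().lower().rstrip(".")


def matches(host, pattern, apex_included=False):
    """Return True if `host` is covered by the firewall-style `pattern`.

    Assumed semantics (common, but vendor specific):
      * a leading "*." covers any depth of subdomain, but not the apex name
        itself unless apex_included is True;
      * a "*" anywhere else matches only within one DNS label, so
        huntress-*.s3.amazonaws.com does NOT cover a regional endpoint such
        as huntress-uploads.s3.us-west-2.amazonaws.com (one extra label).
    """
    host, pattern = _norm(host), _norm(pattern)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if host == suffix:
            return apex_included
        # The leading dot matters: "evil-huntress.io" must not match.
        return host.endswith("." + suffix)
    hl, pl = host.split("."), pattern.split(".")
    if len(hl) != len(pl):
        return False
    return all(fnmatch.fnmatchcase(h, p) for h, p in zip(hl, pl))


def uncovered(hosts, wildcards=WILDCARDS, apex_included=False):
    """Hosts in `hosts` that none of `wildcards` covers, in input order."""
    return [h for h in hosts
            if not any(matches(h, w, apex_included) for w in wildcards)]


def tls_reachable(host, port=443, timeout=5.0):
    """Live check from behind the firewall: TCP connect plus a validated TLS
    handshake. Returns (ok, detail). Needs outbound network access, so it
    is only invoked from main(), never at import time.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:  # DNS, TCP and TLS failures
        return False, repr(exc)


def main():
    print("Not covered by wildcards (apex excluded):", uncovered(EXPLICIT))
    print("Not covered even when '*.x' includes the apex:",
          uncovered(EXPLICIT, apex_included=True))
    for h in EXPLICIT:
        ok, detail = tls_reachable(h)
        print(f"{'OK  ' if ok else 'FAIL'} {h}: {detail}")


if __name__ == "__main__":
    main()
```

Under the strict reading (apex excluded) the audit reports huntress.io, huntresscdn.com, wyserver.wys and the us-west-2 bucket as uncovered; even when the apex is included, the regional S3 endpoint still needs its own entry. Run the script from an endpoint on the restricted network and treat any FAIL line as a rule that is missing or a TLS-inspecting proxy that is breaking the handshake.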
For accounts with Host Isolation enabled where the site's domain controller is also the DNS server, the Huntress agent may need to fall back to Cloudflare's public DNS, so outbound UDP port 53 to 1.1.1.1 should also be allowed. Normal operation of the agent does not require this; it is strictly for Host Isolation events in which the DNS server itself could be isolated. The agent also performs a connectivity check to Cloudflare over TCP port 80 to determine whether the fallback DNS is available. See this article for more details.
PSA communication
Please note: these addresses apply only to self-hosted PSAs. Huntress initiates the PSA traffic, so your inbound rules for the PSA should allow connections from the following source IP addresses:
- 52.4.130.244
- 34.205.224.75
- 184.72.103.99
- 107.21.187.4
Active port considerations
It is rare, but occasionally you may find that Huntress is "taking" ownership of a listening port that another program wants (usually a hosting/development application such as Visual Studio or IIS). These high-numbered ports are ephemeral ports assigned at random by the operating system from its dynamic range; they are temporary and cannot be pinned or configured in Huntress. If another application needs a specific port in that range, reserve it for that application on the host rather than trying to change Huntress.
Windows: You can verify which ports Huntress is currently using by running this PowerShell command (LocalPort is the port the agent currently holds; -ErrorAction SilentlyContinue avoids errors for connections whose owning process has already exited):
Get-NetTcpConnection | Select Local*,Remote*,State,@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} | Where-Object{$_.Process -eq "HuntressAgent"}
macOS: You can verify which ports Huntress is currently using by running this terminal command:
sudo lsof -i -P | grep "Huntress"