Host isolation whitelist for RMM & cloud AV
complete
Jim Greco
We are very happy with the host isolation feature, but it would be very helpful to have the ability to whitelist our RMM even if it had to be done manually. That way we can confirm remediation and perform additional scans before restoring complete LAN access to a host. Also, many 3rd-party antiviruses are cloud hosted now. We would like the ability to whitelist the AV cloud servers so that we can continue to manage security/AV on isolated hosts. I know there is a concern that the RMM may be infected itself, so you could have a new option after isolation occurs, i.e. a manual "Allow RMM hosts" or "Allow Whitelisted hosts" button rather than having to completely remove the isolation protection to gain access. Or possibly allow whitelisted connections for X minutes.... Something to avoid having to dispatch a technician onsite for verification before completely lifting the isolation.
Joe Cimino
This seems like it might be an issue, as an isolated host would also be isolated from DNS, but maybe that could be an exception where DNS port traffic is allowed? The FQDN would work. You might pull the specifics from 'ipconfig', then natively whitelist those addresses for 53 and 853?
Just a thought, but definitely would prefer FQDN if possible for all the reasons others mention.
Jan Broucinek - GA
Not allowing FQDN makes this somewhat unworkable for hosted ScreenConnect.
Robert Dana
Merged in a post:
Isolation Exceptions
Jeff Knapp
One of the things we like about Third-Wall's Isolation implementation in/with Automate is it isolates network traffic but it allows the IPs/ports for our Automate server and ScreenConnect server to remain unblocked so we can continue to manage the machine remotely.
It would be nice to be able to tell the isolation routine "allow access to this IP from an isolated machine" so we can still remotely control it as part of the investigation phase.
I understand that there would be risks involved on this; but on an ad hoc basis it would be nice to allow the Huntress isolate routine to punch a small hole in the firewall.
Martin Twerski
Robert Dana
Jeff Knapp We just delivered IP allow lists for isolated endpoints last week (see my post in this thread I merged your request with). The feature request Martin linked to above is to extend that to DNS names.
Robert Dana
complete
We're happy to announce that we now support the configuration of a list of IP addresses that isolated endpoints can connect to. This advanced feature enables partners who do incident response regularly to work more efficiently by remotely investigating and remediating isolated hosts using their self-hosted RMM or other tooling. This feature supports static IP addresses only and will not work with cloud RMM or other tools which use dynamic IP addresses for agent connectivity.
We are marking this feature request complete but recognize that many may have wanted us to also support Cloud RMM and AV; this is a more complex feature to support in a secure way, and we chose to ship this initial version for those who are able to use it.
We've added a new feature request for extending this feature to support allow-listing for DNS addresses; please vote and share your feedback here if you would like to see this added!
Berk Mustafa
Robert Dana Thank you. Does this only support IPv4 right now?
Robert Dana
Berk Mustafa Yes.
Robert Dana
Merged in a post:
Add DNS or IPs for allow communication of Isolated systems
Michael Ferree
It would be nice if we could allow specific DNS or IPs to be able to communicate after a machine is isolated in Huntress. This would be helpful so the computer can communicate with the RMM tool and other tools that might be useful for remote control of the computer for the MSP.
Jonathan Baynes
Yes, this is really needed. Can't use our RMM when a host is isolated. Then we can't remediate without going in person. Just had to spend hours wiping a computer since we had to do it remotely.
Dale'la Considine'la
I, too, am pleading for Brodie Case. This would be insanely helpful to have. Though I am sure that there would be security issues to mull over. Namely man-in-the-middle-type attacks, where those connections would NEED to be ensured that they are going to/from the proper place... We've had some false alarms in the past where it would have been very helpful to be able to remote in and verify rather than having the remote user ship their computer back to us.
And also, also... For Brodie. Nuff said.
Salvatore'la Moen'la
We have this ability with a plugin for our RMM, so we have multiple isolation options. It would be nice to get them all to play nice together.
Eric Acker
Brodie Case needs the assist on this one!