Witness Anywhere with Stunnel

The Witness Anywhere solution uses a Proxy Auto-Configuration (PAC) file to route LLM traffic from client devices through the WitnessAI proxy for visibility, control, and guardrail enforcement.
However, many modern productivity applications, such as:
  • the Microsoft Copilot Personal thick client on Windows
  • the Safari browser, the Microsoft Office desktop suite, and other native apps on macOS
do not honor the HTTPS proxy directive (HTTPS host:port) that the PAC file returns. Their traffic then either fails to connect or bypasses the WitnessAI proxy entirely, undermining compliance, security visibility, and guardrail policies.

Solution: TLS Wrapping via Stunnel

  • Stunnel is an open-source proxy that wraps legacy or non-TLS-aware applications in a TLS tunnel.
  • Stunnel accepts plain HTTP proxy requests on the device and tunnels them over TLS to the WitnessAI proxy.
  • Witness Anywhere deploys and configures Stunnel as a local proxy tunnel, resolving the compatibility issue without touching the applications themselves.

Key Benefits

  • Compatibility Across Platforms: works with the Windows Copilot thick client and with macOS applications such as Safari that ignore HTTPS-based PAC directives.
  • Encrypted in Transit: traffic between the device and the WitnessAI proxy is carried inside the Stunnel TLS tunnel, preserving confidentiality and integrity; the only hop outside the tunnel is the loopback connection, which never leaves the device.
  • Zero Client-Side Changes: no need to reconfigure thick clients or install additional agents or certificates.
  • Rapid, Scalable Deployment: auto-installed and configured by the Witness Anywhere registration script; auto-start and background operation keep the protection persistent.

Usage

To deploy Stunnel on user machines, enable the Stunnel toggle when downloading the registration script for your operating system from the WitnessAI console.

Frequently Asked Questions

  1. Does WitnessAI use publicly available Stunnel installers or a custom build?
     The Stunnel installer used by WitnessAI is an in-house compiled build based on the open-source Stunnel code and is digitally signed by WitnessAI. Verify that signature before deployment (for example with Get-AuthenticodeSignature in PowerShell on Windows, or codesign --verify, or pkgutil --check-signature for a .pkg, on macOS) so that an unsigned or differently signed binary is caught.
  2. How does Stunnel intercept user traffic?
     When Witness Anywhere is deployed with the Stunnel configuration enabled, Stunnel is installed within the user profile and configured to listen on the loopback interface. The PAC file then steers traffic to that listener:
       • On Windows: Copilot Personal traffic is routed to the loopback listener, while all other LLM traffic is sent directly to the WitnessAI proxy.
       • On macOS: all AI traffic is routed to the loopback listener.
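The routing just described, as an added example (this is not the PAC file that Witness Anywhere ships): a FindProxyForURL function that sends the relevant hosts to the loopback Stunnel listener and other LLM hosts to the WitnessAI proxy via the PAC HTTPS directive. The host lists, the loopback port 8080, the proxy address proxy.witnessai.example and the Stunnel settings in the header comment are all assumptions for illustration; the real values are generated by the registration script. The domain matching is implemented inline instead of using the PAC built-in dnsDomainIs so that the same file also runs under Node.js for testing.

```javascript
// Added example, not WitnessAI's shipped PAC file. Hostnames, loopback port
// and proxy address are assumptions chosen for illustration.
//
// Stunnel client section this PAC file assumes is listening on loopback
// (illustrative; the real Witness Anywhere config is generated by the
// registration script):
//
//   [witnessai]
//   client      = yes
//   accept      = 127.0.0.1:8080               ; loopback listener the PAC targets
//   connect     = proxy.witnessai.example:443  ; WitnessAI proxy, reached over TLS
//   verifyChain = yes                          ; validate the proxy's certificate chain
//   checkHost   = proxy.witnessai.example      ; and that it was issued for the proxy

"use strict";

const STUNNEL_LOOPBACK = "PROXY 127.0.0.1:8080";          // assumed Stunnel listener
const WITNESS_PROXY = "HTTPS proxy.witnessai.example:443"; // assumed proxy, PAC "HTTPS" directive

// Assumed host lists; in production these come from the WitnessAI console.
const COPILOT_HOSTS = ["copilot.microsoft.com"];
const OTHER_AI_HOSTS = ["chatgpt.com", "openai.com", "gemini.google.com"];

// Suffix match on DNS label boundaries (same semantics as the PAC built-in
// dnsDomainIs), so "evilchatgpt.com" does not match "chatgpt.com".
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function isLoopback(host) {
  return host === "localhost" || host === "127.0.0.1" || host === "::1" || inDomain(host, "localhost");
}

// Build FindProxyForURL for one platform. Witness Anywhere ships a separate
// PAC file per OS; here the platform is a parameter so both can be compared.
function buildFindProxyForURL(platform) {
  return function FindProxyForURL(url, host) {
    const h = host.toLowerCase();

    // Never proxy loopback, or the Stunnel listener's own connections would loop.
    if (isLoopback(h)) return "DIRECT";

    const copilot = COPILOT_HOSTS.some((d) => inDomain(h, d));
    const otherAI = OTHER_AI_HOSTS.some((d) => inDomain(h, d));

    // Only LLM traffic is steered through WitnessAI; everything else is direct.
    if (!copilot && !otherAI) return "DIRECT";

    // No "; DIRECT" fallback is appended after the loopback directive: if
    // Stunnel is not listening the request fails instead of silently bypassing
    // the proxy (fail closed).
    if (platform === "windows") {
      // Copilot Personal ignores the HTTPS directive, so it goes via Stunnel;
      // other AI traffic can use the TLS proxy directly.
      return copilot ? STUNNEL_LOOPBACK : WITNESS_PROXY;
    }
    // macOS: Safari and Office ignore the HTTPS directive, so all AI traffic
    // goes via Stunnel.
    return STUNNEL_LOOPBACK;
  };
}

const windowsFindProxyForURL = buildFindProxyForURL("windows");
const macFindProxyForURL = buildFindProxyForURL("mac");

// Stand-alone demonstration: print the decision for a few constructed hosts.
if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["windows", "https://copilot.microsoft.com/", "copilot.microsoft.com"],
    ["windows", "https://chatgpt.com/", "chatgpt.com"],
    ["windows", "https://www.example.com/", "www.example.com"],
    ["mac", "https://chatgpt.com/", "chatgpt.com"],
    ["mac", "https://evilchatgpt.com/", "evilchatgpt.com"],
  ];
  for (const [platform, url, host] of cases) {
    const f = platform === "windows" ? windowsFindProxyForURL : macFindProxyForURL;
    console.log(platform.padEnd(7), host.padEnd(24), "->", f(url, host));
  }
}
```

Two design points carry over to any real PAC file: match hosts on DNS label boundaries rather than with a substring test, and do not append a DIRECT fallback after the loopback directive, because a fallback turns a stopped Stunnel into a silent proxy bypass. Run the file with node to print the decision for the sample hosts.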
  3. Can Stunnel installation be skipped if the organization does not use Copilot Personal or Safari on macOS?
     On Windows: yes. If the Copilot Personal thick client is not installed or is blocked, Stunnel is not required.
     On macOS: if neither Safari nor the Microsoft Office thick clients are used, Stunnel can be safely omitted.
  4. Do end users have the ability to control the Stunnel service, such as stopping or restarting it?
     No. Stunnel files are stored in protected system directories and cannot be accessed or modified without administrative privileges.
  5. How can we verify that Stunnel is functioning correctly and confirm its connectivity to the WitnessAI proxy?
     On Windows: open Microsoft Copilot Personal, using either the desktop application or a supported web browser, and submit a prompt. If the activity appears in the WitnessAI console, Stunnel is operating as expected.
     On macOS: open ChatGPT or Gemini in Safari, or use Microsoft Copilot within Word, and submit a prompt. If the activity is visible in the WitnessAI console, Stunnel is working as intended.
     If the prompt does not appear, first confirm that a Stunnel process is running and listening on the loopback port the PAC file points at (netstat -ano on Windows, lsof -nP -iTCP -sTCP:LISTEN on macOS), then check that the PAC file has actually been applied to the affected application.
  6. How can Stunnel be properly uninstalled if it is no longer required in the future?
     Run the Flush script available in the WitnessAI console for your operating system. The script unenrolls the device from Witness Anywhere and deletes all Stunnel-related components.