Anydesk issue.

L1 Bithead

Hi!

 

Actually I think @Nehmaan provided a better solution to this problem. You should try it. I use it myself.

L1 Bithead

I came up with another solution. I imported the certificates these Anydesk "relay" servers use.

 

After some investigations, I found Anydesk was using INTERNALLY created certificates for these relays and since they are internal, there is no way the PAs will trust them. If the PA does not trust the certificate Root it WILL NOT let decryption or even no-decryption work for that site, it simply stops access to it.

 

I noticed in my logs that the client kept hitting various sites of URL relay-xxxxxxx.net.anydesk.com (i.e. relay-dbb2d168.net.anydesk.com). Browsing to that URL would forward you to the Anydesk site, so you couldn't get the SSL certificates it was using. To grab them I had to use https://www.ssllabs.com/ssltest/index.html then I entered the relay URL (relay-dbb2d168.net.anydesk.com) in this tool and let it run.

 

It returns the following certificates

[Screenshot: certificatesfound.png]

The benefit of this SSL checker is that it lets you download the certificates it finds, so I just downloaded both of them (AnyNet Root CA and AnyNet Relay) and imported them into my PA Certificates section. I also ticked "Trusted CA" for the AnyNet Root CA.

[Screenshot: Annotation 2020-07-06 175218.png]

To be 100% I also added *.net.anydesk.com into my no-decrypt policy and into the ssl-decryption-exclusion section under Certificate Management.

 

Here are the certificates for you to paste them into a text file and save as a .cer for import.  If you wish you can use https://www.sslshopper.com/certificate-decoder.html and copy the below certificate texts to confirm they are legitimate.

 

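A check to run on certificate text copied from a post like the one above before importing it, added here as an example and not part of the original thread: it splits the pasted PEM blocks, rejects truncated blobs, and compares each SHA-256 fingerprint with one you obtained yourself from the relay. The function names and the sample blob are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate (a DER SEQUENCE of 256 filler bytes),
# not AnyDesk's certificate; it only exists so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).decode().replace("\n", " \xa0\r\n")
              + "-----END CERTIFICATE-----")

def pem_blocks_to_der(text):
    """Return the DER bytes of every CERTIFICATE block in pasted text."""
    ders = []
    for body in PEM_RE.findall(text):
        # Forum software adds spaces, CRLFs and non-breaking spaces; drop them.
        ders.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    return ders

def der_is_complete(der):
    """True if the blob is one DER SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as certificate viewers display it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def matches_reference(der, reference_fp):
    """Compare against a fingerprint obtained independently of the pasted text."""
    norm = re.sub(r"[^0-9A-Fa-f]", "", reference_fp).upper()
    return der_is_complete(der) and sha256_fingerprint(der).replace(":", "") == norm

if __name__ == "__main__":
    for der in pem_blocks_to_der(SAMPLE_PEM):
        print(der_is_complete(der), sha256_fingerprint(der))
```

The length check only catches truncated or padded pastes; it does not validate the certificate's contents, so the fingerprint comparison against an independently obtained value is what establishes that the file is the one the relay presents.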

 

 

L1 Bithead

Not sure what happened to my last post, it hasn't come up (maybe because I included a certificate code) but I believe I found a quick solution.

 

Essentially I discovered my clients were hitting Anydesk relay sites of relay-xxxxxxx.net.anydesk.com (i.e. relay-dbb2d168.net.anydesk.com). I used https://www.ssllabs.com/ssltest/index.html to check the above URL to see what certificates it was using and it's using INTERNALLY created certificates (WTF). No wonder why the PAs are denying it entirely!

 

NOTE: you cannot see its certificates just by browsing to the URL as it has an auto-forward to the Anydesk main site.

 

[Screenshot: certificatesfound.png]

 

The ssllabs site lets you download the certificates it discovers, you then need to import them into your PA and mark the AnyNet Root CA as a trusted Root CA and then it will work.

 

[Screenshot: Annotation 2020-07-06 175218.png]

 

I also added *.net.anydesk.com as a decryption exception.

L0 Member

Adding the AnyNet Root/Relay certs resolved it for me immediately.

 

Great find, thanks!
