Anydesk issue.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Anydesk issue.

Hi everyone!
I have some issues with anydesk application. It has ssl issue because of decryption, I think.

I've added *.anydesk.com ind 'SSL decryption exclusion', but it didn't worked.

Maybe some of you have faced such kind of issue?

Thanks in advance!

anydesk.jpg

41 REPLIES 41

OK got this working for now but not exactly the way I want. 

 

1) Tag

Nehmaan_2-1582713340970.png

 

2) Address Group

Nehmaan_1-1582713306695.png

 

3) SSL Decryption Policy

Nehmaan_3-1582713514583.png

 

4) Log Forwarding

Nehmaan_4-1582713614994.png

 

5) Built-in Actions

Nehmaan_5-1582713658530.png

 

6) Security Rule

Nehmaan_6-1582713791350.png

 

Hello, guys!

 

I met this issue and found out the root cause. Many of you know that desktop applications often check certificate. Anydesk does it. So we need to exclude it from SSL decryption, but here is the trick: *.anydesk.com works only for Anydesk website (NGFW detects web-browsing application, see that URL match *.anydesk and exclude the session from decryption), but it doesn't work for the desktop application and here is why: 

I made a little investigation and found out that the application makes DNS query for random URL, generated upon installation. (Guess it called DGA, but correct me if I wrong)

 

Here is an example:1.png

 

Then it establishes TCP session to IP, that was previously taken from DNS Query and that's all:

1 (1).png

So our exclusion rules will not work for IP. 

 

Solution:

 

1. Go to Monitor>Traffic and filter logs by application "Anydesk".

2. Export logs to CSV and open it in Excel

3. Find Destination IP column, select all items and delete duplicates

4. Copy this list to *.txt file and create EDL. 

5. Use this EDL in No-Decrypt policy

6. PROFIT!

 

You also can go further. According to WHOIS service - backend IP addresses are located in different DCs all over the world. You can take IPs you found in logs and find the whole IP ranges in WHOIS info and use these ranges in EDL. But it doesn't seem safe to me, because many of those IPs in IP range can be used by other applications, not Anydesk, so this is a potential risk.

Looks cool!

But I think 6 should be after 3. Because you use the security rule name in the filter in Log Forwarding settings

Yes, On the assumption that the security rules doesn't exist. It does in my case. 

Hi @Ilya_Kuranov 

 

Could you please show me how to create a custom EDL IPv4 with Minemeld. Currently I have created and using Office365 IPv4 list but I don't know how to create a custome EDL IPv4 list with a text file as you mentioned.

Hi!

 

Actually I think @Nehmaan  provided a better solution to this problem. You should try it. I use it myself.

I came up with another solution. I imported the certificates these Anydesk "relay" servers use.

 

After some investigations, I found Anydesk was using INTERNALLY created certificates for these relays and since they are internal, there is no way the PAs will trust them. If the PA does not trust the certificate Root it WILL NOT let decryption or even no-decryption work for that site, it simply stops access to it.

 

I noticed in my logs, that the client kept hitting various sites of URL relay-xxxxxxx.net.anydesk.com (ie:relay-dbb2d168.net.anydesk.com). Browsing to that URL would forward you to the Anydesk site, so you couldn't get the SSL certificates it was using.  To grab them I had to use https://www.ssllabs.com/ssltest/index.html then I entered the relay URL (relay-dbb2d168.net.anydesk.com) in this tool and let it run.

 

It returns the following certificates

certificatesfound.png

The benefit of this SSL checker is that it lets you download the certificates it finds so I just downloaded both of them (AnyNet Root CA and AnyNet Relay) and imported them into my PA Certificates section. I also ticked "Trusted CA" for the AnyNet Root CA

Annotation 2020-07-06 175218.png

To be 100% I also added *.net.anydesk.com into my no-decrypt policy and into the ssl-decryption-exclusion section under Certificate Management.

 

Here are the certificates for you to paste them into a text file and save as a .cer for import.  If you wish you can use https://www.sslshopper.com/certificate-decoder.html and copy the below certificate texts to confirm they are legitimate.

 

AnyNet Root CA

-----BEGIN CERTIFICATE-----
MIIFYzCCA0ugAwIBAgIJAIf7DQy3sYvoMA0GCSqGSIb3DQEBBQUAMEgxFzAVBgNVBAMMDkFueU5l
dCBSb290IENBMSAwHgYDVQQKDBdwaGlsYW5kcm8gU29mdHdhcmUgR21iSDELMAkGA1UEBhMCREUw
HhcNMTQwNDExMDIzNzU1WhcNMjQwNDA4MDIzNzU1WjBIMRcwFQYDVQQDDA5BbnlOZXQgUm9vdCBD
QTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgxCzAJBgNVBAYTAkRFMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtBVBDdoa01og/vnfvwqM8aSt79RUlufigrcNAOrxN+LX
jKEWO6BoCDiqbdsmvqZpkzaojh5w3KyBHuLdFoM0tRVw9YrNne5dgHxaeKIHpK7m+NYx+lx7u+Ba
61Evl7/2+zMnkLPY5ODNaDtqh2ymDefYvWHfVmsq4Rwr9Z+/hd2MWwYecX+6SqZAsHcX6iw/W5QU
hS6tEWGriPYBu7NHa+KBGPGOOebYewxjhoOscIR1Jy01PXt7qM6ySHkIOC2CJn6TSzJ2ZoWn/crx
Ci/HYg9qQP4aa1gcU+RjwXWDmqt4BEmDH+cjcJ+jv2jRMy9M3l6GmH1hfQE09Zzpy0FrrlArZ9XZ
8gL8X6NSNLncZ+/6c8WUQOq1iveY7Oibu4ZsbzY3ioCMn4T2ykp2InKNUn2FdU1V762v8+UWIwBb
6Lbtfp8ugEvu1V/cZemJ3NumQwS7zv2pTC8ZM6rmcSCG/kWLl+bIHU9wusfAw/Om8trCpBvdiU7s
HNp7JI+qQvkUMoNoY8gmvOwTsw0L4rYIxsYGfqMWbxXSGxZSPB8ikSUXFcxCgto7qDnHKlDK2Uyg
jJUzdQNwuN+gybKyixs4g3kywxLaM5ZC9JERqsYmMbzqQ4owVGXFQ55QO/qRkw6dOyNKPUPBxiKb
aK8v/AGAUhgFIg69auQuydbsxY/zE7MCAwEAAaNQME4wHQYDVR0OBBYEFBlleQaAxt6yqliZV7I2
XO0BYo1HMB8GA1UdIwQYMBaAFBlleQaAxt6yqliZV7I2XO0BYo1HMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADggIBALOqRxekr9JgNBWtJdWOKF7BqrGNMFabR3by4CBUBj3xI8Lvu6Hyn+Or
DAa/VF4MGjVWbeGTS8WZX5CGflKDlKCgRzby/PLCTXDJyW40XKcPBP3rFl6KvoY7oAxzf6P1Xz0r
xUEMZwrjSCvKYvapmh7J5ES8F/nbXEWYCWnsyGPvhSlOce35maxJIIqQvFmO8fOlmZkS46d75Wg0
q1NarfFEyrp/wqZzkhDqjLHGydXkXisPHkqT+W1MBoWQZVHTicwuomu15PDqNzWpfcDLhxIycpMh
UYEdowzKlviB9JKgr/cZJPPmzeoRKcnxKR2yKxgatKPAWMRwOXiniNd0MsKAYoNY47Q+JbhWLGB3
UiWqYTLRl413JDQkxdvy3WHI7WNXDsJw5R9S3WxvOLLa7Z2nL4f6s3DlZE35wwLVRtofy/BYIPxE
lvDKtps55s8n0CyZdNTK3keI7d/3nDusimLSdZDZAIHT+MJHjpq9h23O5Zp/KHakd8Y/ub9N8cvf
Dyxz/rRg4yZeg/KuNlaU6aedoT3KXW49Xahv8qWP855ohSfs6WeFNBYNRTQUjgcMeyVRVPM/oSrv
mheeUd4WZPvd4ciUCYw5u3dz1Ga7SStc+itXi2at96hwO4+eCXHeEi7tAhBM1Wcecv86PjRtkmA9
RF70IWDubC46cxrDJmr0
-----END CERTIFICATE-----

 

 

 

AnyNet Relay

-----BEGIN CERTIFICATE-----
MIIECjCCAfICCQCU2suhOazUYTANBgkqhkiG9w0BAQsFADBIMRcwFQYDVQQDDA5B
bnlOZXQgUm9vdCBDQTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgx
CzAJBgNVBAYTAkRFMB4XDTE4MTExMjE4MDUzOVoXDTI4MTEwOTE4MDUzOVowRjEL
MAkGA1UEBhMCREUxIDAeBgNVBAoMF3BoaWxhbmRybyBTb2Z0d2FyZSBHbWJIMRUw
EwYDVQQDDAxBbnlOZXQgUmVsYXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC6ysgUWfAYUkJb68TFtX+MtdpN0+uCDnqnFV+kSdMhlazT3Z2WIlEeAIwk
H0KDrOJ2oUZaYo+N15CmMhu5pmlobXnPSHq4E4k6Z7NCCqLsgJFUpowCrshADFe7
BflWC3D16n0seoElsphBQNYZorlEr3TziGdVqwcjCqYu3Eyhd9akCcW94T2Is31E
Llah1xBeSoVewzoP3L7uoIjCNIYGsIgU/7SYERkdcFiZwVHI/hgQN1E0q38lbSjC
4/V4LpXwfJoEbktT7TZDOSAk9LSUHYRr43BwyPiANJKTEkCyWTv4kjfRdMAcywak
twifQbR2gYgJKpLzXTIg8CaW5NFFAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAGqM
On7XkIok+ZA56KH+v/3b4ltTkaZnY+8CM/7D4gjCwbAeer5/WJBIFNCAk+FY3tym
t9CfkshsAJqL9zh9neIF1UFy+cTBeCCZ8P8GP8pPzV8/1NecAHBa+Owbj6oX9yao
SAyiw9OoFUqTBIUGvGeWmLF0cVTD4xonBo0woJ1KJKYLPCk32eyA3QdehNJlPeH5
wqASanvIQb4jQU6GXZWbzYR6SOcYg9ofRUAXXK/7cUI2Kdxrq7DGAO5IwTDEnMv/
c+cnZuRiIWbf8syiDvPrJ4valyfgxnhi12QGHjlKUPgEhsbWazEnAYqmenljKuOn
DKFOiPdfGM6ep/AncGzC5H+wHO3OIqeBLNJb/0sjEfnJuP/OCZlYC1T9SLV760cp
fgj23xUBm4JbXAf1SxuZ85urYEOguNgsaRG1BbKOOZeUA5edQHwpXaIddfTG2ke5
MvU8qcoI+Cu0nM5PUKRarNYVTflkTn9gsT/2tCbr7Lzdr+IWkuCuocnOZK3j3pBk
1I3ZWwnf5LSNE/puo+G4jeverBV8yMiGhWeFj272VvFjuyl60JK6fl+3fPm1IgCM
3ZiW/a5SZN+Xs4zK3dIzoAp1XlwSZ9l3oVr2UWh7l+aFiPxX4lS37tyjLF46tTBp
3w2M1LSWZuOgnuf4TXpPwTAVve8nLoxIpKGhQozQ
-----END CERTIFICATE-----

 

 

L1 Bithead

Not sure what happened to my last post, it hasn't come up (maybe because I included a certificate code) but I believe I found a quick solution.

 

Essentially I discovered my clients were hitting Anydesk relay sites of relay-xxxxxxx.net.anydesk.com (ie: relay-dbb2d168.net.anydesk.com). I used https://www.ssllabs.com/ssltest/index.html to check the above URL to see what certificates it was using and it's using INTERNALLY created certificates (WTF). No wonder why the PAs are denying it entirely!

 

NOTE: you cannot see its certificates jsut by browsing to the URL as it has an auto-forward to the Anydesk main site.

 

certificatesfound.png

 

The ssllabs site lets you download the certificates it discovers, you then need to import them into your PA and mark the AnyNet Root CA as a trusted Root CA and then it will work.

 

Annotation 2020-07-06 175218.png

 

I also added *.net.anydesk.com as a decryption exception.

Adding the AnyNet Root/Relay certs resolved it for me immediately.

 

Great find, thanks!

Now it works. Thank you!!! 

Claudio VERNIANI Pae

Anynet Relay certificate, doesn't seem to be a CA Certificate, so it cannot be marked as trusted CA once imported into Paloalto.

Anyone has this problem?

Same problem.

 

Is there a definitive solution for this?

 

The provided instructions are not working.

Now it works. Thank you !

 

L3 Networker

Hello,

 

For a period of time, the solution proposed by @dcaporetto worked also for me, but starting with one month ago I start having problems with Anydesk clients. After investigation, the following solution work for my PA:

 

Update on April 10th, 2024:

Because I saw that there is interest in managing Anydesk traffic through the Palo Alto Networks firewall and the changes from April 2024, I decided to update this. In fact, at least one change in the decryption profile is necessary, that is, to stop verifying the issuer of the certificate because we have no way until we can obtain the new AnyDesk Root CA 2 certificate.

 

Update 2 on April 10th, 2024: (a big Thank You! for @S-Battermann, because we have now the new AnyDesk Root CA 2 certificate)

  1. Unzip the AnyDesk-Root-CA-2.zip attached file
  2. Import into firewall the AnyNet Root CA 2 certificate (AnyDesk ROOT CA 2.crt) and marked as Trusted Root CA.
    • Anydesk-ROOT-CA-2_Certificate.png

       

  3. Create a service object for TCP 80 and 6568
    • AnyDesk-ports.png
  4. Create a custom URL list for: 
    • anynet%20relay/
    • anynet%20relay:80/
    • anynet%20relay:6568/
    • anynet relay:6568/
    • anynet relay:80/
    • anynet relay/
    • *.net.anydesk.com/
    • AnyDesk-URL.png

       

  5. Create a decryption profile with "Block sessions with expired certificates" and "Block sessions with untrusted issuers" checked on No Decryption tab
    • AnyDesk-Decrypt-Profile.png
  6. Create a decryption policy with action of NO-DECRYPT using custom URL categories and services configured above as match criteria and action of NO-DECRYPT
    • Anydesk-Decrypt-Policy.png

Note: If your service object includes only destination port 6568, then in your decryption policy you need to include also service-http, on service criteria.

Cheers,
Cosmin

Can you make us some screenshots?

Thank you

  • 35048 Views
  • 41 replies
  • 1 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!