02-11-2021 05:43 AM - edited 03-22-2021 01:45 AM
Hello,
I am being asked a lot about why Anydesk is getting a "decrypt-error" end reason when SSL Decryption is active.
Here is a simple explanation and how to overcome this.
What you are usually going to do with this kind of error is create a Decryption bypass rule for Anydesk (in this example).
Since it is impossible to bypass based on application, you would probably use a Custom URL category with a wildcard (*.anydesk.com), and apply it in a bypass rule. Unfortunately, this doesn't work (I'm not sure why, I think Anydesk uses IP addresses and not URLs).
The other option I came across is using an FQDN (relays.net.anydesk.com) published in one of the related articles; that also didn't work for me. It was not consistent.
Then I found that Anydesk is being bypassed by default in PANOS (Device --> Certificate management --> SSL Decryption Exclusion).
Then why isn't it being bypassed?!
Well, it is because of the certificate Anydesk uses. It is using a Self-Signed certificate, and your device does not trust it (yet).
This is the reason for the decrypt-error.
Basically, what you would like to do now is:
Start a packet capture and export the CA certificate.
Then, import the certificate to your device, and mark it as a trusted CA.
Commit, and now Anydesk should work.
I am sharing here the CA certificate currently being used by Anydesk.
Copy the text below to a text file and rename it to ".crt"
Hope this is helpful.
Cheers!
04-17-2024 07:00 AM
AnyNet Root CA 2 Certificate
08-14-2025 09:11 PM - edited 08-14-2025 09:37 PM
Just as an FYI to all that come across this in the future, there is a much easier solution to this that does not require anything such as a new custom URL category, for the reasons below.
As an addendum, your other alternative is to configure split tunneling for the application itself and never have to think about AnyDesk not working ever again.
The AnyDesk application does not communicate via a hostname, i.e. DNS, to these relay servers. The misleading part to this problem is that you expect an application to use a hostname since from an infrastructure POV it would be easier to manage scaling through DNS, but what AnyDesk do is hardcode the relay addresses into the application and they update the list as they update the software. If you are at all curious, you can tshark/wireshark/packet capture during boot of the application to see what the IPs are that are loaded in.
I did not see a benefit to adding in the Root CA to the NGFW since it didn't help and AnyDesk was connecting regardless of whether I had it or not...the way the application actually behaves does not follow the logic you come to expect from most remote access software.
They instead do direct IP connections over 443 to relay-*randomChars*.net.anydesk.com. As another FYI, PAN recommends blocking "Unknown" so this isn't to say you should be doing the below. It's more that if you are in serious need to get AnyDesk to work then this is the way.
What you need to check is the below. I do not have a specific security rule for this and instead this traffic falls into a policy like this.
Security Policy
URL Filtering Policy
The category "Unknown" is either set to Alert or Allow (your preference but I recommend Alert so that it is logged)
Decryption Profile
This is the decryption profile I have, for those that aren't sure if it matters or not (it doesn't).
For anyone who is trying to follow earlier replies, I strongly advise against selecting both of these and just tick "Block sessions with expired certificates". It may have some serious impact like breaking Windows Update. Not a coincidence either, since the same behaviour was observed on numerous machines when this option was turned on (the only remedy was reinstalling Windows).
Blocking Sessions with Untrusted Issuers will only result in a serious number of decryption errors and the way that many businesses do their certificate chains, like Microsoft, does not bode well for this particular config option. Your browser and company's security policy should already take care of this.
TLS/SSL Decryption
The URL category "Unknown" is a part of your "No Decrypt" Policy.
Device > Certificate Management > Device Certificates > Certificates
AnyDesk before and after "unknown" URL category is added to No Decrypt policy
AnyDesk Connected