This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

dcaporetto
L1 Bithead
In response to Ilya_Kuranov

‎07-06-2020 12:59 AM - edited ‎07-06-2020 01:02 AM

I came up with another solution. I imported the certificates these Anydesk "relay" servers use.

 

After some investigations, I found Anydesk was using INTERNALLY created certificates for these relays and since they are internal, there is no way the PAs will trust them. If the PA does not trust the certificate Root it WILL NOT let decryption or even no-decryption work for that site, it simply stops access to it.

 

I noticed in my logs, that the client kept hitting various sites of URL relay-xxxxxxx.net.anydesk.com (ie:relay-dbb2d168.net.anydesk.com). Browsing to that URL would forward you to the Anydesk site, so you couldn't get the SSL certificates it was using.  To grab them I had to use https://www.ssllabs.com/ssltest/index.html then I entered the relay URL (relay-dbb2d168.net.anydesk.com) in this tool and let it run.

 

It returns the following certificates

certificatesfound.png

The benefit of this SSL checker is that it lets you download the certificates it finds so I just downloaded both of them (AnyNet Root CA and AnyNet Relay) and imported them into my PA Certificates section. I also ticked "Trusted CA" for the AnyNet Root CA

Annotation 2020-07-06 175218.png

To be 100% I also added *.net.anydesk.com into my no-decrypt policy and into the ssl-decryption-exclusion section under Certificate Management.

 

Here are the certificates for you to paste them into a text file and save as a .cer for import.  If you wish you can use https://www.sslshopper.com/certificate-decoder.html and copy the below certificate texts to confirm they are legitimate.

 

AnyNet Root CA

-----BEGIN CERTIFICATE-----
MIIFYzCCA0ugAwIBAgIJAIf7DQy3sYvoMA0GCSqGSIb3DQEBBQUAMEgxFzAVBgNVBAMMDkFueU5l
dCBSb290IENBMSAwHgYDVQQKDBdwaGlsYW5kcm8gU29mdHdhcmUgR21iSDELMAkGA1UEBhMCREUw
HhcNMTQwNDExMDIzNzU1WhcNMjQwNDA4MDIzNzU1WjBIMRcwFQYDVQQDDA5BbnlOZXQgUm9vdCBD
QTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgxCzAJBgNVBAYTAkRFMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtBVBDdoa01og/vnfvwqM8aSt79RUlufigrcNAOrxN+LX
jKEWO6BoCDiqbdsmvqZpkzaojh5w3KyBHuLdFoM0tRVw9YrNne5dgHxaeKIHpK7m+NYx+lx7u+Ba
61Evl7/2+zMnkLPY5ODNaDtqh2ymDefYvWHfVmsq4Rwr9Z+/hd2MWwYecX+6SqZAsHcX6iw/W5QU
hS6tEWGriPYBu7NHa+KBGPGOOebYewxjhoOscIR1Jy01PXt7qM6ySHkIOC2CJn6TSzJ2ZoWn/crx
Ci/HYg9qQP4aa1gcU+RjwXWDmqt4BEmDH+cjcJ+jv2jRMy9M3l6GmH1hfQE09Zzpy0FrrlArZ9XZ
8gL8X6NSNLncZ+/6c8WUQOq1iveY7Oibu4ZsbzY3ioCMn4T2ykp2InKNUn2FdU1V762v8+UWIwBb
6Lbtfp8ugEvu1V/cZemJ3NumQwS7zv2pTC8ZM6rmcSCG/kWLl+bIHU9wusfAw/Om8trCpBvdiU7s
HNp7JI+qQvkUMoNoY8gmvOwTsw0L4rYIxsYGfqMWbxXSGxZSPB8ikSUXFcxCgto7qDnHKlDK2Uyg
jJUzdQNwuN+gybKyixs4g3kywxLaM5ZC9JERqsYmMbzqQ4owVGXFQ55QO/qRkw6dOyNKPUPBxiKb
aK8v/AGAUhgFIg69auQuydbsxY/zE7MCAwEAAaNQME4wHQYDVR0OBBYEFBlleQaAxt6yqliZV7I2
XO0BYo1HMB8GA1UdIwQYMBaAFBlleQaAxt6yqliZV7I2XO0BYo1HMAwGA1UdEwQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADggIBALOqRxekr9JgNBWtJdWOKF7BqrGNMFabR3by4CBUBj3xI8Lvu6Hyn+Or
DAa/VF4MGjVWbeGTS8WZX5CGflKDlKCgRzby/PLCTXDJyW40XKcPBP3rFl6KvoY7oAxzf6P1Xz0r
xUEMZwrjSCvKYvapmh7J5ES8F/nbXEWYCWnsyGPvhSlOce35maxJIIqQvFmO8fOlmZkS46d75Wg0
q1NarfFEyrp/wqZzkhDqjLHGydXkXisPHkqT+W1MBoWQZVHTicwuomu15PDqNzWpfcDLhxIycpMh
UYEdowzKlviB9JKgr/cZJPPmzeoRKcnxKR2yKxgatKPAWMRwOXiniNd0MsKAYoNY47Q+JbhWLGB3
UiWqYTLRl413JDQkxdvy3WHI7WNXDsJw5R9S3WxvOLLa7Z2nL4f6s3DlZE35wwLVRtofy/BYIPxE
lvDKtps55s8n0CyZdNTK3keI7d/3nDusimLSdZDZAIHT+MJHjpq9h23O5Zp/KHakd8Y/ub9N8cvf
Dyxz/rRg4yZeg/KuNlaU6aedoT3KXW49Xahv8qWP855ohSfs6WeFNBYNRTQUjgcMeyVRVPM/oSrv
mheeUd4WZPvd4ciUCYw5u3dz1Ga7SStc+itXi2at96hwO4+eCXHeEi7tAhBM1Wcecv86PjRtkmA9
RF70IWDubC46cxrDJmr0
-----END CERTIFICATE-----

 

 

 

AnyNet Relay

-----BEGIN CERTIFICATE-----
MIIECjCCAfICCQCU2suhOazUYTANBgkqhkiG9w0BAQsFADBIMRcwFQYDVQQDDA5B
bnlOZXQgUm9vdCBDQTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgx
CzAJBgNVBAYTAkRFMB4XDTE4MTExMjE4MDUzOVoXDTI4MTEwOTE4MDUzOVowRjEL
MAkGA1UEBhMCREUxIDAeBgNVBAoMF3BoaWxhbmRybyBTb2Z0d2FyZSBHbWJIMRUw
EwYDVQQDDAxBbnlOZXQgUmVsYXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC6ysgUWfAYUkJb68TFtX+MtdpN0+uCDnqnFV+kSdMhlazT3Z2WIlEeAIwk
H0KDrOJ2oUZaYo+N15CmMhu5pmlobXnPSHq4E4k6Z7NCCqLsgJFUpowCrshADFe7
BflWC3D16n0seoElsphBQNYZorlEr3TziGdVqwcjCqYu3Eyhd9akCcW94T2Is31E
Llah1xBeSoVewzoP3L7uoIjCNIYGsIgU/7SYERkdcFiZwVHI/hgQN1E0q38lbSjC
4/V4LpXwfJoEbktT7TZDOSAk9LSUHYRr43BwyPiANJKTEkCyWTv4kjfRdMAcywak
twifQbR2gYgJKpLzXTIg8CaW5NFFAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAGqM
On7XkIok+ZA56KH+v/3b4ltTkaZnY+8CM/7D4gjCwbAeer5/WJBIFNCAk+FY3tym
t9CfkshsAJqL9zh9neIF1UFy+cTBeCCZ8P8GP8pPzV8/1NecAHBa+Owbj6oX9yao
SAyiw9OoFUqTBIUGvGeWmLF0cVTD4xonBo0woJ1KJKYLPCk32eyA3QdehNJlPeH5
wqASanvIQb4jQU6GXZWbzYR6SOcYg9ofRUAXXK/7cUI2Kdxrq7DGAO5IwTDEnMv/
c+cnZuRiIWbf8syiDvPrJ4valyfgxnhi12QGHjlKUPgEhsbWazEnAYqmenljKuOn
DKFOiPdfGM6ep/AncGzC5H+wHO3OIqeBLNJb/0sjEfnJuP/OCZlYC1T9SLV760cp
fgj23xUBm4JbXAf1SxuZ85urYEOguNgsaRG1BbKOOZeUA5edQHwpXaIddfTG2ke5
MvU8qcoI+Cu0nM5PUKRarNYVTflkTn9gsT/2tCbr7Lzdr+IWkuCuocnOZK3j3pBk
1I3ZWwnf5LSNE/puo+G4jeverBV8yMiGhWeFj272VvFjuyl60JK6fl+3fPm1IgCM
3ZiW/a5SZN+Xs4zK3dIzoAp1XlwSZ9l3oVr2UWh7l+aFiPxX4lS37tyjLF46tTBp
3w2M1LSWZuOgnuf4TXpPwTAVve8nLoxIpKGhQozQ
-----END CERTIFICATE-----

 

 

(4)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks