SSL/TLS Exception for Anydesk

Unfortunately https://community.sophos.com/sophos-xg-firewall/f/discussions/123967/how-to-allow-or-block-anydesk-when-using-tls-scanning is now locked, which is why you will have had to create a new post here.

If those providing answers read the original post, they will see this is nothing to do with URLs. Anydesk uses IP connections, not URLs for the remote access sessions, hence the need to create an IP list and exempt that from scanning, which is what the OP was asking about.

I'm glad you figured out how to do it hoosty. For those coming across this post as a search result, here is the rule I use (pick 'Rule and Policies' on the left, then the 'SSL/TLS inspection rules' on the top tab). It's very standard stuff, which is why I didn't put it in the original post, but if you aren't used to setting up Exceptions, I can understand struggling to find it.

Unfortunately, Anydesk seem to regularly add to this list (currently about 400 IPs) so it needs updating quite often. Would be nice if Sophos could just make inspection work with Anydesk.

Unfortunately https://community.sophos.com/sophos-xg-firewall/f/discussions/123967/how-to-allow-or-block-anydesk-when-using-tls-scanning is now locked, which is why you will have had to create a new post here.

If those providing answers read the original post, they will see this is nothing to do with URLs. Anydesk uses IP connections, not URLs for the remote access sessions, hence the need to create an IP list and exempt that from scanning, which is what the OP was asking about.

I'm glad you figured out how to do it hoosty. For those coming across this post as a search result, here is the rule I use (pick 'Rule and Policies' on the left, then the 'SSL/TLS inspection rules' on the top tab). It's very standard stuff, which is why I didn't put it in the original post, but if you aren't used to setting up Exceptions, I can understand struggling to find it.

Unfortunately, Anydesk seem to regularly add to this list (currently about 400 IPs) so it needs updating quite often. Would be nice if Sophos could just make inspection work with Anydesk.

So, you are saying the ip addresses are hardcoded into the application, so unless you update the application the IP address list doesn’t change.

ian

It wouldn't require an application update. You can have a mechanism in the software that retrieves an up to date IP list. The way Anydesk works is a pain. The fact Sophos doesn't work with Anydesk is a pain. I spent many, many hours getting the info I needed to create a working solution and it isn't a perfect because the IPs get added to quite regularly.

I've only come across one other piece of software that uses IP connections rather than URLs, DUO two factor authentication. Even then it was only for one of their modules. I did contact their tech support to see if they would rectify it but couldn't convince the level 1 technician, "we only use URLs". Life is too short so I just ended up creating an exception for the one IP it used.

There is an easier way to control anydesk using application control policy.

ian

Now that's an idea worth investigating. I've never used it but it has the potential to be a much better solution if it works. I'll try and find the time to have a look at it tomorrow.

Looks like there is no way to do it with application control.

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/118245/ssl-tls-inspection-rules-and-synchronized-applications/427939

This is not really an issue because TLS inspection does not work with this application, so try using application policy in a the web proxy, that is assuming he has a web proxy licence?

Ian

We're using DPI not Web Proxy

The question is, why do you want an exception in SSL/TLS (DPI) when there is no benefit because nothing is being scanned because DPI does not work with anydesk in the current version of XG? Whereas you can create an application policy for use with the web proxy.

Ian