I'm trying to get AnyDesk running with TLS inspection. I've read this post: https://community.sophos.com/sophos-xg-firewall/f/discussions/123967/how-to-allow-or-block-anydesk-when-using-tls-scanning
I created an IP list with all the AnyDesk servers, but where can I define the exception?
I did not create this entry, it came default on the XG.
If you need an exception then you do not need to use the DPI engine.
Unfortunately https://community.sophos.com/sophos-xg-firewall/f/discussions/123967/how-to-allow-or-block-anydesk-when-using-tls-scanning is now locked, which is why you will have had to create a new post here.
If those providing answers read the original post, they will see this is nothing to do with URLs. Anydesk uses IP connections, not URLs for the remote access sessions, hence the need to create an IP list and exempt that from scanning, which is what the OP was asking about.
I'm glad you figured out how to do it, hoosty. For those coming across this post as a search result, here is the rule I use (pick 'Rules and policies' on the left, then the 'SSL/TLS inspection rules' tab at the top). It's very standard stuff, which is why I didn't put it in the original post, but if you aren't used to setting up exceptions, I can understand struggling to find it.
Unfortunately, Anydesk seem to regularly add to this list (currently about 400 IPs) so it needs updating quite often. Would be nice if Sophos could just make inspection work with Anydesk.
There is an easier way to control anydesk using application control policy.
Now that's an idea worth investigating. I've never used it but it has the potential to be a much better solution if it works. I'll try and find the time to have a look at it tomorrow.
Looks like there is no way to do it with application control.
This is not really an issue because TLS inspection does not work with this application, so try using an application policy in the web proxy, that is, assuming he has a web proxy licence?
We're using DPI, not Web Proxy.
The question is, why do you want an exception in SSL/TLS (DPI) when there is no benefit because nothing is being scanned because DPI does not work with anydesk in the current version of XG? Whereas you can create an application policy for use with the web proxy.