Customer is not able to run Anydesk application behind ProxySG/EdgeSWG
ProxySG/EdgeSWG
Anydesk ports: 7070, 443, 80, 6568 (https://support.anydesk.com/knowledge/firewall)
Anydesk > Configuration > Connectivity
To see where the ProxySG is blocking the traffic, take a Policy Trace and a Packet Capture while reproducing the problem from the test client:
TEST CLIENT: x.x.x.x
POLICY TRACE CPL CODE:
<ssl-intercept>
client.address=x.x.x.x trace.destination(Trace1) trace.request(yes)
<proxy>
client.address=x.x.x.x trace.destination(Trace1) trace.request(yes)
The Policy Trace can then be searched (CTRL+F in a text editor, case-insensitive) for the string User-Agent: Anydesk to find the AnyDesk transactions, and each of those checked for a DENIED verdict.
PROXYSG PACKET CAPTURE (filter expression; note that the port 80 and port 443 terms match every client's web traffic, so on a busy proxy limit the capture to the test client, e.g. ip host x.x.x.x and (port 80 or port 443 or port 6568), to keep it small):
ip host x.x.x.x or ip host anydesk.com or ip host net.anydesk.com or port 80 or port 443 or port 6568 or ip host 85.25.103.30 or ip host 78.46.49.23 or ip host 176.9.17.73 or ip host 217.182.197.144 or ip host 194.71.18.111 or ip host 5.9.105.232 or ip host 176.9.65.111
The capture can be searched in Wireshark (Edit > Find Packet, searching Packet details for the string anydesk.com) to find the corresponding URLs and host names of the AnyDesk connections.
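Searching a large trace by hand is tedious, so here is an added example (not part of this article or of ProxySG) that does the triage described above: it splits a policy trace into transactions, keeps those whose User-Agent mentions AnyDesk and reports the ones that ended in DENIED together with the client and URL. It assumes each transaction is bracketed by lines beginning with "start transaction" and "end transaction", that trace.request(yes) included the request headers, and that verdicts appear as DENIED/DENY or ALLOWED/ALLOW tokens; the sample trace embedded below is constructed. Verify these assumptions against your own trace output before relying on the result.

```python
"""Triage a ProxySG policy trace for AnyDesk transactions that ended in DENIED.

Added example, not part of the original article or of ProxySG.
Assumptions: transactions are bracketed by 'start transaction' / 'end transaction'
lines, request headers are present (trace.request(yes)), and verdicts show up as
DENIED/DENY or ALLOWED/ALLOW tokens. Check this against a real trace first.
"""
import re
from typing import Dict, List

START_RE = re.compile(r"^\s*start transaction", re.IGNORECASE)
END_RE = re.compile(r"^\s*end transaction", re.IGNORECASE)
UA_RE = re.compile(r"^\s*User-Agent:\s*(.+?)\s*$", re.IGNORECASE)
URL_RE = re.compile(r"^\s*url:\s*(\S+)", re.IGNORECASE)
CLIENT_RE = re.compile(r"client\.address=(\S+)")
VERDICT_RE = re.compile(r"\b(DENIED|DENY|ALLOWED|ALLOW)\b")

# Constructed sample trace in the assumed layout; not real ProxySG output.
SAMPLE_TRACE = """\
start transaction -------------------
  CPL Evaluation Trace:
    <Proxy>
      MATCH:   url.domain=//net.anydesk.com/ DENY
  connection: service.name=Explicit HTTP client.address=10.10.10.5 proxy.port=8080
  url: http://boot.net.anydesk.com/
  request headers:
    GET / HTTP/1.1
    Host: boot.net.anydesk.com
    User-Agent: AnyDesk/x.y.z
  DENIED
end transaction --------------------
start transaction -------------------
  CPL Evaluation Trace:
    <Proxy>
      MATCH:   client.address=10.10.10.5 ALLOW
  connection: service.name=Explicit HTTP client.address=10.10.10.5 proxy.port=8080
  url: https://www.example.com/
  request headers:
    User-Agent: Mozilla/5.0 (constructed)
  ALLOWED
end transaction --------------------
"""


def split_transactions(trace: str) -> List[List[str]]:
    """Return the body lines of every start/end transaction block in the trace."""
    blocks: List[List[str]] = []
    current: List[str] = []
    inside = False
    for line in trace.splitlines():
        if START_RE.match(line):
            current, inside = [], True
        elif END_RE.match(line):
            if inside:
                blocks.append(current)
            inside = False
        elif inside:
            current.append(line)
    return blocks


def summarize(block: List[str]) -> Dict[str, str]:
    """Extract client, URL, User-Agent and the last verdict seen in one block."""
    info = {"client": "", "url": "", "user_agent": "", "verdict": "UNKNOWN"}
    for line in block:
        if m := UA_RE.match(line):
            info["user_agent"] = m.group(1)
        elif m := URL_RE.match(line):
            info["url"] = m.group(1)
        if m := CLIENT_RE.search(line):
            info["client"] = m.group(1)
        # Each matching rule is listed in evaluation order; the last verdict
        # token in the block is taken as the effective one (assumption).
        for verdict in VERDICT_RE.findall(line):
            info["verdict"] = "DENIED" if verdict.startswith("DEN") else "ALLOWED"
    return info


def denied_anydesk(trace: str, ua_marker: str = "anydesk") -> List[Dict[str, str]]:
    """Transactions whose User-Agent mentions AnyDesk and whose verdict is DENIED."""
    return [
        s for s in map(summarize, split_transactions(trace))
        if ua_marker in s["user_agent"].lower() and s["verdict"] == "DENIED"
    ]


if __name__ == "__main__":
    for hit in denied_anydesk(SAMPLE_TRACE):
        print(f"{hit['client']} -> {hit['url']} DENIED ({hit['user_agent']})")
```

Run it against the exported trace file by replacing SAMPLE_TRACE with the file's contents; every reported URL is a destination to add to the Anydesk_links / Anydeskurl condition or a rule earlier in the policy that needs an exception.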
Add the following modified CPL code (based on article 167379) to the ProxySG.
Replace client.address=<client-ip-address> with your own client IP list. Note that these rules deliberately turn off server certificate validation, ICAP scanning, protocol detection and SSL interception for the AnyDesk destinations, so keep the destination list as tight as possible and restrict the source condition to the clients that actually need AnyDesk.
METHOD A:
Define the Web Access Layer rule via VPM:
Source: authenticated user or group, e.g. ADGROUP/admins
Destination: Combined object consisting of the AnyDesk request URLs/IPs, e.g. Anydesk_links
Service: Any
Action: ALLOW
Then add a new CPL Layer via VPM containing the following additional settings:
<SSL>
condition=Anydesk_links server.certificate.validate(no)
<cache>
condition=Anydesk_links pipeline(no) cache(no)
<cache>
condition=Anydesk_links request.icap_service(no) response.icap_service(no)
<proxy>
condition=Anydesk_links detect_protocol(none)
<ssl-intercept>
condition=Anydesk_links ssl.forward_proxy(no)
<proxy>
condition=Anydesk_links http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup(ipv4-only)
METHOD B: CPL CODE BYPASS PER IP ADDRESS
; ################# ANYDESK BYPASS START #################
<proxy>
condition=AllowAnydeskUser condition=Anydeskurl authenticate(no) ALLOW
<SSL>
condition=Anydeskurl server.certificate.validate(no)
<cache>
condition=Anydeskurl pipeline(no) cache(no)
<cache>
condition=Anydeskurl request.icap_service(no) response.icap_service(no)
<proxy>
condition=Anydeskurl detect_protocol(none)
<ssl-intercept>
condition=Anydeskurl ssl.forward_proxy(no)
<proxy>
condition=Anydeskurl http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup(ipv4-only)
; Define client IP addresses (hosts or subnets) allowed to access Anydesk
define condition AllowAnydeskUser
client.address=<client-ip-address>
end condition AllowAnydeskUser
; Define Anydesk URLs
define condition Anydeskurl
url.domain=anydesk.com
url.domain=net.anydesk.com
url.domain=boot.net.anydesk.com
url.domain=relays.net.anydesk.com
url.domain=boot-01.net.anydesk.com
url.domain=boot-02.net.anydesk.com
url.address=37.59.29.33/32
url.address=92.223.88.41/32
url.address=185.229.191.44/32
url.address=85.25.103.30/32
url.address=78.46.49.23/32
url.address=176.9.17.73/32
url.address=217.182.197.144/32
url.address=194.71.18.111/32
url.address=5.9.105.232/32
url.address=176.9.65.111/32
url.address=203.17.244.57/32
end condition Anydeskurl
; ################# ANYDESK BYPASS END #################
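Because the client and destination lists in Method B are the part that changes (the note above says to replace client.address with your own IP list, and AnyDesk's relay addresses are maintained in the linked firewall article), the following added example (not part of this article or of ProxySG) generates the Method B fragment from Python lists. It emits the same layers and condition names (AllowAnydeskUser, Anydeskurl) as the CPL above; the function names, the domain regex and the sample lists under main() are my own, and every address is validated with the standard ipaddress module so a typo cannot silently widen the bypass.

```python
"""Generate the Method B AnyDesk bypass CPL from maintained client/destination lists.

Added example, not part of the original article or of ProxySG. The layer lines
are copied from Method B; the condition bodies are generated from validated input.
"""
import ipaddress
import re
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # hostname shape check (mine)

# The bypass layers exactly as in Method B; only the condition bodies are generated.
BYPASS_LAYERS = """\
<proxy>
condition=AllowAnydeskUser condition=Anydeskurl authenticate(no) ALLOW
<SSL>
condition=Anydeskurl server.certificate.validate(no)
<cache>
condition=Anydeskurl pipeline(no) cache(no)
<cache>
condition=Anydeskurl request.icap_service(no) response.icap_service(no)
<proxy>
condition=Anydeskurl detect_protocol(none)
<ssl-intercept>
condition=Anydeskurl ssl.forward_proxy(no)
<proxy>
condition=Anydeskurl http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup(ipv4-only)"""


def _networks(entries: Iterable[str]) -> List[Network]:
    """Parse hosts/CIDRs, reject junk (ValueError), drop duplicates, stable order."""
    nets = {ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def client_condition(clients: Iterable[str]) -> str:
    """define condition AllowAnydeskUser: one client.address line per host or subnet."""
    lines = ["; Define client IP addresses allowed to access Anydesk",
             "define condition AllowAnydeskUser"]
    for n in _networks(clients):
        is_host = n.prefixlen == n.max_prefixlen
        lines.append(f"client.address={n.network_address if is_host else n.with_prefixlen}")
    lines.append("end condition AllowAnydeskUser")
    return "\n".join(lines)


def destination_condition(domains: Iterable[str], addresses: Iterable[str]) -> str:
    """define condition Anydeskurl: url.domain entries plus url.address entries with prefix."""
    lines = ["; Define Anydesk URLs", "define condition Anydeskurl"]
    seen = set()
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not d or d in seen:
            continue
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a valid domain name: {d!r}")
        seen.add(d)
        lines.append(f"url.domain={d}")
    for n in _networks(addresses):
        lines.append(f"url.address={n.with_prefixlen}")  # /32 form, as in the article
    lines.append("end condition Anydeskurl")
    return "\n".join(lines)


def build_bypass(clients: Iterable[str], domains: Iterable[str],
                 addresses: Iterable[str]) -> str:
    """Full CPL fragment: layers first, then the condition definitions, as in Method B."""
    return "\n".join([
        "; ################# ANYDESK BYPASS START #################",
        BYPASS_LAYERS,
        client_condition(clients),
        destination_condition(domains, addresses),
        "; ################# ANYDESK BYPASS END #################",
    ]) + "\n"


if __name__ == "__main__":
    # Sample lists (constructed); replace with your own client inventory and the
    # current AnyDesk destinations from the firewall article linked above.
    print(build_bypass(
        clients=["10.10.10.5", "10.10.10.5", "10.20.0.0/24"],
        domains=["anydesk.com", "net.anydesk.com", "boot.net.anydesk.com"],
        addresses=["85.25.103.30", "5.9.105.232/32"],
    ))
```

Paste the printed fragment into the ProxySG policy file (or a CPL layer in VPM) in place of the hand-maintained block; re-run the script whenever the client list or the AnyDesk address list changes so the bypass never grows wider than the inventory you actually reviewed.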
Please also ensure that the upstream devices (firewall, next-hop proxy) allow the same destinations and ports.
Please note that Anydesk first establishes a connection to boot.net.anydesk.com and then chooses the closest relay, so the boot host must be reachable before any relay address matters.