Block incoming teamviewer
-
Dear folks!
I need to block incoming teamviewer connections, but allow outgoing connections.
I have read this: http://forum.pfsense.org/index.php/topic,22632.0.html, but it only discusses blocking everything. Essentially, I only want support people to be able to open a connection to other people's desktops, but disallow them creating TV sessions for someone else to log on to.
Has anyone dealt with this scenario before?
-
TV makes the outgoing connection to the TV servers, then the remote session comes back through this session. Not sure if you can allow for outgoing and block incoming.
I don't believe that is how TV works; there is no unsolicited inbound traffic that you could block. One of the main features of TV is the ability to control through a firewall without having to set up any rules. The service makes connections to the TV servers.
http://www.teamviewer.com/hi/kb/9-Does-it-work-behind-firewalls-proxy-server-and-NAT-routers.aspx
"TeamViewer will allow you to share your desktop over any kind of internet-/LAN-connection and over almost any firewall." Sure, you could block access to TV servers, they use ports 80 and 443, and alternatively 5938, but then you would not be able to make outbound connections if you did that.
-
If their protocol is transmitted in the clear (unencrypted), and the outbound control messages are distinguishable from the inbound control messages (you'd need to compare a capture of each) then it might be possible to write an L7 pattern to match and block.
Not exactly easy, but it's the only thing that comes to mind.
-
That's impossible to do at a network level; you can't decipher their encrypted traffic to tell what it's doing.
-
Yeah, the traffic is encrypted, that is for sure!
http://www.teamviewer.com/images/pdf/TeamViewer_SecurityStatement.pdf
-
So you don't want TV installed on any computers in your network, but you want to be able to access remote TV hosts for support?
Block TV completely via CIDRs, etc.
Use an SSH tunnel or VPN (redirect gateway option) to access TV externally from a completely different network.
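As an added illustration of the approach in the last post (this is not a ruleset from the thread or from pfSense itself), here is a pf.conf fragment of the kind pfSense generates from its LAN rules. It assumes the LAN interface is em1 and that the address table is populated from TeamViewer's published server ranges; the single entry shown is a TEST-NET placeholder, not a real TeamViewer address. Port 5938 is TeamViewer's dedicated port and can be dropped outright; the 80/443 fallback can only be blocked toward TeamViewer's own servers, otherwise ordinary web browsing breaks.

```pf
# Added example, not from the thread or from pfSense. Assumptions: LAN is em1,
# and <teamviewer_servers> is filled from TeamViewer's published address list.
lan_if = "em1"

# PLACEHOLDER entry (TEST-NET-1, RFC 5737). Replace with the real TV ranges.
table <teamviewer_servers> persist { 192.0.2.0/24 }

# TeamViewer's dedicated port: nothing else on the LAN should need it,
# so it can be refused everywhere. "return" makes the client fail fast
# instead of hanging on a silent drop.
block return in quick on $lan_if proto tcp from $lan_if:network to any port 5938

# Fallback on 80/443: block only toward TeamViewer's servers so normal
# web traffic is untouched.
block return in quick on $lan_if proto tcp from $lan_if:network \
    to <teamviewer_servers> port { 80, 443 }

# Everything else from the LAN passes as before.
pass in on $lan_if from $lan_if:network to any keep state
```

For the second half of the suggestion, the support workstation reaches TeamViewer from a different network by tunnelling all of its traffic: with OpenVPN, `redirect-gateway def1` in the client configuration pushes the default route through the tunnel, so TeamViewer's outbound connections originate from the remote network rather than from the blocked LAN. Reload the table whenever TeamViewer's published address list changes, or the 80/443 rule silently stops matching.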