×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

How to block Teamviewer,Logmein,GotoMyPC etc?

Answered Question
Nov 15th, 2011
User Badges:

Hello Everyone,


I am trying to block Teamviewer in our network using Cisco ASA. I blocked port 5938 but it dynamically connected to on port 443 which is https. I even tried blocking via the regex way but could not stop the connection.

My conclusion, since it falls back to https blocking it from the firewall becomes all the more difficult as it wont do https inspection. I guess IPS also will fail to inspect https.

Other option would be through Microsoft GPO, but this would be my last option. Is there an alternate solution to accomplish this task?


Regards

Correct Answer by mirober2 about 5 years 9 months ago

Hi Sundeep,


As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.


The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).


Hope that helps.


-Mike

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
mirober2 Thu, 11/17/2011 - 07:55
User Badges:
  • Cisco Employee,

Hi Sundeep,


As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.


The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).


Hope that helps.


-Mike

alain Fremont Tue, 12/20/2011 - 05:39
User Badges:

I have just the same topic to solve.

For now, I am using a squid proxy to filter specific dstdomains, such as  .teamviewer.com or by means of RegEx acls

But I am expecting to solve it across ASA with IDS/IPS signatures


Do you jnow if it is possible ?


Thanks

Alain

raga.fusionet Tue, 12/20/2011 - 12:29
User Badges:
  • Silver, 250 points or more

Kind of an old thread but if your hardware allows it you might wan to consider installing a CSC module on your ASA, the CSC will allow you to block a particular category that involves all these remote controll programs:


Category Group: Internet Security

Category Type: Remote Access Program

Definition: Sites that provide tools for remotely monitoring and controlling computers


http://www.cisco.com/en/US/products/ps6823/index.html


http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html#wp1065979


HTH.


Raga

Sundeep Dsouza Wed, 12/21/2011 - 22:05
User Badges:

Hi Luis,


I dont think CSC can inspect HTTPS traffic, I did a little bit of reading on it and came across that CSC cant inspect https. However as Marvin pointed out, Ironport WSA can. I have also tried it with Microsofts TMG and it is very effective.

mirober2 Thu, 12/22/2011 - 06:05
User Badges:
  • Cisco Employee,

Hi Sundeep,


The CSC module can filter HTTPS traffic in the latest version (6.6.1125.0).


-Mike

Marvin Rhoads Tue, 12/20/2011 - 12:39
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

The Cisco Ironport WSA (web proxy device) can do this also.

alain Fremont Thu, 12/22/2011 - 09:25
User Badges:

anyway, my purpose would be to detect any resident exe which could connect by itself and open a backdoor from inside to outside

Since port 80 is widely available for internet access, does IDS (AIM-SSM) able to get this info ?

raga.fusionet Thu, 12/22/2011 - 09:29
User Badges:
  • Silver, 250 points or more

Alain,


If you are looking for a way to block the actual .exe on the user's machine what you really need is a Host IPS.


Regards.

szamin125 Tue, 01/03/2012 - 04:26
User Badges:

Hi Guys,


i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...


is there any update ...any solution?.



Regards

Sher

szamin125 Tue, 01/03/2012 - 04:28
User Badges:

Hi Guys,


i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...


is there any update ...any solution?.



Regards

Sher

saitelhadj1 Wed, 11/30/2016 - 04:30
User Badges:

Hello, 

Actually I blocked the TeamViewer on WSA by blocking the applications for presentation/conferencing also the 5938 port is blocked on firewall but the application still able to connect. 



Ramraj Sivagnan... Sat, 07/28/2012 - 13:00
User Badges:
  • Silver, 250 points or more

Hi Bro

TeamViewer (TV) is application that used to create remote access connection to PC anywhere. Even if the PC located behind the firewall. TV client using port 80 for the outbound connection, it is difficult to block using port basis. So, because TV client must be connected first to the TV server, we can use another aproach, that is blocking every dns request for the *.teamviewer.com and/or *.dyngate.com.


So, these are the configuration if we use Cisco ASA Firewall (i am using OS ver 8.x):


regex TV-RGX “\.teamviewer\.com”

regex DG-RGX “\.dyngate\.com”


class-map type regex match-any TV-CLS

match regex DG-RGX

match regex TV-RGX


policy-map type inspect dns TV-PLC

parameters

message-length maximum 512

match domain-name regex class TV-CLS

drop


policy-map global_policy

class inspection_default

inspect dns TV-PLC


service-policy global_policy global




P/S: If you think this comment is useful, please do rate them nicely :-)

Actions

This Discussion