Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

How to block Teamviewer,Logmein,GotoMyPC etc?

Hello Everyone,

I am trying to block Teamviewer in our network using Cisco ASA. I blocked port 5938 but it dynamically connected to on port 443 which is https. I even tried blocking via the regex way but could not stop the connection.

My conclusion, since it falls back to https blocking it from the firewall becomes all the more difficult as it wont do https inspection. I guess IPS also will fail to inspect https.

Other option would be through Microsoft GPO, but this would be my last option. Is there an alternate solution to accomplish this task?

Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Sundeep,

As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.

The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).

Hope that helps.

-Mike

12 REPLIES
Cisco Employee

How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Sundeep,

As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.

The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).

Hope that helps.

-Mike

Community Member

How to block Teamviewer,Logmein,GotoMyPC etc?

I have just the same topic to solve.

For now, I am using a squid proxy to filter specific dstdomains, such as  .teamviewer.com or by means of RegEx acls

But I am expecting to solve it across ASA with IDS/IPS signatures

Do you jnow if it is possible ?

Thanks

Alain

How to block Teamviewer,Logmein,GotoMyPC etc?

Kind of an old thread but if your hardware allows it you might wan to consider installing a CSC module on your ASA, the CSC will allow you to block a particular category that involves all these remote controll programs:

Category Group: Internet Security

Category Type: Remote Access Program

Definition: Sites that provide tools for remotely monitoring and controlling computers

http://www.cisco.com/en/US/products/ps6823/index.html

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html#wp1065979

HTH.

Raga

Community Member

How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Luis,

I dont think CSC can inspect HTTPS traffic, I did a little bit of reading on it and came across that CSC cant inspect https. However as Marvin pointed out, Ironport WSA can. I have also tried it with Microsofts TMG and it is very effective.

Cisco Employee

How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Sundeep,

The CSC module can filter HTTPS traffic in the latest version (6.6.1125.0).

-Mike

Hall of Fame Super Silver

How to block Teamviewer,Logmein,GotoMyPC etc?

The Cisco Ironport WSA (web proxy device) can do this also.

Community Member

How to block Teamviewer,Logmein,GotoMyPC etc?

anyway, my purpose would be to detect any resident exe which could connect by itself and open a backdoor from inside to outside

Since port 80 is widely available for internet access, does IDS (AIM-SSM) able to get this info ?

How to block Teamviewer,Logmein,GotoMyPC etc?

Alain,

If you are looking for a way to block the actual .exe on the user's machine what you really need is a Host IPS.

Regards.

Community Member

How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Guys,

i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...

is there any update ...any solution?.

Regards

Sher

Community Member

Re: How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Guys,

i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...

is there any update ...any solution?.

Regards

Sher

Community Member

Hello, 

Hello, 

Actually I blocked the TeamViewer on WSA by blocking the applications for presentation/conferencing also the 5938 port is blocked on firewall but the application still able to connect. 

How to block Teamviewer,Logmein,GotoMyPC etc?

Hi Bro

TeamViewer (TV) is application that used to create remote access connection to PC anywhere. Even if the PC located behind the firewall. TV client using port 80 for the outbound connection, it is difficult to block using port basis. So, because TV client must be connected first to the TV server, we can use another aproach, that is blocking every dns request for the *.teamviewer.com and/or *.dyngate.com.

So, these are the configuration if we use Cisco ASA Firewall (i am using OS ver 8.x):

regex TV-RGX “\.teamviewer\.com”

regex DG-RGX “\.dyngate\.com”

class-map type regex match-any TV-CLS

match regex DG-RGX

match regex TV-RGX

policy-map type inspect dns TV-PLC

parameters

message-length maximum 512

match domain-name regex class TV-CLS

drop

policy-map global_policy

class inspection_default

inspect dns TV-PLC

service-policy global_policy global

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
47886
Views
0
Helpful
12
Replies
CreatePlease to create content