Is there a way to allow TeamViewer access to only a specified IP through the MX? Due to our situation my ability to manage this software and the systems this is on is extremely limited. Was hoping for a way to try and secure it through the network.
For situations like this, where a vendor needs remote access to their equipment, we would typically require that they have their own internet connection and firewall. If that isn't possible or feasible, we would isolate all of their equipment in a separate zone from ours and create firewall rules to allow communication between zones as needed. Other times we would piggy-back onto a client network but we always had an isolated L2 VLAN.
YMMV but I think as it stands, you're kind of stuck without rearranging the network.
You're trying to restrict Teamviewer to access only a single device on the LAN? Or from LAN to WAN?
Teamviewer connects on port 5938, but also tunnels via ports 80 & 443. IIRC it is tricky to block Teamviewer without blocking internet access to those clients, I'm curious how others do it.
What is the problem you're trying to solve?
Trying to block WAN to LAN Teamviewer access from all but one remote IP.
I work in the energy industry. Coal cleaning plants, power plants, mines, etc. all have custom built sensor equipment and software that runs each location. I need to allow TeamViewer access so they can remote in and fix issues with software and diagnose hardware issues but need to limit access from only their IP.
Teamviewer uses hole-punching for its standard mechanism. Basically everything is outgoing connections. The connection can fall back to port 80 so it will be difficult to block all these connections without blocking other stuff.
There are two options:
And block the "normal" teamviewer by denying connections to DST IP teamviewer.com with the L3 firewall. Note that this will also block access to the teamviewer website.
But from a security standpoint I really don't stand behind any of this. You should think about a VPN solution to allow remote access to machinery.
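An added example (not from this thread or from Meraki) showing the two points above in code: a first-match rule set shaped like MX L3 outbound rules that isolates the vendor VLAN from the rest of the LAN and denies TeamViewer by destination rather than by port, evaluated locally against sample flows. The VLAN ranges and the single FQDN are constructed assumptions; a real deployment would also need every destination TeamViewer uses, which this does not enumerate.

```python
"""Evaluate a Meraki-style L3 outbound rule set against sample flows.
Constructed example: the ranges, hostname and rule text are assumptions."""
import ipaddress

SENSOR_VLAN = "192.168.50.0/24"  # assumed: isolated VLAN for vendor equipment
CORP_LAN = "10.0.0.0/8"          # assumed: everything else on site
TEAMVIEWER = "teamviewer.com"    # FQDN destination, as the post suggests

# Same field names as Meraki L3 firewall rules; evaluated first-match.
RULES = [
    {"comment": "Sensor VLAN must not reach corporate LAN", "policy": "deny",
     "protocol": "any", "srcCidr": SENSOR_VLAN, "destCidr": CORP_LAN,
     "destPort": "any"},
    {"comment": "Block TeamViewer by destination, not by port",
     "policy": "deny", "protocol": "any", "srcCidr": SENSOR_VLAN,
     "destCidr": TEAMVIEWER, "destPort": "any"},
    {"comment": "Default allow", "policy": "allow", "protocol": "any",
     "srcCidr": "any", "destCidr": "any", "destPort": "any"},
]


def _matches(field, value):
    """True if `value` (an IP or hostname) falls under a rule field."""
    if field == "any":
        return True
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    except ValueError:
        # Simplification: the MX resolves FQDN rules via DNS; here we
        # just compare the hostname string.
        return field.lower() == str(value).lower()


def evaluate(src_ip, dest, dest_port):
    """Return (policy, comment) of the first rule matching the flow."""
    for rule in RULES:
        port_ok = rule["destPort"] == "any" or int(rule["destPort"]) == dest_port
        if (_matches(rule["srcCidr"], src_ip)
                and _matches(rule["destCidr"], dest) and port_ok):
            return rule["policy"], rule["comment"]
    return "allow", "implicit default"


if __name__ == "__main__":
    # Port 443 is denied too: the TeamViewer website is blocked as a side effect.
    for flow in [("192.168.50.7", TEAMVIEWER, 5938), ("192.168.50.7", TEAMVIEWER, 443),
                 ("192.168.50.7", "10.0.1.5", 445), ("192.168.50.7", "8.8.8.8", 443)]:
        print(flow, "->", evaluate(*flow))
```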
Ah, okay.
I use Teamviewer in my org, but I control access via Teamviewer itself. All of my clients have Teamviewer Host which is assigned to a management group with easy access. I just make sure all of the management accounts have 2FA. For sensitive devices, I restrict access to specific hosts in Teamviewer settings.
Otherwise, I think a more elegant solution would be to set Teamviewer to allow only LAN connections, and use a site-to-site VPN. I'd imagine you have a LOT of remote sites however.
I had understood the situation, the explanation was good enough :). My workarounds are still valid.
From a security standpoint the least you can do is segment that device thoroughly from the rest of the network. If your supplier is willing to take that risk, fine, if their machine gets hacked it's on them. But at least make sure the rest of your network is secure.