Allow TeamViewer for single remote IP

SOLVED
TimBisel
Getting noticed

Allow TeamViewer for single remote IP

Is there a way to allow TeamViewer access to only a specified IP though the MX? Do to our situation my ability to manage this software and the systems this is on is extremely limited. Was hoping for a way to try and secure it through the network.

1 ACCEPTED SOLUTION
kordm
Getting noticed

For situations like this, where a vendor needs remote access to their equipment, we would typically require that they have their own internet connection and firewall. If that isn't possible or feasible, we would isolate all of their equipment in a separate zone from ours and create firewall rules to allow communication between zones as needed. Other times we would piggy-back onto a client network but we always had an isolated L2 VLAN.

 

YMMV but I think as it stands, you're kind of stuck without rearranging the network.

View solution in original post

7 REPLIES 7
kordm
Getting noticed

You're trying to restrict Teamviewer to access only a single device on the LAN? Or from LAN to WAN?

 

Teamviewer connects on port 5938, but also tunnels via ports 80 & 443. IIRC it is tricky to block Teamviewer without blocking internet access to those clients, I'm curious how others do it.

 

What is the problem you're trying to solve?

TimBisel
Getting noticed

Trying to block WAN to LAN Teamviewer access from all but one remote IP.

 

I work in the energy industry. Coal cleaning plants, power plants, mines, etc. all have custom built sensor equipment and software that runs each location. I need to allow team viewer access so they can remote in and fix issues with software and diagnose hardware issues but need to limit access from only their IP.

Teamviewer uses hole-punching for it's standard mechanism. Basically everything is outgoing connections. The connection can fall back to port 80 so it will be difficult to block all these connections without blocking other stuff.

 

 

There are two options:

 

  • You can configure black and whitelisting in the teamviewer instance running on your senser equipment. See this link: https://community.teamviewer.com/t5/Knowledge-Base/How-can-I-restrict-access-for-TeamViewer-connecti...
    But it's not IP-address based, it's TeamviewerID based. That might be an option.
  • Another solution would be to only use teamviewers "LAN-based" option. To do that you could setup port forwarding like this:

    port_forwarding.PNGAnd block the "normal" teamviewer by denying connections to DST IP teamviewer.com with the L3 firewall. Note that this will also block access to the teamviewer website.

But from a security standpoint I really don't stand behind any of this. You should think about a VPN solution to allow remote access to machinery.

 

kordm
Getting noticed

Ah, okay.

 

I use Teamviewer in my org, but I control access via Teamviewer itself. All of my clients have Teamviewer Host which is assigned to a management group with easy access. I just make sure all of the management accounts have 2FA. For sensitive devices, I restrict access specific hosts in Teamviewer settings.

 

Otherwise, I think a more elegant solution would be to set Teamviewer to allow only LAN connections, and use a site-to-site VPN. I'd imagine you have a LOT of remote sites however.

TimBisel
Getting noticed

Sorry, good ideas everyone but I didn't explain good enough. The Team viewer instances are used only by the company who designed and made the hardware, we internally use Bomgar for remote support. This is where out issues start to come in because we need to secure the rest of the network from the window we opened to allow remote connection to the control computers to manage the custom equipment for the site.

I had understood the situation, the explanation was good enough :). My workarounds are still valid.

 

From a security standpoint the least you can do is segment that device thoroughly from the rest of the network. If your supplier is willing to take that risk, fine, if their machine gets hacked it's on them. But at least make sure the rest of your network is secure.

kordm
Getting noticed

For situations like this, where a vendor needs remote access to their equipment, we would typically require that they have their own internet connection and firewall. If that isn't possible or feasible, we would isolate all of their equipment in a separate zone from ours and create firewall rules to allow communication between zones as needed. Other times we would piggy-back onto a client network but we always had an isolated L2 VLAN.

 

YMMV but I think as it stands, you're kind of stuck without rearranging the network.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels