This article applies to:

• WF - All Versions
• WFR - All Versions

Question:

• How do I block Teamviewer software on the web filter?

Procedure:

Web Filter is a TCP based filter, so it is only able to block TCP packets. The filter can block navigation to the teamviewer.com website since the connection is made over TCP. However, the Teamviewer client also uses UDP. Any UDP based application is out of scope of the filter's design.

To block applications that use UDP traffic you can control application installation via user policies, or block the UDP packets from the application on the firewall. Another option is to combine Web Filter with other Trustwave products which are capable of filtering UDP traffic.

Diagnosing UDP Ports To Block:

The procedure below is a suggested starting point to help you determine the ports in use. You may need to experiment to use the procedure in your network environment.

• Run Wireshark on a workstation that has a connection to teamviewer.  This workstation should be inside your network.
• Have the connecting host from outside of the network provide their IP address (they can determine this by navigating to whatismyip.com). You can use the IP address as a filter in Wireshark to see only the traffic to this IP using the following filter: 
  
      ip.addr==[external address] && udp
  
  For example:
  
       ip.addr==203.0.113.1 && udp
  
• If the connection is local, use the internal IP to filter.
• You should be able to deduce from the output which packets are generated by Teamviewer. On the packet details pane you will see an entry similar to:
   
  User Datagram Protocol, Src Port: mapper-ws-ethd (3986), Dst Port:56869 (56869)
   
• Blocking the non-ephemeral port at the firewall should stop the teamviewer traffic. However, if teamviewer changes the UDP port, you will need to run the same test and continue this process until no connections are established.  

Notes:

You can use this same procedure to try stopping connections from other UDP based applications.