Posted by Photon

TeamViewer cannot connect to remote computers on tightly locked down network

Hello TeamViewer Community,
 
We are moving our equipment to a new location and the policy at the new location is very strict, especially on our subnets used to produce our media content.  We will only allow access from behind the firewall to known servers.  I have read elsewhere online at https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139 and https://community.teamviewer.com/t5/TeamViewer-12/Manually-allow-teamviewer-on-NG-next-generation-fi... that TeamViewer's solution is to allow access on port 5938 (TCP) to ALL servers worldwide.  That solution does not work for us at that location.
 
I also noticed that you can specify the server(s) to use in Extras->Advanced->Teamviewer Servers. During our testing, if we put the routing server IP addresses there then it worked, but it still hung on the keep-alive server. The master servers work because the client must do a DNS lookup prior to connecting. Although not ideal, as we would have to go to all the client machines and make the change, can we set up the clients to always use the same servers when connecting? Or if you (TeamViewer (TV)) will not release a list of IP addresses, can you release a list of FQDNs for us to put in the firewall? *.teamviewer does not work in our firewall unless the software actually does a DNS query for the server based on the FQDN. Since it appears that after connecting to the master server, the TV client receives an IP address and then attempts to connect without first doing a DNS query on the FQDN, the firewall is dropping it. See https://support.sonicwall.com/kb/sw10756 for more information on how it functions on the firewall.
 
Any help to allow us to still use Teamviewer as our remote access software would be greatly appreciated!
 
Thanks for your assistance,
Bill
---------------------------------------------------------------------------
The following are back & forth responses between TV Support and me, Bill.
--------------------------------------------------------------------------------
Dear Bill,
 
Please find below our new public IPs as well as the FQDNs, to be sure they are whitelisted:
 
FQDNs: 
 
IPv4: 
185.188.32.1 – 185.188.32.6 via ports TCP/5938, TCP/80, TCP/443
185.188.32.11 – 185.188.32.16 via ports UDP/5938
 
IPv6:
2a0b:b580:0:1::1 - 2a0b:b580:0:1::6 via ports TCP/5938, TCP/80, TCP/443
----------------------------------------------------------------
Dear Support,
 
I have whitelisted the above FQDN and the IP addresses, but we are still not able to connect.
 
I have attached wireshark to monitor the network traffic and this is what happens:
 
1. Open Teamviewer (TV)
2. TV sends a DNS query for master1.teamviewer.com
3. Response from DNS server is 185.188.32.1
4. Connection is established with 185.188.32.1
5. After this connection is established, an additional IP request is attempted to 50.22.136.116
6. This is blocked by the firewall since no DNS query was made for a FQDN to match it with our address objects which are whitelisted.
7. This is requested a few times.
8. A few seconds later a request is made to 50.22.136.101
9. This is blocked by the firewall since no DNS query was made for a FQDN to match it with our address objects which are whitelisted.
10. This is requested a few times.
11. TV reports an error connecting.
 
As I mentioned in my original request (see below), the SonicWall firewall will process whitelisted objects of the form *.teamviewer.com only if a DNS query is made for the FQDN. Therefore, even though a reverse IP query of 50.22.136.116 produces server18308.teamviewer.com, the firewall does not know that it belongs to *.teamviewer.com since there was not a DNS query for server18308.teamviewer.com prior to attempting to connect to the server.
 
As mentioned in my original request, would it be possible to force all of our machines to use the same servers so that we can whitelist those servers?
 
Bill
------------------------------------------------------------------
There is not a way to specify a single server. 
 
If you are seeing the local keep alive servers then those are fine to add to the whitelist.
---------------------------------------------------------------------------
Would it be possible to provide us with the servers with names serverXXXXX.teamviewer.com (e.g. server18308.teamviewer.com)?
 
Thanks,
 
Bill
-----------------------------------------------------------------------
Dear Bill,
There are over 4000 individual server names that could be included. You would connect to only a small handful, as the ones you are mentioning are the local keep-alive servers.
 
I would look at the logs of the blocks and whitelist the ones you see as that will be easier than the whole list that is not needed.
--------------------------------------------------------
What do other companies do who have similar security policies which specify that they must individually specify servers to which they connect?
 
And, once again as mentioned in the first post, there is an option in the software under "Extras->Advanced->Teamviewer Servers". What is the purpose of this option if it is not to specify the servers to which to connect? That seems like the answer for us.
 
Thanks for your help,
 
Bill
---------------------------------------
As of July 6th, 2017, when I posted this topic, there has been no further response from TV Support.
Bill
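The triage Support suggests above (read the firewall's block log and allow what you see) combined with the reverse lookup Bill describes, as an added example that is not part of this thread: it pulls blocked destination addresses out of constructed log lines, separates those already inside the ranges Support published from those that need a lookup, and only treats an address as TeamViewer's when its PTR name also resolves forward to that same address (a PTR record alone is controlled by whoever holds the address block). The log format, the DNS answers, and every name other than server18308.teamviewer.com are constructed; the lookup functions are injected so the example runs offline.

```python
import ipaddress
import re
# Address ranges quoted from the Support reply earlier in this thread.
PUBLISHED_RANGES = [("185.188.32.1", "185.188.32.6"),
                    ("185.188.32.11", "185.188.32.16"),
                    ("2a0b:b580:0:1::1", "2a0b:b580:0:1::6")]
def in_published_ranges(ip):
    addr = ipaddress.ip_address(ip)
    for start, end in PUBLISHED_RANGES:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def classify_blocked(log_text, reverse_lookup, forward_lookup, domain="teamviewer.com"):
    """Map each distinct blocked destination IP to a verdict string.
    reverse_lookup(ip) -> PTR name or None; forward_lookup(name) -> set of IPs.
    With real DNS these would wrap socket.gethostbyaddr / socket.getaddrinfo."""
    ips = [m.group(1).strip("[]")  # IPv6 destinations are logged as [addr]:port
           for m in re.finditer(r"dst=(\S+):\d+\b", log_text)]
    verdicts = {}
    for ip in dict.fromkeys(ips):  # distinct, in first-seen order
        if in_published_ranges(ip):
            verdicts[ip] = "published-range"  # a rule problem, not a DNS problem
            continue
        name = reverse_lookup(ip)
        if not name or not name.endswith("." + domain):
            verdicts[ip] = "unknown"  # not TeamViewer by PTR; investigate before allowing
            continue
        # PTR records are set by whoever controls the address block, so also
        # require the name to resolve forward to this exact address.
        ok = ip in forward_lookup(name)
        verdicts[ip] = ("confirmed:" if ok else "unconfirmed:") + name
    return verdicts
# Constructed sample block lines in a generic key=value style (not real firewall output).
SAMPLE_LOG = """\
msg="connection dropped" src=10.20.30.40:51234 dst=50.22.136.116:5938
msg="connection dropped" src=10.20.30.40:51240 dst=50.22.136.116:5938
msg="connection dropped" src=10.20.30.40:51251 dst=50.22.136.101:5938
msg="connection dropped" src=10.20.30.40:51260 dst=198.51.100.7:443
msg="connection dropped" src=10.20.30.40:51270 dst=[2a0b:b580:0:1::3]:5938
"""
# Constructed DNS answers; only server18308.teamviewer.com is named in the thread.
FAKE_PTR = {"50.22.136.116": "server18308.teamviewer.com",
            "50.22.136.101": "server-constructed.teamviewer.com"}
FAKE_A = {"server18308.teamviewer.com": {"50.22.136.116"},
          "server-constructed.teamviewer.com": {"192.0.2.9"}}
def demo():
    return classify_blocked(SAMPLE_LOG, FAKE_PTR.get, lambda n: FAKE_A.get(n, set()))
```

Only the "confirmed" entries are candidates for an address object; a "published-range" verdict means the existing rule for that range is not matching and should be checked before anything is added.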