PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
We'd love to hear about it! Click here to go to the product suggestion community
I just got a feature request of one of our client:- blocking internet access to users logged on to a terminalserver session- allow just teamviewer in any circumstance
If I'm not totally wrong the default behavior if using the web portal as authorization point to control internet access is, that if a user logged in to a ts-session is allowed to browse the internet, a second user will be granted internet access as well, even if he is not allowed to at first glance. This is due to the design of terminalservices and web-based user authentication.Is there a way to limit internet access on a per user base, reverse proxy or anything else, if using terminal services? In any circumstance, teamviewer as a service should be allowed to connect per default.
My first idea was to create a serviceuser for teamviewer in the ActiveDirectory and granting this user internet access via Webfilter-Profiles. Teamviewer then should be executed only in this service-user context.
Any ideas or additional questions to solve this are greatly appreciated.
Thanks in advance,
In websites, set a TAG for *.teamviewer.com
Create a Filter Action with Allowed Network = the IP of your terminal server. I suggest using Authentication = None to ensure that you catch everyone.
Create a special policy and enable only this one policy and only on this Filter Action.
Create a special filter action for this one policy, with these settings:
- Block every category
- Allow websites with the TAG
You could do a Filter Acton website allow rule with a regular expression as well.
Ensure that every terminal server user is forced to browse through UTM, using with transparent or standard mode.
Hi, Toby, and welcome to the UTM Community!
If Doug's suggestion didn't resolve your issue, please tell us the reason people should be allowed to use TeamViewer.
Cheers - BobPS I've moved this thread to the Web Protection forum.