Deny Internet Access for RDP-users but allow just Teamviewer

Hi there!

I just got a feature request of one of our client:
- blocking internet access to users logged on to a terminalserver session
- allow just teamviewer in any circumstance

If I'm not totally wrong the default behavior if using the web portal as authorization point to control internet access is, that if a user logged in to a ts-session is allowed to browse the internet, a second user will be granted internet access as well, even if he is not allowed to at first glance. This is due to the design of terminalservices and web-based user authentication.

Is there a way to limit internet access on a per user base, reverse proxy or anything else, if using terminal services? In any circumstance, teamviewer as a service should be allowed to connect per default.

My first idea was to create a serviceuser for teamviewer in the ActiveDirectory and granting this user internet access via Webfilter-Profiles. Teamviewer then should be executed only in this service-user context.

Any ideas or additional questions to solve this are greatly appreciated.


Thanks in advance,


  • In websites, set a TAG for *

    Create a Filter Action with Allowed Network = the IP of your terminal server.  I suggest using Authentication = None to ensure that you catch everyone.

    Create a special policy and enable only this one policy and only on this Filter Action.

    Create a special filter action for this one policy, with these settings:

    - Block every category

    - Allow websites with the TAG

    You could do a Filter Acton website allow rule with a regular expression as well.

    Ensure that every terminal server user is forced to browse through UTM, using with transparent or standard mode.

  • Hi, Toby, and welcome to the UTM Community!

    If Doug's suggestion didn't resolve your issue, please tell us the reason people should be allowed to use TeamViewer.

    Cheers - Bob
    PS I've moved this thread to the Web Protection forum.