
Deny Internet Access for RDP-users but allow just Teamviewer

Hi there!

I just got a feature request from one of our clients:
- blocking internet access for users logged on to a terminal server session
- allowing just TeamViewer in any circumstance

If I'm not totally wrong, the default behavior when using the web portal as the authorization point to control internet access is that if a user logged in to a TS session is allowed to browse the internet, a second user will be granted internet access as well, even if he is not allowed to at first glance. This is due to the design of Terminal Services and web-based user authentication.

Is there a way to limit internet access on a per-user basis, reverse proxy or anything else, when using Terminal Services? In any circumstance, TeamViewer as a service should be allowed to connect by default.

My first idea was to create a service user for TeamViewer in Active Directory and grant this user internet access via Webfilter profiles. TeamViewer should then be executed only in this service-user context.

Any ideas or additional questions to solve this are greatly appreciated.

 

Thanks in advance,

toby



This thread was automatically locked due to age.
  • In websites, set a TAG for *.teamviewer.com

    Create a Filter Action with Allowed Network = the IP of your terminal server.  I suggest using Authentication = None to ensure that you catch everyone.

    Create a special policy and enable only this one policy and only on this Filter Action.

    Create a special filter action for this one policy, with these settings:

    - Block every category

    - Allow websites with the TAG

    You could do a Filter Action website allow rule with a regular expression as well.

    Ensure that every terminal server user is forced to browse through UTM, using either transparent or standard mode.
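
Added example, not part of the original reply: if the allow rule is written as a regular expression, a loosely written pattern lets through URLs that merely contain the string "teamviewer.com". The sketch below compares a loose and an anchored pattern against constructed URLs; it assumes the filter matches the expression against the full requested URL, and both patterns and all sample URLs are made up for illustration.

```python
import re

# Candidate allow-rule patterns (constructed for illustration).
LOOSE = r"teamviewer\.com"
# Anchored on scheme and host: any number of subdomain labels, then the
# domain, an optional port, and then a path separator or end of string.
ANCHORED = r"^https?://([A-Za-z0-9-]+\.)*teamviewer\.com(:\d+)?(/|$)"

# Constructed sample URLs: (url, should the allow rule match it?)
SAMPLES = [
    ("https://www.teamviewer.com/en/download/", True),
    ("https://router7.teamviewer.com/", True),
    ("http://teamviewer.com", True),
    ("https://teamviewer.com:443/", True),
    ("https://teamviewer.com.example.net/", False),      # domain used as a prefix
    ("https://notteamviewer.com/", False),               # domain used as a suffix
    ("https://example.org/?ref=teamviewer.com", False),  # string in the query
    ("https://example.org/teamviewer.com/", False),      # string in the path
    ("https://teamviewer.com@example.org/", False),      # string in userinfo
]


def overmatches(pattern, samples=SAMPLES):
    """URLs the pattern would allow although they are not under teamviewer.com."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [url for url, wanted in samples if not wanted and rx.search(url)]


def undermatches(pattern, samples=SAMPLES):
    """Legitimate teamviewer.com URLs the pattern would fail to allow."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [url for url, wanted in samples if wanted and not rx.search(url)]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("anchored", ANCHORED)):
        print(f"{name}: {pattern}")
        for url in overmatches(pattern):
            print("  wrongly allowed:", url)
        for url in undermatches(pattern):
            print("  wrongly blocked:", url)
```

Running the same sample list against whatever expression is actually entered in the filter action is a quick check before the policy goes live on the terminal server.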
