Teamviewer. Is the exception "Teamviewer Remote Access Work around Teamviewer SSL handshake Bug" still required ?

Big_Buck over 4 years ago

Is the exception "Teamviewer Remote Access Work around Teamviewer SSL handshake Bug" still required ?

But more importantly, is the Teamviewer SSL handshake bug still there ?

The exception used to be this:

^([A-Za-z0-9.-]*\.)?tvcdn\.de/?

^([A-Za-z0-9.-]*\.)?teamviewer\.com/?

But in v18, the exception cannot be edited and is missing ^([A-Za-z0-9.-]*\.)?tvcdn\.de/?

Paul Jr

Parents

0 Michael Dunn over 4 years ago

Hi Paul,

The out of box exception for Teamviewer was added in XG 17.1 and always was only teamviewer.com. The UTM has a similar exception.

From what I can tell, there are several posts on the internet about people annoyed teamviewer started using tvcdn and that they need to punch more holes through their proxy. But not one of them mentions Sophos or XG, and there are no Sophos community threads on it. So I do not think that there ever was a SSL handshake bug on the XG for tvcdn.de.

There was a bug for Teamviewer, which was fixed in 17.5 MR6 (https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/104977/xg-is-blocking-teamviewer).

I suspect that you might have added the tvcdn.de yourself.

From v18 forward, we want Sophos to manage the out-of-box exceptions and not have them modified by customers. That allow us to add/remove things without changing anything a customer configured, and similarly protects us from a customer removing something from an exception.

The way the upgrade should have worked is if you had modified the Teamviewer exception before upgrade, during upgrade it should have made a copy of your modified version with a variant on the name, and then recreated the out-of-box exception to the Sophos standard one.

Are you sure that there was a tvdn.de before the upgrade? In v18 have you made sure you don't have two exceptions for Teamviewer (your modified and our readonly)?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni over 4 years ago in reply to Michael Dunn

Another interesting point: Teamviewer has an own Port, which TV tries first: TCP-/UDP-Port 5938

If this port fails, it will fallback to 443.

So if you are concern, you could put 5938 with a non scan SSLx Rule and let the traffic happen.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 LuCar Toni over 4 years ago in reply to Michael Dunn

Another interesting point: Teamviewer has an own Port, which TV tries first: TCP-/UDP-Port 5938

If this port fails, it will fallback to 443.

So if you are concern, you could put 5938 with a non scan SSLx Rule and let the traffic happen.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data