How to block Google Chrome Remote Desktop

Question

What rule or NAT should be used to prevent computers on the network from being remotely accessed via Chrome Remote Desktop? 
 It is suggested ( https://support.google.com/chrome/a/answer/2799701?hl=en ) to "black hole" chromoting-host.talkgadget.google.com . 
 How can this be done?

sachingurung · Answer

Hi, 
 If the requirement can be fulfilled by blocking the FQDN host.talkgadget.google.com then, go to the filter action > Websites> block these websites; add the host here. 
 Thanks

sachingurung · Answer

Hi Jeff, 
 Try this, create a DNS group1 with FQDN chromoting-host.talkgadget.google.com and another DNS group2 with FQDN chromoting-oauth.talkgadget.google.com and chromoting-client.talkgadget.google.com. 
 Configure a DNAT policy - DNS group1 -> Any -> External (Address) : non-existant IP address. 
 This configuration will map the traffic on an non-existing blackhole IP address. 
 Next, go to Network Services> DNS> Request Routing, configure a new DNS request route for chromoting-oauth.talkgadget.google.com and chromoting-client.talkgadget.google.com. PFA screenshot: 
 
 Add one more firewall rule ANY-ANY- DNS group2 : drop. 
 Hope that helps

Billybob · Answer

Unknown said: 
 It is suggested ( https://support.google.com/chrome/a/answer/2799701?hl=en ) to "black hole" chromoting-host.talkgadget.google.com . 
 How can this be done? 
 I have no experience with google remote desktop but from their help page https://support.google.com/chrome/answer/1649523?hl=en You need port 443 (which you can't block unless you are using ssl proxy), inbound and outbound UDP access (which you should be blocking by default) and TCP 5222 (XMPP) which should also be blocked by default. 
 Also, if you are using BAlfson best DNS practices, https://community.sophos.com/products/unified-threat-management/w/utm-wiki/2.dns-best-practice your clients shouldn't have direct access to external DNS servers. So blackholing the DNS request by defining defining a fake IP address for chromoting-host.talkgadget.google.com would block the request ( https://support.google.com/chrome/a/answer/2799701?hl=en )