Application Control in TMG 2010

I am new to TMG and was just wondering how to set up application control in TMG 2010.  Specifically, I would like to block most remote control software like Webex, GoToMyPC, TeamViewer, etc.  Is this possible on TMG?

Keith Alabaster, Enterprise Architect
Top Expert 2008

Most things are possible. You would need to access the site/service, track the protocols/IP addresses used, then put deny access rules in place above any more open allow access rules. As each service is different there is not a generic 'catch all' setting. However, there are a large range of existing Category sets and Types pre-populated in TMG that you can choose from and add to the TO: section of the deny rule, but these are not necessarily going to cover every eventuality.


Thanks for your prompt reply.  Please correct me if I'm wrong... what I understand from TMG and your above comment is that to block the actual application itself we have to find the ports they use and block those ports.

I understand that pre-defined category sets will only block websites that fall under that particular category, not the application itself.  Am I correct in saying this?

Yes - spot on. It is the protocol and ports along with header and content information.
Once you have identified these - and it can be a painful exercise - then you can create a filter or a simple rule based on the results.

Many systems administrators use TMG 2010, and sometimes you need to block some sites, applications and ports due to security or policy issues.

In this article we will see how to block / unblock TeamViewer using TMG 2010.

First of all we need to know how TeamViewer works and which port it uses.

1- TeamViewer uses TCP port 5938.
2- TeamViewer uses the following sites:

Now we need to know how we can block / unblock TeamViewer using TMG 2010.

Block TeamViewer Using TMG 2010

Note: by default TeamViewer is blocked in TMG.

1- You need to add a rule which blocks port 5938 from Internal to External.

Open the Forefront TMG console ==> right click on Firewall Policy ==> New ==> Access Rule ==>
write the name of the rule, for example Blocking Teamviewer ==> Deny ==> choose Selected protocols ==>
then you must add a new protocol of type TCP with port 5938, direction Outbound ==> from Internal to External, or according to the topology of your network.

2- You need to add another rule which blocks HTTP / DNS / HTTPS from Internal to a URL set which contains http://*.teamviewer.com and http://*.dyngate.com.

You now need to add the following HTTP URL set inside any rule and make it deny:

Now go to any client and try to start TeamViewer; it should fail :).

Unblock TeamViewer Using TMG 2010

Now we need to unblock TeamViewer, so we only need to allow all the steps that I mentioned in the Block TeamViewer section.

If you need any further help, don't hesitate to contact us and we will answer you.

For other remote services you can do that in the same way.

That is the right concept, yes. Unfortunately a number of applications don't use just a single port and quite a few others use https and port 443 to connect in which case you have a problem. Unless you turn on https inspection - which is not always a good idea for legal reasons - TMG cannot see the content of what passes up the tunnel so whilst Teamviewer uses a helpful non-web protocol, this will need to be supplemented with your own detective work.
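The ordering point made in this thread (deny rules must sit above the more open allow rules, because TMG applies the first matching rule) can be checked with a small model. This is an added example, not TMG code and not its COM API: protocols are reduced to a destination port, destinations to a URL set, and the sample URL and rule names are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed model of TMG access-rule evaluation: rules are walked in order,
# the first one whose protocol and destination match decides, and the implicit
# last rule denies everything. Not TMG code; an illustration of the thread.

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    ports: frozenset = None     # None = any protocol
    url_patterns: tuple = ()    # () = any destination (e.g. the External network)

    def matches(self, port, url):
        if self.ports is not None and port not in self.ports:
            return False
        if self.url_patterns:
            if url is None:     # raw TCP session: no URL for TMG to compare
                return False
            parts = urlsplit(url)
            target = f"{parts.scheme}://{parts.hostname}".lower()
            return any(fnmatchcase(target, p.lower()) for p in self.url_patterns)
        return True


def evaluate(policy, port, url=None):
    """Return (action, rule name) of the first rule matching this connection."""
    for rule in policy:
        if rule.matches(port, url):
            return rule.action, rule.name
    return "deny", "Default rule"       # TMG's built-in last rule


WEB_PORTS = frozenset({80, 443, 53})    # HTTP, HTTPS, DNS as in the article
BLOCK_TV_PORT = Rule("Blocking Teamviewer", "deny", frozenset({5938}))
BLOCK_TV_SITES = Rule("Blocking Teamviewer sites", "deny", WEB_PORTS,
                      ("http://*.teamviewer.com", "http://*.dyngate.com"))
ALLOW_WEB = Rule("Allow web access", "allow", WEB_PORTS)

CORRECT_ORDER = [BLOCK_TV_PORT, BLOCK_TV_SITES, ALLOW_WEB]   # deny above allow
WRONG_ORDER = [ALLOW_WEB, BLOCK_TV_PORT, BLOCK_TV_SITES]     # allow shadows deny

if __name__ == "__main__":
    tv_url = "http://client.teamviewer.com/din.aspx"   # constructed sample URL
    for label, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, evaluate(policy, 5938), evaluate(policy, 80, tv_url))
    # Keith's caveat: a tunnelled 443 session with no visible hostname falls
    # through to the web allow rule even with the deny rules on top.
    print("opaque 443:", evaluate(CORRECT_ORDER, 443))
```

Running it shows the URL-set deny working only in CORRECT_ORDER, while the TCP 5938 deny works in both orders because the web allow rule never matches that protocol.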


Very helpful replies, it is crystal clear now.