How can I restrict access for TeamViewer connections from a computer on my network

We utilize TeamViewer for IT Support. All IT personnel can remote control any workstation with TeamViewer installed.  
We also have engineers who occasionally remote into each other's computers for assistance.  
I want to only allow our users to be able to remote control only computers on our "WAN/LAN".  
Everything I have found about controlling TeamViewer (WhiteList...) connections is for inbound connections to a computer.  
I need to know how to set it up to where they can only control computers within our WAN.  
i.e. we don't want them to be able to remote into their home computer and play on the internet all day...

Wondering if this would have to be done at the Cisco firewall router level?

Andrej Pirman commented:
I do not believe it is possible, because TV uses their own public servers to authenticate with ID and to initiate connection to partner... then it falls back to P2P connection once authentication is established. So if you would block access to TV authentication servers (which you can do, for example, by creating dummy DNS records on your firewall for *), then even your internal LAN-to-LAN TV connections would fail due to lack of authentication.

Theoretically, if you employ Windows Firewall and your LAN machines are all on Active Directory, you could create a GPO and inject a rule into the clients' firewalls for the TeamViewer.exe application:
- allow access for this app to * servers (I think they are master, master1,, but this would need to be checked)
- and allow access for this app also to all your LAN IP subnets
- block all other connections for this app
You would need to have a scheduled script to regularly check the FQDNs of all TeamViewer's public authentication servers and translate them to IP addresses, then another script to regenerate the GPO policy with newer IP addresses, and update the GPO with some third script.
This would also block TV connections from outside to your LAN, which I don't know if it's a desirable effect.

But that's theory, not even sure if this would work.

I believe it's more the Human Resources department's job to enforce healthier and more efficient work habits than an IT expert's job. You could spend thousands of hours to get TV blocked, then users will adapt and switch over to LogMeIn or some other remote application. At one of our customers, the director has announced a policy that he will fire anyone who uses an office computer for private work or entertainment. Of course, he has not fired anyone yet, but they've had almost ZERO issues, no viruses, no problems over the past 5 years, so they even canceled the contract with me as outsourced IT manager, because they do not need me...
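
The firewall idea from the answer above, sketched in PowerShell as an added example (not code from the thread or from TeamViewer). Windows Firewall allows outbound traffic by default and a block rule always overrides an allow rule, so "allow these, block the rest" is written as one block rule covering every IPv4 range outside the allowed set. The install path, subnets, rule name and broker host name are placeholders chosen for illustration.

```powershell
# Added example: the values below are assumptions, not values from the thread.
$Program     = 'C:\Program Files\TeamViewer\TeamViewer.exe'   # assumed install path
$LanSubnets  = @('10.0.0.0/8', '192.168.0.0/16')              # constructed sample subnets
$BrokerHosts = @('broker-placeholder.example.invalid')        # placeholder for vendor server names
$RuleName    = 'TeamViewer - block outside LAN'               # hypothetical rule name

function ConvertTo-Long([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network order -> little-endian
    [long][BitConverter]::ToUInt32($b, 0)
}
function ConvertTo-Ip([long]$N) {
    $b = [BitConverter]::GetBytes([uint32]$N)
    [Array]::Reverse($b)
    $b -join '.'
}
# Turn "a.b.c.d/len" (or a bare address) into an inclusive numeric range.
function Get-Range([string]$Cidr) {
    $ip, $len = $Cidr -split '/'
    if (-not $len) { $len = 32 }
    $size  = [long][math]::Pow(2, 32 - [int]$len)
    $start = ConvertTo-Long $ip
    $start -= $start % $size                   # align to the network boundary
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}
# Everything in IPv4 space NOT covered by the allowed ranges.
function Get-Complement($Ranges) {
    $next = [long]0
    foreach ($r in ($Ranges | Sort-Object Start)) {
        if ($r.Start -gt $next) { '{0}-{1}' -f (ConvertTo-Ip $next), (ConvertTo-Ip ($r.Start - 1)) }
        if ($r.End + 1 -gt $next) { $next = $r.End + 1 }
    }
    if ($next -le 4294967295) { '{0}-255.255.255.255' -f (ConvertTo-Ip $next) }
}

$brokerIps = foreach ($h in $BrokerHosts) {
    Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
}
if (-not $brokerIps) { Write-Warning 'No broker address resolved; LAN sessions may fail to authenticate.' }

$allowed = @($LanSubnets) + @($brokerIps) | Where-Object { $_ } | ForEach-Object { Get-Range $_ }
$blocked = @(Get-Complement $allowed)

# Replace the previous rule so a scheduled run picks up changed addresses.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Program $Program `
    -Action Block -RemoteAddress $blocked | Out-Null
```

With the sample subnets and no resolved broker, `$blocked` is `0.0.0.0-9.255.255.255`, `11.0.0.0-192.167.255.255` and `192.169.0.0-255.255.255.255`. The rule covers IPv4 only, and it has to be re-run on a schedule because the resolved addresses change.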

BFanguy (Author) commented:
Thank you, Andrej. Was hoping it would have been an easy fix.