Teamviewer, literals?
Dick Visser
visser at terena.org
Tue Jan 29 18:07:35 CET 2013
Hi guys
I'm working on a Windows 2008R2 server that will run IPv6-only.
The network that this server is in, has ACLs to block all outgoing
connections by default.
Only specific destinations (DNS, NTP, etc) are permitted.
For external connectivity to various web resources (software updates,
CRLs, OCSP), I use a filtering proxy server (tinyproxy) that
whitelists about a dozen domains.
There are two things that I really like about this proxy. One is that it
is easy to restrict access to content that is impractical to restrict
by IP ACLs (such as big CDNs with volatile IP ranges). The other one
is that the proxy acts as an IPv6-IPv4 gateway. Two birds with one
stone. This seems to work great.
One of the applications on the server has a customised Teamviewer
binary included.
This is remote control software that basically phones home over HTTP,
so that support people can do their stuff.
Teamviewer is clever enough to use the system wide proxy settings, and
I can see in the proxy logs that it connects to various domains
(masterXX.teamviewer.com, pingXX.teamviewer.com). All of those host
names are IPv4 only, so this already demonstrates the use of the proxy
:-)
After adding this regex to the proxy:
^(master|ping)[0-9]+\.teamviewer\.com$
this part worked. I was then very disappointed to see that the
program would now do HTTP requests for literal IPv4 addresses:
CONNECT Jan 29 17:35:44 [15096]: Request (file descriptor 6): GET http://178.255.154.11/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=20373024&p=10000002 HTTP/1.1
CONNECT Jan 29 17:35:44 [15099]: Request (file descriptor 6): GET http://178.255.154.11/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=20373024&p=10000001 HTTP/1.1
CONNECT Jan 29 17:36:45 [15097]: Request (file descriptor 6): GET http://92.51.171.94/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=23026525&p=10000001 HTTP/1.1
CONNECT Jan 29 17:36:45 [15149]: Request (file descriptor 6): GET http://92.51.171.94/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=23026525&p=10000002 HTTP/1.1
CONNECT Jan 29 17:36:47 [15098]: Request (file descriptor 6): GET http://87.106.211.200/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=174313527&p=10000001 HTTP/1.1
CONNECT Jan 29 17:36:47 [15100]: Request (file descriptor 6): GET http://87.106.211.200/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=174313527&p=10000002 HTTP/1.1
CONNECT Jan 29 17:41:48 [15098]: Request (file descriptor 6): GET http://89.41.60.86/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=128400200&p=10000002 HTTP/1.1
CONNECT Jan 29 17:41:48 [15149]: Request (file descriptor 6): GET http://89.41.60.86/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=128400200&p=10000001 HTTP/1.1
CONNECT Jan 29 17:41:50 [15099]: Request (file descriptor 6): GET http://176.9.89.131/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=38039953&p=10000002 HTTP/1.1
CONNECT Jan 29 17:41:50 [15100]: Request (file descriptor 6): GET http://176.9.89.131/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=38039953&p=10000001 HTTP/1.1
CONNECT Jan 29 17:46:51 [15096]: Request (file descriptor 6): GET http://37.252.227.4/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=258992450&p=10000001 HTTP/1.1
:(
The only way to get things working was by allowing this lame URL regex:
^([0-9]+\.)([0-9]+\.)([0-9]+\.)([0-9]+)$
which of course totally defeats the purpose of a filtering proxy...
Just asking around here - has anyone ever successfully used Teamviewer
on an IPv6-only system?
If not, I guess I'll be harassing Teamviewer to stop using literals in
their software...
Thanks
--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
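
Added example, not part of the original post: a Python sketch that replays tinyproxy-style request lines against the two patterns quoted above and reports which hosts get through only because of the catch-all IPv4 pattern. The sample log is constructed (master4.teamviewer.com and 192.0.2.77 are made-up hosts); matching against the host part of the URL, the pinned list and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# The two allow patterns quoted in the post.
NAMED = re.compile(r"^(master|ping)[0-9]+\.teamviewer\.com$")
ANY_V4 = re.compile(r"^([0-9]+\.)([0-9]+\.)([0-9]+\.)([0-9]+)$")

# Request lines in the shape shown in the post's proxy log.
REQUEST = re.compile(r"Request \(file descriptor \d+\): [A-Z]+ (?P<url>\S+) HTTP/")

# Constructed sample log (shortened query strings, two made-up hosts).
SAMPLE_LOG = """\
CONNECT Jan 29 17:35:44 [15096]: Request (file descriptor 6): GET http://178.255.154.11/din.aspx?s=00000000&id=1234567890 HTTP/1.1
CONNECT Jan 29 17:36:45 [15097]: Request (file descriptor 6): GET http://92.51.171.94/din.aspx?s=00000000&m=fast HTTP/1.1
CONNECT Jan 29 17:36:46 [15097]: Request (file descriptor 6): GET http://master4.teamviewer.com/din.aspx?s=0 HTTP/1.1
CONNECT Jan 29 17:36:47 [15098]: Request (file descriptor 6): GET http://192.0.2.77/other HTTP/1.1
"""

def hosts(log_text):
    """Yield the host of every request line found in the log text."""
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            host = urlsplit(m.group("url")).hostname
            if host:
                yield host

def pinned_patterns(ips):
    """Exact-match, anchored patterns for a set of known literal addresses."""
    return sorted("^" + re.escape(ip) + "$" for ip in ips)

def audit(log_text, pinned_ips):
    """Map each requested host to the narrowest rule that admits it."""
    pinned = [re.compile(p) for p in pinned_patterns(pinned_ips)]
    verdicts = {}
    for host in hosts(log_text):
        if NAMED.match(host):
            verdicts[host] = "named"
        elif any(p.match(host) for p in pinned):
            verdicts[host] = "pinned-literal"
        elif ANY_V4.match(host):
            verdicts[host] = "catch-all-only"  # admitted only by the broad regex
        else:
            verdicts[host] = "denied"
    return verdicts

if __name__ == "__main__":
    # Hypothetical pinned list: two of the literals seen in the post's log.
    for host, verdict in audit(SAMPLE_LOG, {"178.255.154.11", "92.51.171.94"}).items():
        print(f"{verdict:15} {host}")
```

Exact-match patterns for the literals actually observed are narrower than the catch-all, but they go stale whenever the set of addresses changes.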