Teamviewer, literals?

Ted Mittelstaedt tedm at ipinc.net
Wed Jan 30 20:36:27 CET 2013


We use teamviewer but the way I understand that it works is it
phones home to the teamviewer server, and the remote user's copy
of it phones home to the teamviewer server, and the teamviewer server
then does the magic to connect the 2 phones together.

Thus couldn't you just allow outbound access to the teamviewer server
and be done with it?

Ted

On 1/29/2013 9:07 AM, Dick Visser wrote:
> Hi guys
>
> I'm working on a Windows 2008R2 server that will run IPv6-only.
> The network that this server is in, has ACLs to block all outgoing
> connections by default.
> Only specific destinations (DNS, NTP, etc) are permitted.
> For external connectivity to various web resources (software updates,
> CRLs, OCSP), I use a filtering proxy server (tinyproxy) that
> whitelists about a dozen domains.
>
> There's two things that I really like about this proxy. One is that it
> is easy to restrict access to content that is impractical to restrict
> by IP ACLs (such as big CDNs with volatile IP ranges). The other one
> is that the proxy acts as an IPv6-IPv4 gateway. Two birds with one
> stone. This seems to work great.
>
> One of the applications on the server has a customised Teamviewer
> binary included.
> This is remote control software that basically phones home over HTTP,
> so that support people can do their stuff.
>
> Teamviewer is clever enough to use the system wide proxy settings, and
> I can see in the proxy logs that it connects to various domains
> (masterXX.teamviewer.com, pingXX.teamviewer.com). All of those host
> names are IPv4 only, so this already demonstrates the use of the proxy
> :-)
> After adding this regex to the proxy:
>
> ^(master|ping)[0-9]+\.teamviewer\.com$
>
> this parts worked. I was then very disappointed to see that the
> program would now do HTTP requests for literal IPv4 adresses:
>
> CONNECT   Jan 29 17:35:44 [15096]: Request (file descriptor 6): GET
> http://178.255.154.11/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=20373024&p=10000002
> HTTP/1.1
> CONNECT   Jan 29 17:35:44 [15099]: Request (file descriptor 6): GET
> http://178.255.154.11/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=20373024&p=10000001
> HTTP/1.1
> CONNECT   Jan 29 17:36:45 [15097]: Request (file descriptor 6): GET
> http://92.51.171.94/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=23026525&p=10000001
> HTTP/1.1
> CONNECT   Jan 29 17:36:45 [15149]: Request (file descriptor 6): GET
> http://92.51.171.94/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=23026525&p=10000002
> HTTP/1.1
> CONNECT   Jan 29 17:36:47 [15098]: Request (file descriptor 6): GET
> http://87.106.211.200/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=174313527&p=10000001
> HTTP/1.1
> CONNECT   Jan 29 17:36:47 [15100]: Request (file descriptor 6): GET
> http://87.106.211.200/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=174313527&p=10000002
> HTTP/1.1
> CONNECT   Jan 29 17:41:48 [15098]: Request (file descriptor 6): GET
> http://89.41.60.86/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=128400200&p=10000002
> HTTP/1.1
> CONNECT   Jan 29 17:41:48 [15149]: Request (file descriptor 6): GET
> http://89.41.60.86/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=128400200&p=10000001
> HTTP/1.1
> CONNECT   Jan 29 17:41:50 [15099]: Request (file descriptor 6): GET
> http://176.9.89.131/din.aspx?s=00000000&id=1234567890&client=DynGate&rnd=38039953&p=10000002
> HTTP/1.1
> CONNECT   Jan 29 17:41:50 [15100]: Request (file descriptor 6): GET
> http://176.9.89.131/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=38039953&p=10000001
> HTTP/1.1
> CONNECT   Jan 29 17:46:51 [15096]: Request (file descriptor 6): GET
> http://37.252.227.4/din.aspx?s=00000000&m=fast&id=1234567890&client=DynGate&rnd=258992450&p=10000001
> HTTP/1.1
>
> :(
>
> The only way to get things working, was by allowing this lame URL regex:
>
> ^([0-9]+\.)([0-9]+\.)([0-9]+\.)([0-9]+)$
>
> which of course totally defeats the purpose of a filtering proxy...
>
>
> Just asking around here - has anyone ever successfully used Teamviewer
> on an IPv6-only system?
> If not, I guess I'll be herassing Teamviewer to stop using literals in
> their software...
>
>
> Thanks
>
>
>




More information about the ipv6-ops mailing list