FortiGate
FrankY1 (Staff)
Article Id 359975
Description

This article describes how to use FortiGate application control to completely block Chrome Remote Desktop in both the inbound and outbound directions.


Chrome Remote Desktop is a remote desktop software tool, developed by Google, that allows a user to remotely control another computer's desktop.

Scope

FortiGate.
Solution

Background.

As shown in the screenshot below, FortiGate has an application signature, 'Chrome.Remote.Desktop', for the Chrome Remote Desktop application. When this signature is set to block in the application control profile, it blocks all outbound remote control connections initiated by the application.

[Screenshot: the 'Chrome.Remote.Desktop' application signature in the FortiGate application control profile]

However, inbound remote control connections may not be blocked by this signature alone, so users on external networks are still able to access internal machines. In this case, perform the application traffic analysis below to identify whether other applications also need to be blocked.


Application Traffic Analysis.

When the application is installed, Windows runs two instances of the process 'remoting_host.exe'. These can be found in the Windows Task Manager. Each process has a TCP connection to a Google server, and those servers' IP addresses can be found in the Resource Monitor. Refer to the screenshots below.

[Screenshot: two 'remoting_host.exe' processes in Windows Task Manager, and their TCP connections to Google server IP addresses in Resource Monitor]

SSL Handshake Analysis.

Perform a packet capture on the firewall, filtering on the two server IP addresses. In the TLS Client Hello message, the Server Name Indication (SNI) extension may contain server names such as 'www.googleapis.com' and 'instantmessaging-pa.googleapis.com' (highlighted in the Wireshark screenshots below).

SNI is also the field in the packet that firewall SSL inspection examines to determine which domain or application the traffic is associated with.

[Screenshots: Wireshark TLS Client Hello packets with the Server Name Indication extension showing 'www.googleapis.com' and 'instantmessaging-pa.googleapis.com']

Block the 'Google.Messaging' application.

In the FortiGate forwarding traffic logs, the applications 'Google.Services' and 'Google.Messaging' can be found with the Google servers' IP addresses as the destinations. Blocking 'Google.Messaging' in the application control profile ensures the Chrome Remote Desktop application is completely blocked from external connections.

[Screenshot: FortiGate forwarding traffic logs showing the 'Google.Services' and 'Google.Messaging' applications with the Google server IP addresses as destinations]