Using TeamViewer, a user can initiate a remote connection to another host using TeamViewer's partner ID or can allow a remote host to connect to the local host.

To allow incoming Teamviewer connections only:

In Application Control, three Application Signatures are defined for TeamViewer:

• TeamViewer: This signature indicates an attempt to access TeamViewer.
• TeamViewer_CallReceive: This signature indicates an attempt to receive a remote connection on TeamViewer.
• TeamViewer_CallRequest: This signature indicates an attempt to connect to a partner ID on TeamViewer.
  

For this scenario, all categories are blocked in Application Control.

Under Application Control -> Application and Filter Overrides, only defining the signature TeamViewer_CallReceive to 'allow' (or 'monitor') will not permit the TeamViewer client to connect and will result in the following error:

The TeamViewer signature must also be configured to allow connection to TeamViewer servers.

However, after configuring the signatures TeamViewer to 'allow' (or 'monitor') and TeamViewer_CallReceive to 'allow' (or 'monitor') under Application Control -> Application and Filter Overrides, it will be possible to receive TeamViewer connections from a remote host, but it will also be possible to initiate a remote connection to a TeamViewer's partner ID.

Therefore, the TeamViewer_CallRequest signature must explicitly be blocked.

Below is the Application Control -> Application and Filter Overrides configuration to only allow incoming TeamViewer connections:

Below is the Application Control configuration in the CLI.

config application list

    edit "TeamViewer_Incoming"

        set other-application-log enable
        set enforce-default-app-port enable
        set unknown-application-action block
        set unknown-application-log enable
            config entries

                edit 1

                    set application 39632
                    set action pass

                next
                edit 2

                    set application 39630

                next
                edit 3

                    set application 15921
                    set action pass

                next
                edit 4

                    set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32 33

                next

            end

    next

end 

Note: The same logic can be applied to allow only connection to a TeamViewer's partner ID by configuring TeamViewer_CallRequest to 'allow' (or 'monitor') and TeamViewer_CallReceive to 'block'.

To allow outbound TeamViewer connections only (from LAN to WAN):

Configure the 'Application and Filter Overrides' section under the Application Control profile as shown below.