2070 Views 5 Replies Latest reply: Dec 6, 2013 8:06 AM by corvettenkapitaen RSS
corvettenkapitaen Newcomer 2 posts since
Aug 15, 2013

Aug 16, 2013 9:38 AM

MWG7 SSL scanner and teamviewer software

I have a problem with the MWG7 SSL scanner and teamviewer software.

Two weeks ago the teamviewer software worked over the MWG7 proxy without problems. Now it is not working anymore.

 

To solve the problem I have made a connection tracing. Teamviewer first connects with *.teamviewer.com hosts over port 443. This works, because I have put *.teamviewer.com on the SSL tunneled URL list.

After the successful port 443 connections teamviewer wants to connect to a host with an IP address. Because the IP address is not on the SSL tunneled URL list and the SSL protocol is proprietary, the MWG7 cannot handle the SSL protocol and shows the error message 'SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol / HTTP/1.0 500 handshakefailed'. I have put the IP address on the SSL tunneled URL list. Every time the teamviewer software is started the software uses a different IP address which is not on the SSL tunneled URL list. The MWG7 closes the connection with an SSL error message 500.

 

I have asked the teamviewer support for a list with all teamviewer IP addresses. They have answered that this is not possible, because the IP addresses change often and there are new IP addresses from time to time.

On the teamviewer homepage they say:

Which ports are used by TeamViewer?

In general, TeamViewer will always work if surfing on the Internet is possible. Hence, no firewall configuration is required. As an alternative to port 80 HTTP, port 443 HTTPs is also being checked. In addition, it is also possible to open only port 5938 TCP on the outgoing side. Data traffic should then be able to pass through on this port without any problems.

 

I have disabled the SSL scanner. Without the SSL scanner the teamviewer software is working.

 

How can I configure the SSL scanner so that it won't scan the teamviewer IP connections, but all other SSL traffic?

I know there are McAfee maintained lists (IP ranges) for Citrix, JoinMe WebEx. Will there be a list for teamviewer in the future?

 

Best regards,

Rainer

  • otruniger Newcomer 15 posts since
    Jun 4, 2012
    1. Aug 16, 2013 10:13 AM (in response to corvettenkapitaen)
    Re: MWG7 SSL scanner and teamviewer software

    I don't know teamviewer, but many client applications have an option to not resolve hostnames themselves but leave it up to the proxy server. Those applications can be tuned to not request IP-based URLs.

     

    Well, some applications behave nasty and demand those IP-based URLs. In these cases you may use a rule based on user-agent. Not perfect, as smart users know how to trick user-agent strings.

     

    Regards, Othmar

  • asabban McAfee SME 1,357 posts since
    Nov 3, 2009
    2. Aug 19, 2013 2:50 AM (in response to otruniger)
    Re: MWG7 SSL scanner and teamviewer software

    Hello,

     

    the McAfee maintained lists are built on what the software vendor provides. It would be too much work to manually craft those lists and keep them up to date, especially when there is no way to verify that all IP addresses are included. So it's unlikely that we can provide such a list.

     

    Can you provide some more information on what version of TeamViewer you run, and when the problems occur? I just took a Windows 7 host which only is allowed to talk to MWG on Port 9090, went to teamviewer.com and launched "Run Full Version". I chose "Run Only/Personal use". It took a few seconds, but it successfully connected, the TeamViewer software showed a green "Connected (Secure Connection)" message at the bottom.

     

    To validate I also participated in a meeting from the restricted system to another workstation (not behind MWG) and the screen sharing went fine.

     

    What I could see was that there was a single HTTPS attempt by the team viewer software calling ping.teamviewer.com. This was declined by MWG due to handshake failure. It seems TeamViewer then started speaking HTTP, obviously via a service/protocol called DynGate (or similar). Requests such as "GET /din" and "GET /dout" went through the proxy. The access.log shows:

     

    [19/Aug/2013:09:35:39 +0200] "" 10.150.64.132 200 "GET http://176.9.89.131/dout.aspx?s=39424760&p=10000053&client=DynGate&data=ETBrACcA AAAAAAAADQEAAAIAAAAYAAAADAAAABAAAAAJAAAA9L0FjDhqJSMeRfXV9hW/x6NQ+ww+XxXtrVdC HTTP/1.1" "Remote Access" "Minimal Risk" "" 182 411 "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" "" "0" ""

    [19/Aug/2013:09:35:39 +0200] "" 10.150.64.132 200 "GET http://176.9.89.131/din.aspx?s=39424760&id=220980192&client=DynGate&p=10000045 HTTP/1.1" "Remote Access" "Minimal Risk" "application/octet-stream" 331 258 "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" "" "0" ""

    [19/Aug/2013:09:35:39 +0200] "" 10.150.64.132 200 "GET http://176.9.89.131/dout.aspx?s=39424760&p=10000054&client=DynGate&data=ETBrADcA AAAAAAAAEQEAAAIAAAAYAAAADAAAABEAAAAJAAAA+Rq1Fe9xOY8jMJ7UU5gWoCu6SbHWyALvG5cscSHU LKLIf1riuEtgx6KfEA== HTTP/1.1" "Remote Access" "Minimal Risk" "" 182 435 "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" "" "0" ""

    [19/Aug/2013:09:35:39 +0200] "" 10.150.64.132 200 "GET http://176.9.89.131/din.aspx?s=39424760&id=220980192&client=DynGate&p=10000046 HTTP/1.1" "Remote Access" "Minimal Risk" "application/octet-stream" 1472 258 "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" "" "0" ""

    [19/Aug/2013:09:35:40 +0200] "" 10.150.64.132 200 "GET http://176.9.89.131/dout.aspx?s=39424760&p=10000055&client=DynGate&data=ETBrACoA AAAAAAAAEgEAAAIAAAAYAAAADAAAABIAAAAJAAAAiofkcxgbdBcLrhWApKeletMmHyDOt92tfgcfoilx HTTP/1.1" "Remote Access" "Minimal Risk" "" 182 415 "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" "" "0" ""

    [19/Aug/2013:09:35:40 +0200] "" 10.150.64.132 200 "GET http://176.9.89.131/din.aspx?s=39424760&id=220980192&client=DynGate&p=10000047 HTTP/1.1" "Remote Access" "Minimal Risk" "application/octet-stream" 604 258 "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" "" "0" ""

     

    It also looks like the TeamViewer IPs are categorized as "Remote Access". I also noticed that the GET requests and also the single CONNECT request I saw are showing the User-Agent string "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)", so probably there is a chance to capture such requests by utilizing URL Filter and/or the user-agent string.

     

    Are you running MWG in explicit proxy mode? I assume in transparent mode we won't have a chance to look into the User-Agent since there is no connect request unless MWG has called SSL Scanner to decrypt the session. In this case it would still be interesting if there is a way to get TeamViewer working as shown above by using HTTP. Since it reports that the channel is secure I assume it performs end-to-end through HTTP, so it should be acceptable to use HTTP. The TeamViewer support might be helpful here, because only they know how their tool is supposed to work.

     

    Because I cannot replicate the problem I cannot provide more details, but maybe you get some ideas to start with.

     

    Best,

    Andre

  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009
    3. Aug 19, 2013 3:19 AM (in response to corvettenkapitaen)
    Re: MWG7 SSL scanner and teamviewer software

    After a quick look, Teamviewer behaves as any other P2P protocol. It will try native connections first and in case it can't succeed it will fall back to using web traffic. For me it tried HTTPS which ran into an error, then it moved to http, which worked.

    A quick wireshark shows that it uses a specific useragent (at least on my Mac):

    User-Agent: TeamViewer/1 CFNetwork/596.4.3 Darwin/12.4.0 (x86_64) (MacBookPro10%2C2)



    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**
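
The user-agent matching suggested in the two replies above, applied to access.log lines. This is an added example, not part of the original posts and not McAfee or TeamViewer code. The field layout is inferred from the log lines quoted in the thread, and the sample lines and addresses are constructed. Because the User-Agent header is set by the client, the check also looks at the request shape and reports header-only matches separately.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Field layout inferred from the access.log lines quoted in this thread.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<user>[^"]*)" (?P<src>\S+) (?P<status>\d{3}) '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" "(?P<cat>[^"]*)" "(?P<rep>[^"]*)" '
    r'"(?P<mime>[^"]*)" \d+ \d+ "(?P<ua>[^"]*)"')
UA_RE = re.compile(r'\bDynGate\b|^TeamViewer/')  # both agents seen in the thread
IP_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
RELAY_PATHS = {'/din.aspx', '/dout.aspx'}

def classify(line):
    """Return 'teamviewer', 'ua-only', 'shape-only', 'other', or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # CONNECT lines carry host:port rather than a full URL.
    url = m['url'] if '://' in m['url'] else '//' + m['url']
    parts = urlsplit(url)
    ua_hit = bool(UA_RE.search(m['ua']))
    shape_hit = (bool(IP_RE.match(parts.hostname or ''))
                 and parts.path in RELAY_PATHS
                 and parse_qs(parts.query).get('client') == ['DynGate'])
    if ua_hit and shape_hit:
        return 'teamviewer'
    if ua_hit:
        return 'ua-only'  # header matches but the request shape does not: review
    return 'shape-only' if shape_hit else 'other'

# Constructed sample lines (documentation addresses, shortened payloads).
HEAD = '[19/Aug/2013:09:35:39 +0200] "" 192.0.2.10 '
TAIL = ' "Remote Access" "Minimal Risk" "" 182 411 "%s" "" "0" ""'
DYN = 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'
SAMPLES = [
    HEAD + '200 "GET http://198.51.100.7/dout.aspx?s=1&p=2&client=DynGate'
           '&data=AAAA HTTP/1.1"' + TAIL % DYN,
    HEAD + '500 "CONNECT 198.51.100.7:443 HTTP/1.1"' + TAIL % DYN,
    HEAD + '200 "GET http://www.example.com/download.bin HTTP/1.1"' + TAIL % DYN,
    HEAD + '200 "GET http://www.example.com/ HTTP/1.1"' + TAIL % 'Mozilla/5.0',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(classify(sample))
```
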
  • scottp Newcomer 8 posts since
    Apr 23, 2012
    4. Aug 23, 2013 7:37 AM (in response to michael_schneider)
    Re: MWG7 SSL scanner and teamviewer software

    I would agree that a list for Teamviewer would be important.  I would love to see some policy that could grant individual app control access - like "outbound only".
