I've got a Squid server (v. 3.5.x) configured so that only some "banking sites" are allowed to be tunneled (spliced); the rest of the SSL sites are bumped. That works OK. I thought that this prevented illegal tunneling out by users.

However, I've recently realized that TeamViewer is still able to establish a connection through my Squid. Moreover, the users' PCs are totally blocked on my firewall; they only have access to the web via the Squid proxy (their browsers are proxy-aware).

Of course I can block the teamviewer.com domain with an ACL, and that works. But I'm wondering if there is any way to prevent such tunnel connections in the future (I mean other, mainly malicious, software).

I've captured some details using Ethereal, and it looks like the TeamViewer app does a normal HTTP GET request to TeamViewer's ASP script:

http://master13.teamviewer.com/din.aspx?s=00000000&id=0&client=DynGate&rnd=144452645&p=10000001

The TeamViewer server's response is an application/octet-stream, but it contains an ID which is presumably used later in the client's POST request. See http://dev.3d.pl/tmp/teamv.png (screenshot from Ethereal) and the TCP stream at http://dev.3d.pl/tmp/teamv.txt

My question is: does the TeamViewer tunnel traffic differ in any way from normal HTTP binary content transmission (e.g. YouTube or radio streaming)? Can we somehow detect that this kind of transmission is probably tunnel traffic?

Sorry if my post is a bit chaotic, but I'm kind of confused now about how it works. Please note: I'm not talking only about TeamViewer itself but about HTTP-tunneled traffic in general.

Maybe an ICAP server could be useful here? But how do I know what to look for (what should the ACLs/rules look like)? Or are you going to tell me that the only possible way is continuously watching what's new "on the market" and adding new rules?

Many thanks for the explanation!

Markus