I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections.
So that users can't connect to their work PCs with TV (circumventing domain authentication) but at the same time could connect to clients' PCs to help fix problems.
Is it at all possible?
It's impossible to block in a traditional firewall. You'll need some kind of packet analyzer.
Or you could create a GPO that sets the following registry-key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version6\Security_AcceptIncoming REG_DWORD=0
This disables incoming connections.
You could try to disable incoming connections on the ports TeamViewer uses. I'm sure TV uses the following ports:
and maybe also
Or maybe you can do something with the URL TV uses for connection.
Don't know if you need those URLs for outgoing connections, but you can test that.
In most cases, the network paths that applications use are asymmetrical; that is, you can block the appropriate port on incoming traffic to prevent incoming connections, but allow traffic on that port to leave to permit outgoing ones.
If you're working with Windows computers that are on a domain, you can use Active Directory Group Policies to configure the Windows Firewall on those computers to block the appropriate incoming ports.
However, in the specific case of TeamViewer, they provide a client program that a user can run which connects to TeamViewer's servers and routes incoming connections along that path; thus, an incoming firewall wouldn't be sufficient. You would also need to set up a rule (either with Windows Firewall or elsewhere on your network) to block traffic going to teamviewer.com, but then your users wouldn't be able to use the tool themselves.
In short, I don't think it'll be easy to block the TeamViewer application from accepting incoming connections, while still allowing it to start outgoing ones. What I would do in this situation is to install Wireshark on a client computer and profile the network traffic involved in both an incoming connection with the client listening, and in an outgoing connection to work on a different computer. It's possible there'll be some types of traffic that appear on only the incoming connection, which you can then block with the Windows Firewall to prevent those connections from working.
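The capture comparison suggested in the last answer, as an added example that is not part of the original posts: it reduces two tshark field exports to flow signatures (who initiated, protocol, service port) and lists the ones seen only while the client was being controlled. The local address, the sample rows and every port in them are constructed placeholders, not TeamViewer's real traffic.

```python
LOCAL_IP = "192.0.2.10"  # assumption: address of the profiled client

# Constructed rows in the shape produced by:
#   tshark -r FILE -E occurrence=f -T fields -e ip.src -e ip.dst \
#          -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport
# Addresses and ports are placeholders, not real TeamViewer values.
OUTGOING_SESSION = (
    "192.0.2.10\t198.51.100.5\t50111\t40001\t\t\n"
    "198.51.100.5\t192.0.2.10\t40001\t50111\t\t\n"
    "192.0.2.10\t198.51.100.5\t\t\t50222\t40002\n"
)
INCOMING_SESSION = (
    "192.0.2.10\t198.51.100.5\t50333\t40001\t\t\n"
    "198.51.100.5\t192.0.2.10\t40001\t50333\t\t\n"
    "203.0.113.7\t192.0.2.10\t\t\t41000\t40003\n"
    "192.0.2.10\t203.0.113.7\t\t\t40003\t41000\n"
)

def flow_signatures(tshark_fields, local_ip=LOCAL_IP):
    """Return {(initiator, proto, service_port)} for the flows in a capture.

    The first packet seen for a flow decides who initiated it, so the
    capture must be started before the session is opened.
    """
    seen, signatures = set(), set()
    for line in tshark_fields.splitlines():
        parts = line.split("\t")
        if len(parts) != 6 or not parts[0]:
            continue  # non-IP packet or malformed row
        src, dst, tcp_s, tcp_d, udp_s, udp_d = parts
        if tcp_s and tcp_d:
            proto, sport, dport = "tcp", int(tcp_s), int(tcp_d)
        elif udp_s and udp_d:
            proto, sport, dport = "udp", int(udp_s), int(udp_d)
        else:
            continue  # neither TCP nor UDP
        key = (proto, frozenset([(src, sport), (dst, dport)]))
        if key in seen:
            continue  # later packet of a flow already classified
        seen.add(key)
        signatures.add(("local" if src == local_ip else "remote", proto, dport))
    return signatures

def incoming_only(incoming_capture, outgoing_capture, local_ip=LOCAL_IP):
    """Signatures seen while being controlled but not while controlling."""
    return sorted(flow_signatures(incoming_capture, local_ip)
                  - flow_signatures(outgoing_capture, local_ip))

if __name__ == "__main__":
    print(incoming_only(INCOMING_SESSION, OUTGOING_SESSION))
```

An empty result means the two sessions look the same at this level, so a port-based Windows Firewall rule cannot tell them apart.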