We have some 2862s with mobile access that we use to remotely support some industrial PCs using TeamViewer. I'd like to lock the 2862s so they can only be used for TeamViewer. I want to stop people occasionally accessing the internet (typically web browsing) and also stop access to Windows updates so the PCs don't restart at awkward times.
Unfortunately TeamViewer keep changing the IP addresses of their servers so I must rely on their TeamViewer.com domain name. TeamViewer uses outbound connections on TCP/UDP Port 5938, TCP on 443 and TCP on 80. The TeamViewer support site says "The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server."
I think I need a rule to block everything, preceded by some rules to permit access to the TeamViewer.com domain. I'm unsure how to permit access to TeamViewer.com for ports 5938, 443 and 80 when I don't know the IP address for the filter.
Any advice?
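The PTR-based restriction quoted above from TeamViewer's support site, combined with the ports listed in the post, sketched as an added example (not part of the original post, and not DrayTek or TeamViewer code). The function names are hypothetical, and the IP addresses and host names are constructed sample data from documentation ranges.

```python
import socket

ALLOWED_SUFFIX = "teamviewer.com"  # domain named in the quoted TeamViewer guidance
ALLOWED_PORTS = {("tcp", 5938), ("udp", 5938), ("tcp", 443), ("tcp", 80)}

def under_domain(hostname, suffix=ALLOWED_SUFFIX):
    """True for the domain itself or a subdomain, matched on a label boundary."""
    host = hostname.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)

def system_ptr(ip):
    """PTR names for ip from the system resolver ([] if there is no record)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(hostname):
    """Addresses hostname resolves to (empty set on lookup failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def allow(ip, proto, port, ptr=system_ptr, forward=system_forward):
    """Default-deny decision for one outbound connection."""
    if (proto.lower(), port) not in ALLOWED_PORTS:
        return False
    for name in ptr(ip):
        # PTR data is published by whoever holds the address block, so the
        # name must also resolve forward to the same IP before it is trusted.
        if under_domain(name) and ip in forward(name):
            return True
    return False

# Constructed sample data: documentation IP ranges and made-up host names.
SAMPLE_PTR = {
    "192.0.2.10": ["server1.teamviewer.com."],
    "198.51.100.7": ["teamviewer.com.example.net"],
    "203.0.113.5": ["router9.teamviewer.com"],  # PTR with no matching A record
}
SAMPLE_A = {"server1.teamviewer.com.": {"192.0.2.10"}}

def sample_allow(ip, proto, port):
    """Run allow() against the constructed records instead of live DNS."""
    return allow(ip, proto, port,
                 ptr=lambda a: SAMPLE_PTR.get(a, []),
                 forward=lambda h: SAMPLE_A.get(h, set()))
```

Against live DNS, call `allow()` without the `ptr` and `forward` arguments so the system resolver is used.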