How exactly does a remote program like Team Viewer work?

TeamViewer, LogMeIn and any other program that allows a zero config remote desktop session uses a third-party server.

For example, LogMeIn is a program similar to TeamViewer where you are able to remotely login to a computer outside of the network that you're currently on. You will notice that there are no external configurations required for this type of remote session. This is due to the fact that the software that you installed on the remote machine (the LogMeIn client) initiates an outgoing request to the LogMeIn servers. Since this client initiated the request, no port forwarding on the Firewall is required.

On your computer, outside of the network of the LogMeIn computer, can access this computer remotely through LogMeIn's website. This website accepts the initiated request from the remote computer and keeps the connection alive to listen for a remote session request.

When you run TeamViewer, you are assigned an ID on their broker server. You make a connection to a Teamviewer ID, and TeamViewer passes the connection down through the TeamViewer client's established tunnel to the destination and you then you are prompted for password and then the connection establishes afterwards.

Teamviewer uses port 80 to make a connection to a central server. If the connection is made, you get a unique ID, and the server knows you're online. All communication can happen over port 80 if other ports are blocked.

Teamviewer does allow you to connect directly to an IP-address. You have to set this in the options, to allow incoming LAN connections. This works for local networks, and probably for WAN networks as well, but then you have to get portforwarding working, to get port 80 to connect to the right computer behind the router/firewall. That makes things difficult for most people, and unmanageble for most of the rest, so then we use the Teamviewer ID method.

I don't know if this means that all traffic goes via the teamviewer servers, but it might. (And as it registers all clicks and keypresses, that probably means that they could - in theory - and since we know about PRISM etc probably in reality as well - know about all your logins and secret keys.)

This is what the company says in their Security Statement:

When establishing a session, TeamViewer determines the optimal type of connection. After the handshake through our master servers, a direct connection via UDP or TCP is established in 70% of all cases (even behind standard gateways, NATs and firewalls). The rest of the connections are routed through our highly redundant router network via TCP or https-tunnelling. You do not have to open any ports in order to work with TeamViewer!

As later described in the paragraph "Encryption and Authentication," not even we, as the operators of the routing servers, can read the encrypted data traffic

So:

• 1) as others have suggested, the initial connection from both clients is client-initiated and goes through port 80 so it has no problems with NAT or firewalls, can go through a web proxy, etc. After this, everything is set up and both clients need to be connected to each other, then:
• 2.1) probably uses UPnP or NAT hole punching to be able to do an actual connection between the two clients, or
• 2.2) if not possible it will route the traffic through their servers, which will be slower and could be spied on (however they state that the data is encrypted end to end, in that case that would not be a problem)