I’m looking at a permanent install of a Windows machine that runs a few digital signs. I want to achieve remote access and file upload to the Windows box, as well as accessing the internal web server of the displays on the same LAN. This LAN will be attached to a corporate network, but I would prefer if it did not have access to the internet. I’ll have to work with the IT department to get this happening, of course, but I’m hoping to go in prepped with potential solutions. Could anyone tell me if these ideas will work, or what I’m missing?
- VPN tunnel. This would be whichever VPN their IT supports. Would I be able to simply install the client on the Windows box and my machine, and then on my machine connect to the VPN, use TeamViewer in LAN mode for control of the Windows box, and a web browser for control of the displays? I’m assuming their IT would set up the upstream switch to only pass that VPN connection, so that the Windows box does not see the internet, and I cannot see their internal network.
- Some kind of IPMI/PiKVM solution. This would be a second computer, attached to the corporate network, but not to the signage LAN. It would just be a KVM for the Windows box. I would then dial into that via its web server, and control the Windows machine. The control for the displays would be accessed via a browser on the Windows machine. I like this solution, as it keeps the networks separate, but I think that uploading files will be a challenge.
- Or is there a better way?
Ask the IT department.
I would hope that they would be willing to help you out, instead of you punching security holes in their network.
Because otherwise it’s you putting an entry point inside their network that could then change digital signage or even escape the private network, which they would have very limited visibility or control over. Get them to make sure the network is isolated, and have them provide a VPN that has access to that network.
Ideally certificate-based authentication. Use some sort of VNC or even just Windows Remote Desktop to connect to the Windows machine. The displays are just web-browser accessed.
I’ll absolutely be asking the IT department. I was just hoping to come to them with a potential solution, rather than a problem.
What I would do in this scenario is give the Windows machine two network interfaces, and have the second interface connected to a little static network with just the signs and the Windows machine on it (i.e. no internet access). Then, you can access the Windows machine through TeamViewer or whatever. It’ll have access to the internet but the signs won’t be directly visible from the internet. And if someone from the internet is accessing your internal network to tamper with the signs via the Windows machine then you have bigger problems than them tampering with the signs.
Is it possible to keep the Windows machine off the internet as well, while still allowing TeamViewer access?
Why do you want to keep it off the internet, though? That’s going to make things more complex both in the setup and in the day-to-day operation. The example you listed of being difficult to upload files is one example. The only reason I can think of to do it that way would be for security but I’m not sure how much actual security benefit it would carry.
How about this? You could do the two-interface solution like I described, but have the internet-facing interface disabled most of the time. It could be disabled in Windows settings, so someone has to have physical access to the machine in order to re-enable it when you want to update the sign. Or it could be disabled at the switch / router level: just disable the port for that machine, and re-enable it temporarily any time you need remote access to the machine to do something, but in the steady state leave it on its own little disconnected network with only the machine and the signs, and no internet access anywhere.
Keeping it off the internet is just a security measure, as well as avoiding Windows updates. It looks pretty crummy having a Microsoft dialog box splashed all over your lovely signage.
I’m thinking your second option would be ideal. I just thought there might be a way to tunnel through the VPN over the internet, without actually letting the machine see the internet. Thanks very much for your help!
Aaah, got it. Right, depending on the version of Windows, keeping it off the internet permanently might make it less prone to doing random stuff. To me it’s highly unlikely that keeping it off the internet will increase security; there will be machines that are way more attractive targets for evildoers (because of the people on them doing stuff) and evil deeds that are way more dangerous than changing the signage. But if you just want to keep its configuration simple so the signs don’t mess up then that kind of makes sense to me.
I think I misunderstood your setup a little; I thought the signs were their own hardware with their own IP addresses. If they’re just screens of the Windows machine it’s a little simpler. You actually can set it up so that machine can see the LAN but never the internet, just by setting it with a static IP configuration with no gateway set. Then you have to VPN to some other machine on its network, and then hop from there to the local-LAN-only machine that’s hooked to the signs.
I actually forgot until just right now, but one time when I had this problem, I set up a Chromebox which was set to display a web page in full-screen mode, and used an extension which auto refreshed the page every few minutes, and then set up the web page to look exactly how I wanted it to (I used a Google Docs static export of a spreadsheet page, so I could automatically gather the right data from formulas and then futz around with the spacing and sizing and etc until it looked the way I wanted it to). You could do a similar thing, with a page that was served from some other place on your LAN. Then, the signage machine itself would never need to be accessed remotely or have any access to the internet; you could just unset the gateway, and periodically or automatically update the page that was getting served from the other machine without needing to touch the signage machine.
Anyway, good luck, hope all this gives you some ideas. Probably your IT department will have specific ideas how they want to set it up anyway, but going into it with things a little thought through might help, yes.
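Added example, not from anyone in this thread: a PowerShell script that puts the two suggestions above into practice on the Windows signage host, namely the "static IP with no gateway" configuration for the interface facing the signs, and optionally disabling the corporate-facing adapter outside the windows when remote access is needed. The adapter names "Signage" and "Uplink", the 192.168.50.0/24 subnet, and the display addresses are assumptions for illustration, not anything the thread states. It also verifies the outcome: no default route left on the host, and the displays' web UIs still reachable on the local subnet.

```powershell
# Added example (not from the thread): confine a Windows signage host to the
# local display LAN by giving its signage-facing NIC a static address with no
# default gateway, optionally disable the corporate uplink adapter, then verify.
# Assumptions (not from the thread): NIC facing the displays is "Signage", NIC
# facing the corporate network is "Uplink", subnet 192.168.50.0/24, displays at
# .21-.23 serving their control page on TCP/80. Run from an elevated PowerShell.

param(
    [string]$SignageAdapter = "Signage",
    [string]$UplinkAdapter  = "Uplink",
    [string]$HostAddress    = "192.168.50.10",
    [int]$PrefixLength      = 24,
    [string[]]$Displays     = @("192.168.50.21", "192.168.50.22", "192.168.50.23"),
    [switch]$DisableUplink
)

# 1. Static address on the signage interface, deliberately without -DefaultGateway:
#    with no default route on this interface the host cannot send traffic off its subnet.
Set-NetIPInterface -InterfaceAlias $SignageAdapter -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $SignageAdapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $SignageAdapter -IPAddress $HostAddress -PrefixLength $PrefixLength | Out-Null

# Drop any stale default route on that interface (e.g. left over from a DHCP lease).
Get-NetRoute -InterfaceAlias $SignageAdapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# No DNS server on the isolated interface either: nothing here should resolve public names.
Set-DnsClientServerAddress -InterfaceAlias $SignageAdapter -ResetServerAddresses

# 2. Optionally take the corporate-facing adapter down. Bring it back with
#    Enable-NetAdapter only for the window in which remote access is needed.
if ($DisableUplink) {
    Disable-NetAdapter -Name $UplinkAdapter -Confirm:$false
}

# 3. Verify: list every default route still present on the host, and check that
#    each display's web UI is still reachable on the local subnet.
$defaultRoutes = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue
if ($defaultRoutes) {
    Write-Host "Default routes still present (host can reach off-subnet networks):"
    $defaultRoutes | Format-Table InterfaceAlias, NextHop, RouteMetric -AutoSize
} else {
    Write-Host "No default route: host is confined to its directly attached subnets."
}

foreach ($d in $Displays) {
    $ok = (Test-NetConnection -ComputerName $d -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("Display {0} web UI reachable: {1}" -f $d, $ok)
}
```

Usage: `.\Confine-Signage.ps1` applies the no-gateway configuration only; `.\Confine-Signage.ps1 -DisableUplink` also disables the corporate-facing adapter, so the steady state is the disconnected island network the post describes. The verification step is the part worth keeping: if any default route is still listed (for instance one that the Uplink adapter contributes while it is enabled), the host is not actually confined, which is the case a reviewer from IT will want to see proven rather than assumed.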
Heh, the first Lemmy post I saw after checking your message: https://lemmy.today/post/4080156
I may have been a little unclear, but you got the idea about the setup. It’s actually both: the displays are their own hardware with their own IP, which I access for scheduling power and whatnot, but the image comes from the Windows machine.
Thanks again, I really like your idea about the main machine not having a gateway set. I’ll propose that to them, although if that requires another machine on that network, local to the signage, it starts to look like a PiKVM might be a simpler option.