Remote access to lan, isolated from the internet?
I'm looking at a permanent install of a Windows machine that runs a few digital signs. I want to achieve remote access and file upload to the Windows box, as well as accessing the internal web server of the displays on the same LAN. This LAN will be attached to a corporate network, but I would prefer if it did not have access to the internet. I'll have to work with the IT department to get this happening, of course, but I'm hoping to go in prepped with potential solutions. Could anyone tell me if these ideas will work, or what I'm missing?
- VPN tunnel. This would be whichever VPN their IT supports. Would I be able to simply install the client on the Windows box and my machine, and then on my machine connect to the VPN, use TeamViewer in LAN mode for control of the Windows box, and a web browser for control of the displays? I'm assuming their IT would set up the upstream switch to only pass that VPN connection, so that the Windows box does not see the internet, and I cannot see their internal network.
- Some kind of IPMI/PiKVM solution. This would be a second computer, attached to the corporate network, but not to the signage LAN. It would just be a KVM for the Windows box. I would then dial into that via its web server, and control the Windows machine. The control for the displays would be accessed via browser on the Windows machine. I like this solution, as it keeps the networks separate, but I think that uploading files will be a challenge.
- Or is there a better way?
What I would do in this scenario is give the Windows machine two network interfaces, and have the second interface connected to a little static network with just the signs and the Windows machine on it (i.e. no internet access). Then, you can access the Windows machine through TeamViewer or whatever. It'll have access to the internet but the signs won't be directly visible from the internet. And if someone from the internet is accessing your internal network to tamper with the signs via the Windows machine then you have bigger problems than them tampering with the signs.
Is it possible to keep the Windows machine off the internet as well, while still allowing TeamViewer access?
Why do you want to keep it off the internet, though? That's going to make things more complex both in the setup and in the day-to-day operation. The example you listed of being difficult to upload files is one example. The only reason I can think of to do it that way would be for security but I'm not sure how much actual security benefit it would carry.
How about this? You could do the two-interface solution like I described, but have the internet-facing interface disabled most of the time -- it could be disabled in Windows settings, so someone has to have physical access to the machine in order to re-enable it when you want to update the sign. Or, it could be disabled at the switch / router level: just disable the port for that machine, and re-enable it temporarily any time you need remote access to the machine to do something, but in the steady state leave it on its own little disconnected network with only the machine and the signs, and no internet access anywhere.
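The layout the two replies describe (a second NIC on an isolated static segment with the signs, the corporate-facing NIC disabled in Windows except during a maintenance window) can be scripted on the Windows box itself. The script below is an added example written for this thread, not code posted by anyone in it. The adapter names `Signage` and `Corporate`, the `192.168.250.0/24` sign subnet, port 3389 as the remote-access port and the 60-minute window are all assumptions; substitute whatever IT approves.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the thread. Implements the "two interfaces, corporate
  side normally disabled" layout the replies describe. Adapter names, the signage
  subnet, the remote-access port and the window length are all assumptions.
#>
param(
    [string]$SignageAdapter   = 'Signage',       # hypothetical name; see Get-NetAdapter
    [string]$CorporateAdapter = 'Corporate',     # hypothetical name
    [string]$SignageIp        = '192.168.250.1', # constructed isolated subnet
    [int]$SignagePrefix       = 24,
    [int]$RemotePort          = 3389,            # placeholder: whichever port IT approves
    [int]$WindowMinutes       = 60,
    [ValidateSet('Setup', 'OpenWindow', 'CloseWindow', 'Status')]
    [string]$Action = 'Status'
)

$TaskName = 'Signage-CloseRemoteWindow'

function Initialize-SignageNetwork {
    # Sign LAN: static address, no gateway, no DNS, so nothing on it can be routed out.
    Set-NetIPInterface -InterfaceAlias $SignageAdapter -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $SignageAdapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    New-NetIPAddress -InterfaceAlias $SignageAdapter -IPAddress $SignageIp -PrefixLength $SignagePrefix | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $SignageAdapter -ResetServerAddresses
    Set-NetConnectionProfile -InterfaceAlias $SignageAdapter -NetworkCategory Private

    # The box must never route between the two segments.
    Set-NetIPInterface -InterfaceAlias $SignageAdapter   -AddressFamily IPv4 -Forwarding Disabled
    Set-NetIPInterface -InterfaceAlias $CorporateAdapter -AddressFamily IPv4 -Forwarding Disabled

    # Firewall: inbound denied by default on every profile; allow only the remote-access
    # port, and only on the corporate adapter. (An explicit Block rule would override the
    # Allow rule, so the profile default action is what does the denying.)
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayName 'Signage-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Signage-AllowRemoteAccess' -Direction Inbound -Action Allow `
        -InterfaceAlias $CorporateAdapter -Protocol TCP -LocalPort $RemotePort | Out-Null
    # New outbound connections on the corporate adapter are refused, so even while the
    # window is open the box cannot reach the internet on its own. Inbound sessions still
    # work because the firewall is stateful. A dial-out tool would need its own Allow rule.
    New-NetFirewallRule -DisplayName 'Signage-BlockOutboundCorporate' -Direction Outbound -Action Block `
        -InterfaceAlias $CorporateAdapter | Out-Null

    Close-RemoteWindow
}

function Open-RemoteWindow {
    Enable-NetAdapter -Name $CorporateAdapter -Confirm:$false
    # Self-closing window: a one-shot SYSTEM task re-runs this script with CloseWindow,
    # so a forgotten session does not leave the corporate side up indefinitely.
    $scriptPath = $PSCommandPath
    $taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -Action CloseWindow -CorporateAdapter `"$CorporateAdapter`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($WindowMinutes)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $taskAction -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Host "Corporate adapter enabled; it will be disabled automatically in $WindowMinutes minutes."
}

function Close-RemoteWindow {
    Disable-NetAdapter -Name $CorporateAdapter -Confirm:$false
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
}

function Show-Status {
    Get-NetAdapter -Name $SignageAdapter, $CorporateAdapter | Format-Table Name, Status, LinkSpeed
    # With the corporate adapter down there must be no default route at all.
    $default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($default) { Write-Warning "Default route present via $($default.InterfaceAlias -join ', ')" }
    else          { Write-Host 'No default route: the box is isolated from the internet.' }
}

switch ($Action) {
    'Setup'       { Initialize-SignageNetwork }
    'OpenWindow'  { Open-RemoteWindow }
    'CloseWindow' { Close-RemoteWindow }
    'Status'      { Show-Status }
}
```

Run it once as `.\signage-net.ps1 -Action Setup` from the console (the setup ends by disabling the corporate adapter, so do not run it over the very connection it will cut), then `-Action OpenWindow` before each maintenance session and `-Action Status` to confirm the steady state. The `Status` check is the one worth repeating: the absence of a `0.0.0.0/0` route is the simplest evidence that the box has no path to the internet, and the firewall rules mean that even during an open window only the one inbound port on the corporate side is reachable and the signs' web servers stay confined to the isolated segment.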