Scala Media Players

Page tree
Skip to end of metadata
Go to start of metadata


TightVNC Incoming Traffic Rule - Network Must Be Private

Scala Media Player Windows® images dated after June 2, 2020 adhere to the Windows firewall network connection rule for TightVNC so that TightVNC connections are permitted only on private networks. If the network that your player uses is public and you want to set up a TightVNC connection, you will need to change the network connection from public to private. 

If you are allowing your player to run on a public network, we recommend that you use a reverse VNC connection to remotely access your player. For more information about setting up a reverse VNC connection, see Reverse-VNC on this page.

Changing the TightVNC Incoming Traffic Rule

While the TightVNC incoming traffic rule can be changed to permit connections on all network profiles, we advise that you avoid untrusted, public networks.

CommandDescription
netsh advfirewall firewall set rule name="TightVNC" new profile=anyPermits all network connection profiles.
netsh advfirewall firewall set rule name="TightVNC" new profile=privatePermits private network connection profiles only.
netsh advfirewall show rule name="TightVNC"Use to verify the current setting for TightVNC.

Setting a Player's Network to Private

There are four different ways that you can set a player's network as private:

  • Using the Windows user interface
  • Using WIndows PowerShell
  • Using the Registry Editor
  • By editing the local security policy

Step-by-step instructions for each of the four options are provided below.

Setting a Player's Network to Private Using the Windows User Interface

To use the Windows GUI to change the network connection, click the network dialog that appears at the bottom, left of the screen next to the task bar.

The Ethernet page appears.

Click the Network name to access the Network profile.

Select the Private radio button under the Network Profile heading.

Setting a Player's Network to Private Using Windows PowerShell

To view the current status of your network connection using the Windows PowerShell, use the following command:

Get-NetConnectionProfile

To change the connection status of your network connection to private using Windows PowerShell, use the following command:

Set-NetConnectionProfile -Name "[network name]" -NetworkCategory Private

Setting a Player's Network to Private Using by Editing the Registry (REGEDIT)

  1. Open the registry editor.
  2. Navigate to HKEY_LOCALMACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.
  3. Select the profile and change the Category from 0 (public) to 1 (private).

Setting a Player's Network to Private by Editing the Local Security Policy/GPEDIT.MSC or SecPol.MSC

  1. To change the connection status using the Local Security Policy, find the Local Security Policy application on your Windows machine.
  2. Click the Network List Manager Policies folder under the Security Settings panel on the left side of the dialog.
  3. Click the name of the network, in the Network List Manager Policies pane, on the right side of the dialog.

    The network Properties dialog appears.
  4. In the Location Type section, click the Private radio button.
  5. Click the Apply button and then the OK button.
    The new network Location Type is saved.

Reverse-VNC

A reverse-VNC connection is when the remote VNC server service will call back to a listening VNC-Viewer that has been configured to be in Remote-Connection-Listening mode.

Use Reverse-VNC to connect to players when:

  • The Windows Firewall does not permit incoming connections 
  • Players that receive their IPv4 addresses via DHCP or are behind an external Firewall/Network Address Translation (FW-NAT)

Use a Content Manager maintenance job to send commands to a remote player which will initiate a Reverse-VNC connection.

For networks where there can be a need for the Network Administrators to have multiple simultaneous sessions, it is possible to configure several listening VNC-Viewers on any given administrative workstation with each VNC-Viewer listening for remote connections on its own unique TCP-Port.  

In addition, NAT-TCP-redirection/Port-Forwarding can be utilized so that reverse VNC Content Manager maintenance jobs can be targeted to listening VNC-Viewer on multiple Admin-PC’s.

Example

The following example assumes a basic internal private IPv4 network of the 192.168.x.x, 254 internal addresses, range--such as: TCP port 55123,  for Jim's Workstation with IP#: 192.168.1.123, 55124, where the ### is the last octet of the Support/Admin PC and the VNC Viewer is launched at OS-Startup in "Listen Mode" on TCP-Port 5500.

Reverse VNC NAT-TCP-Port redirection rule:

Jim is going to need a static internal IP#, e.g.: 192.168.1.123, allocated and a rVNC FW-NAT TCP-port redirection/forwarding rule:

public.ip.wan.interface::55123  --> 192.168.1.123:5500

With a DNS CNAME & "separate interface alias" on the Router Public interface for this type of access--such as "reverse-vnc.customer-network.com."

reverse-vnc.customer-network.com:55123 -> 192.168.1.123:5500

Scala Enterprise Content Manager, player maintenance job for Reverse-VNC requests to a network operations center administrative workstation. For example, name the maintenance job:

ReversePlayerVNC55123-JimAtExton 

Which contains the RunCommand:

"C:\Program Files\TightVNC\tvnserver.exe -controlservice -connectreverse-vnc.customer-network.com:55123" ; Don'tWaitForCompletion .

Example Uses of OpenSSH for Security Tunneling Remote Connections

An SSH-client such as PuTTY, the Microsoft OpenSSH client, or the SSH client in Mac OS or Linux, etc. can be employed to securely access your Scala Media Player over public, untrusted networks.
Utilities and protocols such as secure copy (SCP), VNC, and RDP can be tunneled within an established SSH-connection.
To tunnel a "VNC" remote session within an SSH connection from the Administrative PC Workstation using PuTTY use the following command:

putty -ssh scala@ cm-svr-ip.addr.or.plyr-fdqn:5900

This will permit a VNC client to remotely connect to the remote Player device by addressing "localhost:59169" on the administrative workstation.
Use the following variation with the Microsoft OpenSSH client:

ssh scala@plyr-ip.addr.or.plyr-fqdn -p 22022 -L 59169:plyr-ip.addr.or.plyr-fqdn:5900

To establish a "Remote Desktop Protocol Connection":


ssh scala@plyr-ip.addr.or.plyr-fqdn -p 22022 -L 33169:plyr-ip.addr.or.plyr-fqdn:3389

This will permit a Remote Desktop client to establish a secure remote viewing session the Player device by connecting to "localhost:33169" on the Administrative PC.



Related Topics:



  • No labels