VNC in the Browser: HMI Remote Access Without a Client
Timo Wevelsiep • Updated: 30.06.2026
Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.
VNC in the browser means you see and operate the screen of a remote HMI or operator panel directly in a normal browser tab, with no locally installed VNC viewer. Technically, VNC uses the RFB protocol to transmit only pixel rectangles of the screen; a gateway like Apache Guacamole turns that stream into HTML5. Because VNC ships unencrypted, this access must never face the internet directly. It belongs behind a tunneled, auditable path: WireGuard site connectivity plus Guacamole over TLS.
What Is VNC? RFB Protocol and Pixel Transfer
VNC (Virtual Network Computing) is built on the RFB protocol ("Remote Framebuffer"), standardized as RFC 6143. The display model is deliberately simple: the single graphics primitive is "place a rectangle of pixel data at position x,y". A sequence of such rectangles makes a framebuffer update. The server holds the screen state, the client (viewer) requests updates and sends mouse and keyboard input back.
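The display model described above, as an added example that is not part of the original article: a parser that applies one FramebufferUpdate message to a local framebuffer. It assumes a 32-bit pixel format and handles only the Raw encoding; the function names and the sample message are constructed for illustration.

```python
import struct

def apply_framebuffer_update(msg: bytes, fb: bytearray, fb_width: int, bpp: int = 4):
    """Paint the Raw-encoded rectangles of one FramebufferUpdate
    (RFC 6143, section 7.6.1) into fb; return the (x, y, w, h) list."""
    msg_type, n_rects = struct.unpack_from(">BxH", msg, 0)  # type, padding, count
    if msg_type != 0:
        raise ValueError("not a FramebufferUpdate message")
    fb_height = len(fb) // (fb_width * bpp)
    off, rects = 4, []
    for _ in range(n_rects):
        # Rectangle header: x, y, width, height (U16 each), encoding (S32).
        x, y, w, h, enc = struct.unpack_from(">HHHHi", msg, off)
        off += 12
        if enc != 0:
            raise ValueError(f"encoding {enc} is not handled here (Raw only)")
        # Never trust sizes from the wire: check bounds before copying.
        if x + w > fb_width or y + h > fb_height:
            raise ValueError("rectangle lies outside the framebuffer")
        row_len = w * bpp
        if off + row_len * h > len(msg):
            raise ValueError("pixel data is truncated")
        for row in range(h):
            dst = ((y + row) * fb_width + x) * bpp
            fb[dst:dst + row_len] = msg[off:off + row_len]
            off += row_len
        rects.append((x, y, w, h))
    return rects

def demo():
    """Constructed input: a 4x3 screen and one 2x1 rectangle at (1, 1)."""
    fb = bytearray(4 * 3 * 4)
    msg = (struct.pack(">BxH", 0, 1)
           + struct.pack(">HHHHi", 1, 1, 2, 1, 0)
           + bytes.fromhex("11223300") * 2)
    return apply_framebuffer_update(msg, fb, fb_width=4), fb

if __name__ == "__main__":
    rects, fb = demo()
    print(rects, fb.hex())
```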
A VNC server listens on TCP port 5900 by default; with multiple displays it uses 5900+N (display :1 = 5901, and so on), analogous to X11 on 6000+N. Because RFB only transfers pixels and knows nothing about the applications behind them, it is independent of the operating system. That is exactly why VNC runs on Windows PCs, Linux servers and embedded HMI panels alike - a key reason for its prevalence in industry.
VNC in the Browser: Apache Guacamole as a Clientless Gateway
Apache Guacamole is an open-source, clientless remote desktop gateway. The current version 1.6.0 (released 2025-06-22) translates VNC, RDP and SSH into the Guacamole protocol, which the browser renders using HTML5 Canvas and WebSockets. The endpoint runs only the browser - no VNC viewer, no plug-in, no Java.
The flow: the technician signs in to the Guacamole web portal, picks the connection to the machine, and Guacamole opens the VNC session on port 5900 server-side. The screen arrives as an HTML5 stream in the tab, and input travels the same way back. Sessions can be recorded and, since version 1.5.0, played back directly in the browser (previously this required the command-line tool guacenc) - useful for audit, troubleshooting and training.
HMI and SCADA Remote Access via VNC (Siemens, B&R, Beckhoff, AVEVA)
VNC is a de facto standard for panel access in machine and plant engineering. Siemens Comfort Panels expose a VNC server on port 5900 through the built-in Sm@rtServer. Operator panels and industrial PCs from B&R and Beckhoff (CE and TwinCAT HMI panels) as well as HMI/SCADA software such as AVEVA also ship with or support VNC access. Through Guacamole the service technician sees the exact panel screen in the browser, as if standing in front of the machine - including operation, where that has been authorized.
This is especially valuable for distributed sites: instead of travelling to each plant or maintaining a VNC client plus VPN on every laptop, one central portal is enough. Multiple sites, service partners and shifts all connect through the same controlled surface.
Why No Client Setup Is Needed
With classic VNC, every service device needs a viewer installed, configured and kept up to date - plus a VPN client for network access. That scales poorly across many technicians, subcontractors and sites and breeds unmanageable shadow IT. The browser-based approach moves the protocol logic to the server: the browser only needs HTTPS. Onboarding a new technician then means create user, assign role, done - and revoking access is a single click instead of a device tour. More on this in remote maintenance without a VPN client.
Security: VNC Is Unencrypted - Never Expose It to the Internet
The key point: the base RFB protocol encrypts nothing. Screen contents, keystrokes and the credentials of classic VNC authentication, which are only weakly protected, all travel in clear text. An open port 5900 on the internet is an entry point - automated scanning services find such hosts within minutes.
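For auditing panels inside your own OT segment, the following added example (not code from the original article) decodes the server side of an RFB handshake and reports which security types a VNC server offers. The function name and the sample byte strings are constructed; type numbers follow RFC 6143, section 7.1.2.

```python
import struct

# Security types named in RFC 6143, section 7.1.2; other numbers are
# extensions and are reported by number only.
NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_server_handshake(stream: bytes) -> dict:
    """Decode ProtocolVersion and the security-type offer from the
    server-to-client bytes of an RFB handshake."""
    if len(stream) < 12 or stream[:4] != b"RFB " or stream[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(stream[4:7].decode()), int(stream[8:11].decode()))
    body = stream[12:]
    if version < (3, 7):
        # RFB 3.3: the server dictates one type as a 32-bit integer.
        if len(body) < 4:
            raise ValueError("truncated security type")
        offered = [struct.unpack_from(">I", body)[0]]
    else:
        # RFB 3.7/3.8: U8 count followed by that many U8 type codes.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        offered = list(body[1:1 + body[0]])
    findings = []
    if 1 in offered:
        findings.append("type 1 (None): session opens without any authentication")
    if 2 in offered:
        findings.append("type 2 (VNC Authentication): DES challenge-response only, "
                        "traffic after login is not encrypted")
    for t in offered:
        if t not in NAMES:
            findings.append(f"type {t}: extension outside RFC 6143's base types, "
                            "check vendor docs")
    return {"version": version, "offered": offered, "findings": findings}

# Constructed samples (server-to-client direction only, not real captures).
SAMPLE_38 = b"RFB 003.008\n" + bytes([2, 1, 2])
SAMPLE_33 = b"RFB 003.003\n" + struct.pack(">I", 2)

if __name__ == "__main__":
    for sample in (SAMPLE_38, SAMPLE_33):
        print(parse_server_handshake(sample))
```

A panel that offers type 1 or type 2 is the case the tunneled path is meant to contain.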
VNC is secured correctly only through a tunneled path:
- Tunnel the transport: WireGuard site connectivity connects the plant site to the platform with encryption. VNC never leaves the local OT network in clear text.
- Access via a TLS portal: Guacamole is reachable only over HTTPS/TLS, ideally with multi-factor authentication. Port 5900 stays in the internal segment.
- Never expose it directly: no VNC port on the internet, no port forwarding on the plant router.
This matches the logic of IEC 62443 (zones and conduits): remote access terminates on a controlled jump host or access broker in an OT DMZ, not directly on the machine. For many operators, secure, logged remote access is now a regulatory matter too: Germany's NIS2 implementation act (NIS2UmsuCG) entered into force on 2025-12-06; the original BSI registration deadline passed on 2026-03-06, and the BSI granted a grace period until 2026-07-31 because too few entities had registered. This article is general information and not legal advice.
Latency and Performance: VNC Over a WAN
Because VNC transmits only changed pixel rectangles and uses encodings such as Tight or ZRLE for compression, it is very bandwidth-friendly with static HMI screens - ideal for sites on mobile or DSL links. Video, scrolling lists or live trend charts increase the data volume noticeably. In practice, round-trip latency dominates how responsive operation feels: a well-placed gateway near the plant and the direct WireGuard path keep reaction times low, so operation feels fluid. For pure diagnosis and acknowledgement a low frame rate is often enough; for active engineering work it pays to set the encoding deliberately for low latency rather than maximum compression.
VNC or RDP? When to Use Which
| Criterion | VNC (RFB) | RDP |
|---|---|---|
| Model | pixel/framebuffer transfer | semantic desktop protocol |
| Platform | OS independent, ideal for HMI/embedded/Linux | primarily Windows |
| Typical use | HMI panels, operator devices, "see what is on screen" | Windows engineering stations, servers |
| Bandwidth | very economical with static screens | efficient, but Windows-centric |
| Multi-user | usually mirrors the same session | true separate sessions possible |
| Extra features | minimal | audio, printer/USB redirection, multi-monitor |
Rule of thumb: for viewing an HMI panel or an embedded operator device, VNC is the natural choice. For a full Windows engineering station, RDP is usually more comfortable. Both run through the same Guacamole portal - you choose per connection, not per platform.
In Practice at WZ-IT: Central, Auditable Browser Access
We build remote management platforms where VNC and RDP access is bundled through a single browser portal: WireGuard connects the sites, Guacamole serves access over TLS, and every session is role-based authorized and logged. For ABCO Water Systems in Australia we run exactly this kind of remote access to distributed plants - no individual VPN clients, with a central audit trail.
Want to centralize and secure HMI remote access properly? Book a free initial consultation.
Frequently Asked Questions
Answers to the most important questions
VNC (Virtual Network Computing) is built on the RFB protocol (Remote Framebuffer, RFC 6143). It transmits the screen as a sequence of pixel rectangles ('place a rectangle of pixel data at position x,y') and sends mouse and keyboard input back. Because it only moves pixels, VNC is operating-system independent.
Yes. A clientless gateway such as Apache Guacamole opens the VNC session server-side and renders the screen in a normal browser tab using HTML5 (Canvas and WebSockets). The endpoint needs no VNC viewer and no plug-in, just an up-to-date browser.
No. The base RFB protocol encrypts neither the screen contents nor input or credentials - everything travels in clear text. VNC must therefore never face the internet directly; it should only be reachable over a tunneled connection (for example WireGuard) and a TLS portal.
TCP port 5900 by default. With multiple displays the server counts up: display :1 uses 5901, :2 uses 5902 and so on (5900+N), analogous to X11 on 6000+N.
Yes. Siemens Comfort Panels expose a VNC server on port 5900 via the built-in Sm@rtServer. Operator panels from B&R and Beckhoff as well as HMI/SCADA software such as AVEVA also ship with or support VNC access.
For viewing an HMI panel or embedded operator device, VNC is the natural choice because it only moves pixels and is OS independent. For a full Windows engineering station, RDP is usually more comfortable (audio, printer/USB redirection, true multi-user sessions). Both run through the same Guacamole portal.
Never directly: connect the site over an encrypted WireGuard tunnel, expose access only through a Guacamole portal with TLS and MFA, and keep port 5900 inside the internal OT segment. The result is central, role-based, logged access instead of open ports.