Introduction
Windows Remote Management (WinRM) is a built-in Windows protocol that enables users to connect remotely to another system and execute commands. It uses the Simple Object Access Protocol (SOAP) to connect to the remote system. WinRM is pre-installed on all new Windows OS versions. However, users must enable the WinRM service and open its ports to outside traffic before it can be used.
NSGs
To allow remote connections through WinRM, users need to add specific ports to the inbound list of their Network Security Group (NSG). The required ports are 5985 for HTTP and 5986 for HTTPS. No WinRM listener is configured by default, so until one is created the WS-Management protocol can neither receive nor send request data.
Quick configuration
To set up the default configuration for remote management, users can enable the WS-Management protocol on the virtual machine or local system with the command “Enable-PSRemoting -force”.
    Enable-PSRemoting -force
Add Firewall Rules to the Server VM
To add rules for HTTP and HTTPS in the firewall, users can run the following commands:
    # For HTTP
    netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow

    # For HTTPS
    netsh advfirewall firewall add rule name="WinRM-HTTPS" dir=in localport=5986 protocol=TCP action=allow
Verify Default listener
After configuring the firewall, users can verify the default listener with the command “winrm e winrm/config/listener”. If the output shows only an HTTP listener, users need to add a listener for HTTPS later on.

    winrm e winrm/config/listener
Add Self-Signed Certificate
Before adding the listener for HTTPS, we need to create a self-signed certificate and get its thumbprint. The thumbprint of the certificate will be used to register the listener in WinRM.
Open PowerShell in administrator mode and run this command:

    $cert = New-SelfSignedCertificate -DnsName "<DNS or IP>" -CertStoreLocation cert:\LocalMachine\My

Here, DNS is the DNS name of your virtual machine.
Add HTTPS Listener
Run the command below to add the HTTPS listener for WinRM:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"<DNS_Name or IP>`";CertificateThumbprint=`"$($cert.ThumbPrint)`"}"

Here, Hostname is the DNS name for the VM.
CertificateThumbprint is the thumbprint of the certificate created in the previous step.
Validate HTTPS Listener
We can validate the WinRM listeners after adding the HTTPS listener. Two listeners are now shown, because a new HTTPS listener has been added alongside the default HTTP one.
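One way to script this validation, as an added example that is not part of the original page: it enumerates the listeners, flags any plain-HTTP listener, and checks that the HTTPS listener's thumbprint resolves to an unexpired certificate in LocalMachine\My whose DNS names include the listener hostname. The function name Test-WinRMListener and the Status values are hypothetical; run it in an elevated PowerShell on the server.

```powershell
# Added example (not from the original page): audit the local WinRM listeners.
# Assumption: the HTTPS certificate is in Cert:\LocalMachine\My, as in the steps above.
function Test-WinRMListener {
    $listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate
    foreach ($l in $listeners) {
        $finding = [ordered]@{
            Transport = $l.Transport
            Port      = $l.Port
            Hostname  = $l.Hostname
            Status    = 'OK'
            Detail    = ''
        }
        if ($l.Transport -eq 'HTTP') {
            $finding.Status = 'Review'
            $finding.Detail = 'Plain HTTP listener; remove it or close 5985 once HTTPS works'
        }
        else {
            # Thumbprints may be stored with spaces; normalise before the lookup.
            $thumb = ($l.CertificateThumbprint -replace '\s', '').ToUpper()
            # Guard against an empty thumbprint, which would resolve to the store itself.
            $cert = if ($thumb) {
                Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
            }
            if (-not $cert) {
                $finding.Status = 'Broken'
                $finding.Detail = "No certificate with thumbprint '$thumb' in LocalMachine\My"
            }
            elseif ($cert.NotAfter -lt (Get-Date)) {
                $finding.Status = 'Broken'
                $finding.Detail = "Certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
            }
            elseif ($cert.DnsNameList.Unicode -notcontains $l.Hostname) {
                $finding.Status = 'Review'
                $finding.Detail = 'Listener hostname is not among the certificate DNS names'
            }
            else {
                $finding.Detail = "Certificate valid until $($cert.NotAfter.ToString('yyyy-MM-dd'))"
            }
        }
        [pscustomobject]$finding
    }
}

Test-WinRMListener | Format-Table -AutoSize
```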
Verify HTTPS Connection and execute command remotely
    # Create session (username and password below are placeholders)
    $username = 'username_vm'
    $password = 'password_vm'
    # -SkipCACheck: the certificate is self-signed, so the client does not verify its issuing CA
    $pso = New-PSSessionOption -SkipCACheck
    $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
    $credentials = New-Object System.Management.Automation.PSCredential($username, $secpassword)
    # -UseSSL connects to the HTTPS listener on port 5986
    $session = New-PSSession -ComputerName dbjoe1.uksouth.cloudapp.azure.com -UseSSL -SessionOption $pso -Credential $credentials
    # Run a command on the remote machine through the session
    Invoke-Command -Session $session -ScriptBlock {New-Item -ItemType directory -Path C:\TestPackage -force}