- Check whether the WinRM service is running
- Create the HTTPS listener
- Add a firewall exception
- Validate the HTTPS listener
- Verify you can connect to the machine via HTTPS
Check whether WinRM service is running
WinRM is installed by default on all supported Windows machines. Ensure that the service is in the Running state:
Get-Service -Name winrm
Status   Name   DisplayName
------   ----   -----------
Running  winrm  Windows Remote Management
Create HTTPS listener
By default, when you run the winrm quickconfig command, WinRM is configured only for HTTP (port 5985). You can check the listeners that are already registered by running the following command:
WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1, fe80::8d60:91fb:e11f:d27c%12
To enable HTTPS for WinRM, you need to open port 5986 and add an HTTPS listener on the target machine. Before doing that, you first need to create a self-signed certificate and get its thumbprint. To create a self-signed certificate, you can use either the makecert command or the New-SelfSignedCertificate PowerShell cmdlet.
New-SelfSignedCertificate -DnsName "YOUR_DNS_NAME" -CertStoreLocation Cert:\LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                                Subject
542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB  CN=YOUR_DNS_NAME
Copy the thumbprint to the clipboard and run the following command.
This command will register the HTTPS listener in WinRM:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="YOUR_DNS_NAME"; CertificateThumbprint="COPIED_CERTIFICATE_THUMBPRINT"}'
Add firewall exception
Add an exception to your firewall to allow inbound port 5986 traffic at the target machine.
Validate HTTPS listener
You can verify the listener you added by running the same command you used above:
WinRM e winrm/config/listener
This will now show the new HTTPS listener along with the previous HTTP listener.
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1, fe80::8d60:91fb:e11f:d27c%12
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = YOUR_DNS_NAME
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 542DAFF8F021FC3D1EF3678543D89ACFE10A1ADB
    ListeningOn = xx.xx.xx.xx, 127.0.0.1, ::1
Verify you can connect to the machine via HTTPS
You are done with your WinRM configuration, and now you need to verify that you can connect using HTTPS. Run the following commands in a PowerShell window as Administrator:
$hostName = "YOUR_DNS_NAME"
$winrmPort = "5986"
# Get the credentials of the machine
$cred = Get-Credential
# Connect to the machine; -SkipCACheck skips the trusted-CA check because the certificate is self-signed
$soptions = New-PSSessionOption -SkipCACheck
Enter-PSSession -ComputerName $hostName -Port $winrmPort -Credential $cred -SessionOption $soptions -UseSSL
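The server-side steps above (service check, certificate, listener, firewall rule, validation) combined into one script that is safe to re-run; this is an added example, not code from the original post. It uses the New-WSManInstance and New-NetFirewallRule cmdlets in place of winrm.exe, and the firewall rule name is a hypothetical choice.

```powershell
#Requires -RunAsAdministrator
# Added example: server-side WinRM-over-HTTPS setup, safe to re-run.
$dnsName  = 'YOUR_DNS_NAME'            # placeholder used in the article
$ruleName = 'WinRM HTTPS (TCP 5986)'   # hypothetical firewall rule display name

# 1. Make sure the WinRM service is running.
if ((Get-Service -Name WinRM).Status -ne 'Running') { Start-Service -Name WinRM }

# 2. Reuse an unexpired certificate for this name, or create a self-signed one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My
}

# 3. Create the HTTPS listener only if none is registered yet.
$https = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
if (-not $https) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $dnsName; CertificateThumbprint = $cert.Thumbprint } | Out-Null
}

# 4. Allow inbound TCP 5986 through Windows Firewall (once).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
}

# 5. Validate: the listener must point at a certificate that exists in the
#    machine store, has a private key and has not expired.
$https = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } | Select-Object -First 1
$bound = Get-Item "Cert:\LocalMachine\My\$($https.CertificateThumbprint)" -ErrorAction Stop
if (-not $bound.HasPrivateKey -or $bound.NotAfter -le (Get-Date)) {
    throw "HTTPS listener is bound to an unusable certificate: $($bound.Thumbprint)"
}
[pscustomobject]@{
    Hostname   = $https.Hostname
    Port       = $https.Port
    Thumbprint = $bound.Thumbprint
    Expires    = $bound.NotAfter
}
```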