Configure WinRM for HTTPS manually
Configuring WinRM for HTTPS involves the following steps:
- Check whether WinRM service is running
- Create HTTPS listener
- Add firewall exception
- Validate HTTPS listener
Check whether WinRM service is running
Get-Service WinRM

PS C:\Users\wintel> Get-Service WinRM

Status   Name               DisplayName
------   ----               -----------
Running  WinRM              Windows Remote Management (WS-Manag...

If the WinRM service is not running, configure it first with winrm quickconfig. The first time WinRM is configured it starts the service, creates an HTTP listener on port 5985 (plaintext WS-Management) and opens the matching firewall rule; the HTTPS listener on 5986 has to be added separately, which is what the rest of this page does.
Check the listeners that are already registered by running the following command:

PS C:\Users\Administrator> WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.20.20.1, ::1, fe80::5efe:172.20.20.1%15, fe80::d071:b058:c541:a212%12
Create HTTPS listener
To create an HTTPS listener you need a server-authentication certificate, with its private key, in the computer's personal store (Cert:\LocalMachine\My). The subject CN or a SAN entry of that certificate must be the exact name clients will connect to, otherwise the client-side hostname check fails (see the error at the end of this page).
Obtain the SSL certificate from one of these sources:
- A public certificate authority (e.g. Verisign)
- Active Directory Certificate Services
- Self-signed (lab use only, not to be used in production)
Copy the certificate's thumbprint from the store, then run the following command to create the HTTPS listener. The Hostname value must match the certificate.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}

C:\>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="vc01.winadmin.org";CertificateThumbprint="9a20b7dab60933e3ce2ba6fddc02025dcdb83558"}
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS
Add firewall exception
You can add the firewall exception either from the command line or with the GUI tool. The rule below allows TCP 5986 from any source address; where possible, scope it to your management network with remoteip=<subnet> so that the management port is not exposed to every host that can reach the machine.
Via command
# Add a new firewall rule
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986

Using the Windows Firewall with Advanced Security GUI tool:
- Open Windows Firewall with Advanced Security and click New Rule.
- Select Port.
- Under Specific local ports, enter 5986.
- Select Allow the connection.
- Select whichever profiles are required.
- Give the rule a name and click Finish.
Now check the WinRM listeners again. The output should be as follows, with a second listener for Transport = HTTPS on port 5986 bound to the certificate thumbprint you supplied.

C:\>WinRM e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 172.20.20.2, 192.168.20.2, ::1, fe80::5efe:172.20.20.2%17, fe80::5efe:192.168.20.2%16, fe80::1c21:cbdc:66d9:967%12, fe80::4d34:b19b:402c:ae3a%13

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = vc01.winadmin.org
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 9a20b7dab60933e3ce2ba6fddc02025dcdb83558
    ListeningOn = 127.0.0.1, 172.20.20.2, 192.168.20.2, ::1, fe80::5efe:172.20.20.2%17, fe80::5efe:192.168.20.2%16, fe80::1c21:cbdc:66d9:967%12, fe80::4d34:b19b:402c:ae3a%13
Verify you can connect to the machine via HTTPS
PS C:\Users\Administrator> Enter-PSSession -Cn vc01.winadmin.org -UseSSL
[vc01.winadmin.org]: PS C:\Users\wintel\Documents>

If you give only the short host name, the connection fails: the client compares the name it was asked to connect to against the CN (or SAN) in the server certificate, and vc01 does not match vc01.winadmin.org. The fix is to connect with the name the certificate was issued for, not to disable the check (for example with -SkipCNCheck in a session option), which would leave the session open to a substituted certificate.

PS C:\Users\Administrator> Enter-PSSession -Cn vc01 -UseSSL
Enter-PSSession : Connecting to remote server vc01 failed with the following error message : The server certificate on the destination computer (vc01:5986) has the following errors:
The SSL certificate contains a common name (CN) that does not match the hostname. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -Cn vc01 -UseSSL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (vc01:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
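The whole procedure above (service check, certificate, HTTPS listener, firewall rule, validation) can be scripted so that it is repeatable and so that the certificate/hostname mismatch is caught before the listener is created rather than at first connection. The script below is an added example and is not part of the original article; it reuses the article's FQDN vc01.winadmin.org and assumes a management subnet of 172.20.20.0/24 for the firewall scope, which is a choice for illustration. The self-signed fallback is for a lab only.

```powershell
# Added example (not from the original article): configure a WinRM HTTPS
# listener end to end and verify it. Run in an elevated PowerShell session.
# Assumptions: the FQDN below is the name clients will use (from the article),
# and 172.20.20.0/24 is the only network allowed to reach port 5986.
#Requires -RunAsAdministrator
$Fqdn       = 'vc01.winadmin.org'
$MgmtSubnet = '172.20.20.0/24'      # assumption: management network

# 1. Make sure the service is running. quickconfig only sets up HTTP/5985.
if ((Get-Service WinRM).Status -ne 'Running') {
    winrm quickconfig -quiet
}

# 2. Pick a server-auth certificate with a private key whose SAN/CN covers
#    the FQDN. Fall back to a self-signed certificate (lab only; use AD CS or
#    a public CA in production).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.DnsNameList.Unicode -contains $Fqdn -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
$selfSigned = $false
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
    $selfSigned = $true
    # Lab only: trust our own certificate so the local Test-WSMan below passes.
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $root.Open('ReadWrite'); $root.Add($cert); $root.Close()
}
# Guard against the CN-mismatch error shown above before binding the listener.
if ($cert.DnsNameList.Unicode -notcontains $Fqdn) {
    throw "Certificate $($cert.Thumbprint) does not cover $Fqdn"
}

# 3. Create the HTTPS listener (equivalent of 'winrm create ... Transport=HTTPS').
$httpsListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $httpsListener) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -Hostname $Fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    $httpsListener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
}

# 4. Firewall: allow TCP 5986 inbound, scoped to the management subnet instead
#    of the any-source rule used in the netsh example.
$ruleName = 'Windows Remote Management (HTTPS-In)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -RemoteAddress $MgmtSubnet -Action Allow `
        -Profile Domain, Private | Out-Null
}

# 5. Validate: the HTTPS listener must be bound to the chosen certificate, and a
#    TLS handshake against the FQDN must succeed. Using the short name 'vc01'
#    here would fail with the CN-mismatch error shown above.
$boundThumb = (Get-ChildItem "WSMan:\localhost\Listener\$($httpsListener.Name)" |
    Where-Object Name -eq 'CertificateThumbprint').Value -replace ' ', ''
if ($boundThumb -ne $cert.Thumbprint) {
    throw "HTTPS listener is bound to $boundThumb, expected $($cert.Thumbprint)"
}
Test-WSMan -ComputerName $Fqdn -UseSSL -ErrorAction Stop
if ($selfSigned) { Write-Warning 'Self-signed certificate in use: lab only.' }
```

Test-WSMan performs the same certificate validation as Enter-PSSession, so a passing result here means both the listener and the name/certificate pairing are correct; remote clients additionally need to trust the issuing CA, which is why the self-signed branch only works for local testing.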