
PowerShell 2.0 Remoting Configuration

To get PowerShell remoting working, both the Remoting Client and the Remoting Server must be configured. In this document the Remoting Client is the SAM box (including any additional pollers); the Remoting Server is any target node that is to be monitored with a PowerShell monitor configured to execute scripts remotely via WinRM. As an example, the remoting configuration procedure is shown against Windows Server 2008 R2.

Note: Some commands (or steps) may be different if Windows Server 2003 is used.

Configuration of the Remoting Server

To turn your computer into a Remoting Server that is accessible from other machines, the following prerequisites need to be in place:

  • SSL Certificate: This is required if we are going to secure our WinRM connection.
  • Listener: Inside WinRM, a listener needs to be set up on the network port that Windows PowerShell on the Remoting Server uses to communicate.
  • Firewall Exception: A firewall exception is needed that allows outside requests to reach the WinRM service.
  • WinRM Service: This service receives requests from other computers and needs to be running.

Create a Self-signed Certificate

You will need an SSL certificate to use a secure WinRM connection. WinRM HTTPS requires a local computer Server Authentication certificate, with a CN matching the IP address, that is neither expired nor revoked.

There are two well-known tools available to create self-signed certificates: MakeCert.exe and SelfSSL.exe. MakeCert.exe is for testing purposes only and comes with Visual Studio. SelfSSL.exe is part of the Internet Information Services (IIS) 6.0 Resource Kit Tools and is the tool used in this example. The following commands should be executed on the Remoting Server computer, that is, the target node to be used with the SAM PowerShell monitor.

  1. Download the Internet Information Services (IIS) 6.0 Resource Kit and start setup:
  2. Choose the Custom Setup option:
  3. Select only the SelfSSL.exe tool (if you have no need for the additional components):
  4. Open a Command Prompt as an administrator from the Start menu (right-click):
  5. Change the current directory to the SelfSSL install path. Typically the path is "C:\Program Files (x86)\IIS Resources\SelfSSL":
  6. Enter the following command to create a self-signed certificate. Replace the parameters with actual values, as explained below. Note: Ignore the following possible error message: "Error opening metabase: 0x80040154." This indicates that IIS 6.0 compatibility mode may not be installed.

    selfssl.exe /N:CN=<Local Server IP Address> /V:<Certificate time to live in days> /P:<WinRM listener port> /T /Q

  • <Local Server IP Address> - This is the IP address of the Remoting Server node. Use the IP address and not the computer name. SAM uses this IP address when the probes are run;
  • <Certificate time to live in days> - This is the time interval, in days, for which the certificate remains valid;
  • <WinRM listener port> - This is the port on which the HTTPS listener will be created. The default value for the WinRM HTTPS listener port is 5986;
  • /T - This option adds the self-signed certificate to the Trusted Root Certificates list;
  • /Q - Quiet mode. This prevents you from being prompted when SSL settings are overwritten.

  • For example: selfssl.exe /N:CN=192.168.0.198 /V:3600 /P:5986 /T /Q

  7. Verify that the certificate was created properly. Start the Management Console (MMC.exe):
  8. Add the Certificates snap-in and verify that the recently created self-signed certificate is listed in both the "Personal" and "Trusted Root Certificate Authorities" stores.
  9. Follow the red steps in the graphic, 1 through 4, to select the Certificates snap-in:
  10. Once complete, you should have the following:
  11. Verify that the certificate is in the Personal store:
  12. Verify that the certificate is in the Trusted Root Certificate Authorities store:
  13. Open the created certificate by double-clicking it.
  14. On the Details page, select and copy the Thumbprint field value:
  15. Copy the values highlighted above to the clipboard. These copied values will be used to create a Listener in the following section.

Create a WinRM HTTPS Listener

Create the Windows Remote Management Listener and bind it to the certificate using the following steps:

  1. Open a Command Prompt as an administrator from the Start menu (right-click):
  2. The following command should be executed on the Remoting Server computer. This is the target node which will be used with the SAM PowerShell monitor. It is also the computer where the self-signed certificate was created in the previous section.
  3. Enter the following command with the parameters replaced with actual values, as explained below:

    winrm create winrm/config/Listener?Address=<IP Address used to bind listener>+Transport=HTTPS @{Hostname="<The name or IP of your remoting server>";CertificateThumbprint="<Paste from the previous step and remove the spaces>";Port="<Port number>"}

  • <IP Address used to bind listener> - To bind the certificate to the Listener, specify the Remoting Server's local IP address. You can use the wildcard symbol (*) to listen on all available local addresses;
  • <The name or IP of your remoting server> - The Remoting Server's node name or IP address;
  • <Paste from the previous step and remove the spaces> - Paste the self-signed certificate thumbprint created in steps 13-14 of the previous section;
  • <Port number> - This is the port number for the Listener. You can specify the default WinRM HTTPS port of 5986.

For example:

winrm create winrm/config/Listener?Address=IP:192.168.0.171+Transport=HTTPS @{Hostname="192.168.0.198";CertificateThumbprint="6aa47ed7356fb0f1e3b434850a7bb51ed40b0d3a";Port="5986"}

Once the command has been successfully executed, the output will look similar to the following illustration:

Adding a Firewall Exception

The following steps create an inbound exception in the Windows firewall for the WinRM HTTPS port 5986.

  1. Open a Command Prompt as an administrator from the Start menu (right-click):
  2. Enter the following command with the parameters replaced with actual values, as explained below:

    netsh advfirewall firewall add rule name="<Rule name>" protocol=TCP dir=in localport=<Port number> action=allow

  • <Rule name> - This is the name of the rule shown in the Windows Firewall under Advanced Security > Inbound Rules;
  • <Port number> - This is the port number in use for the Listener that was created in the previous section.

For example:

netsh advfirewall firewall add rule name="WinRM via HTTPS - Open Port 5986" protocol=TCP dir=in localport=5986 action=allow
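As an added example (not part of this documentation), the following PowerShell 2.0 script, run on the Remoting Server, checks that the three pieces configured above line up: the certificate is in both stores with the right CN and validity, the HTTPS listener is bound to that thumbprint and port, and the inbound firewall rule is enabled for the same port. It assumes the IP address, port, thumbprint and rule name from this page's examples; replace them with your own values.

```powershell
# Added verification script (not from the page). Run from an elevated
# PowerShell 2.0 prompt on the Remoting Server. Values below are the
# page's example values and are assumptions; substitute your own.
$serverIp   = "192.168.0.198"
$port       = 5986
$thumbprint = "6aa47ed7356fb0f1e3b434850a7bb51ed40b0d3a"
$ruleName   = "WinRM via HTTPS - Open Port 5986"

# 1. The certificate must be present in both Personal (My) and Trusted Root
#    (Root), carry the IP address as its CN, and still be within its lifetime.
foreach ($store in "My", "Root") {
    $cert = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) { Write-Warning "Certificate not found in LocalMachine\$store"; continue }
    if ($cert.Subject -ne "CN=$serverIp") { Write-Warning "Subject '$($cert.Subject)' is not CN=$serverIp" }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
    "OK: LocalMachine\$store holds $($cert.Subject), valid until $($cert.NotAfter)"
}

# 2. The WinRM HTTPS listener must be bound to the same thumbprint and port.
#    winrm.cmd prints plain text ("Transport = HTTPS", "Port = 5986", ...),
#    so the output is captured as one string and matched line by line.
$listener = & winrm enumerate winrm/config/listener 2>&1 | Out-String
if ($listener -notmatch "Transport = HTTPS") { Write-Warning "No HTTPS listener is configured" }
if ($listener -notmatch "CertificateThumbprint = $thumbprint") { Write-Warning "Listener is bound to a different certificate" }
if ($listener -notmatch "Port = $port") { Write-Warning "No listener is configured on port $port" }

# 3. The firewall rule must exist, be enabled, and open the listener's TCP port.
$rule = & netsh advfirewall firewall show rule "name=$ruleName" | Out-String
if ($rule -notmatch "Enabled:\s+Yes") { Write-Warning "Firewall rule '$ruleName' is missing or disabled" }
if ($rule -notmatch "Protocol:\s+TCP") { Write-Warning "Firewall rule '$ruleName' is not a TCP rule" }
if ($rule -notmatch "LocalPort:\s+$port") { Write-Warning "Firewall rule '$ruleName' does not open port $port" }

# 4. End-to-end: WinRM must answer an identify request over TLS on that IP and
#    port. This succeeds locally because the self-signed certificate was added
#    to Trusted Root by /T; the SAM box must trust the same certificate.
Test-WSMan -ComputerName $serverIp -Port $port -UseSSL -ErrorAction Stop
```

A warning from any of the four checks points at the section above that needs to be repeated; a clean run followed by the Test-WSMan identify response means the Remoting Server side is complete.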