Set-DscLocalConfigurationManager and Proxy awareness

Welcome Forums DSC (Desired State Configuration) Set-DscLocalConfigurationManager and Proxy awareness

This topic contains 19 replies, has 6 voices, and was last updated by

 
Participant
7 months, 3 weeks ago.

  • Author
    Posts
  • #95164

    Participant
    Points: 0
    Rank: Member

    Hi All,
    I've been messing around with trying to get “Set-DscLocalConfigurationManager” to play nice behind a proxy server. My conclusion up until now it that this cmdlet is not proxy aware, but wanted to reach out to this community to see if anyone else ever got this to work?

    Here's my test setup:

      Member1: Windows 2016 Member server
      DC01: Windows 2016 DC, DNS
      Edge01: Proxy server, DNS, (Optional NAT)

    Member1 is the server that needs to get the DSC configuration. Member1 has proxy configuration set in IE and configured with “Netsh winhttp”. I verified that Internet connectivity works using IE, running Windows update and “Invoke-WebRequest”. When running “Set-DscLocalConfigurationManager” it fails in this setup with the error message:

    “Registration of the Dsc Agent with the server https://we-agentservice-prod-1.azure-automation.net/accounts/(guid) failed. The underlying error is: Failed to register Dsc Agent with AgentId 29A9E37B-1D35-11E8-9669-00155D7CD013 with the server https://we-agentservice-prod-1.azure-automation.net/accounts/(guid)/Nodes(AgentId='29A9E37B-1D35-11E8-9669-00155D7CD013')”

    * I replaced the guid with (GUID)

    When I use the same setup and place this machine outside of the network so that it can directly connect to Azure, or enable NAT on the proxy the registration succeeds immediately, hence my conclusion that the cmdlet is not proxy aware.

    Anyone have any ideas? Is there a way to tell PowerShell in general or this specific cmdlet, “Use this proxy”?

  • #95182

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    Those communications are currently CIM running over WS-MAN, so the operating system's underlying proxy awareness doesn't come into play.

    Have you looked at https://blogs.msdn.microsoft.com/wmi/2009/06/08/how-to-use-wsman-proxy-support/ ?

    • #95230

      Participant
      Points: 0
      Rank: Member

      Hi Don,

      Well, that confirms my suspicion. I did some network traces and the connection does not even try to use the proxy as you mentioned. That's a bit unfortunate because I could not find that requirement on the Azure DCS doc pages anywhere. I'll take a look at the blog you suggested!

      Just to be clear, before I go down this route, can this be made to work with a proxy, or is it a big no, no?

  • #95236

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    It should, yeah.

    • #95238

      Participant
      Points: 0
      Rank: Member

      Hope is good 🙂

      So what I got until now is this

      $CIMSessionOption = New-CimSessionOption -ProxyType InternetExplorer
      $Session = New-CimSession -SessionOption $CIMSessionOption

      But that gives an error:

      "New-CimSession : The WinRM client cannot process the request. Setting proxy information is not valid when the HTTP transport is specified. Remove the proxy information or change the transport and try the request again."

      Can you give a hint on how to change the transport? I've tried -Usessl but that doens't seem to work either.

  • #95239

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    Yeah, that was described in that article I linked. You can't use a proxy over HTTP. So the remote end needs to have an HTTPS listener, and you do need to specify -UseSSL. It's all in "Secrets of PowerShell Remoting," since Remoting also uses WS-MAN under the hood. The HTTPS listener will need a trusted (not self-signed) SSL certificate.

    • #95242

      Participant
      Points: 0
      Rank: Member

      Hmmm so since this is Azure DSC related, I guess that's a no go, or is there a way to let Azure play nice on this?

  • #95245

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    No, Azure offers an HTTPS endpoint. But you'd need to either find that in your account or contact their support if it's not obvious. It might need to be explicitly set up, for example. I'm not a huge Azure expert.

    • #95247

      Participant
      Points: 0
      Rank: Member

      Well I've got a premier support case running at the moment, I'll promise to let you know once they have provided me with an answer. Perhaps I'll even create a blog post around it.

      I'll start digging in the secrets book you mentioned. Just so I can get this local thing up and running.

      ps: bought your "The DCS Book", Forever edition a couple of weeks ago. Good stuff, got me up and running really quick. Thanks for publishing that!

  • #95271

    Participant
    Points: 0
    Rank: Member

    The issue here is that LCM itself is not proxy aware. We are working on this but don't have a firm ETA as of yet. Until then the only other option would be to allow traffic to the Azure datacenter IP whitelist.
    https://www.microsoft.com/en-us/download/details.aspx?id=41653

    • #95319

      Participant
      Points: 0
      Rank: Member

      Hi Michael,

      Thanks for the clarification, appreciate the openness. I will add the information you provided in the design and send the information back to the premier support folks at Microsoft. For the time being, where the situation arises where the IP address cannot be whitelisted we could always just use runbooks to update and manage the LCM locally, instead of having a Azure pull server.
      PS, Would it be okay if I mentioned your statement in the case?

    • #95337

      Participant
      Points: 0
      Rank: Member

      Yes, anything that I can do to help. They can add me to the case Email, etc. No worries.

    • #95445

      Participant
      Points: 0
      Rank: Member

      Cool, thanks! Will add your name to the case.

    • #95526

      Participant
      Points: 0
      Rank: Member

      As recommended by the case engineer I've added an entry into uservoice.

      https://feedback.azure.com/forums/246290-automation/suggestions/33579367-lcm-dsc-proxy-awareness

  • #95597

    Participant
    Points: 37
    Rank: Member

    A potential (dirty) workaround for this is to use WCCP to force traffic through your proxy even for non proxy-aware systems like the LCM.

    It's worth checking whether you can do this if needed, although I'd avoid it as much as possible.

    Here's a link with a nice technical description of the concepts and an implementation (but not tested with DSC): https://thejimmahknows.com/proxy-wccp-cisco-asa-squid-3-4/

    • #95609

      Participant
      Points: 0
      Rank: Member

      I can understand the “dirty” part behind it. Problem I'm facing is that it would have to run on our medical device, meaning that ever additional piece of software would have to be verified before release. Powershell has already undergone such a rigorous validation. Hopefully with the uservoice entry it will be changed in the near future. I would still have the direct connect option to azure available, but that implies having different conversations with my customers.

    • #95784

      Participant
      Points: 37
      Rank: Member

      Just to avoid confusion, WCCP is at the network level so no config required on the node itself, so not on medical device.
      But I get what you mean.
      I would not bet on 'the near future' though, although it may depend on what you have in mind.

  • #96441

    Participant
    Points: 0
    Rank: Member

    I ran into this issue myself there connecting my sandbox servers to Azure due to a requirement by the security team. There is a workaround, Set up the internet explorer proxy on the local system account. You will need to setup the proxy I use the following code and reg files to setup my proxy with psexec.exe which can execute as local system which might be frowned on by your security team.

    $regkey = @'
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=EXPORT YOUR OWN PROXY SETTINGS to a reg file after setting up your proxy on your user account!.
    '@
    
    $ProxyKeys = @'
    @echo off
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t reg_dword /d 00000001 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t reg_sz /d "yourproxyserver.com:80" /f
    regedit /s c:\source\proxy\proxy.reg
    powershell.exe -file c:\source\proxy\proxy.ps1
    exit 0
    '@
    
    #force the proxy settings to reload so we can avoid a reboot
    $proxyRefresh = @'
    function refresh-system() {
    $signature = @"
    [DllImport("wininet.dll", SetLastError = true, CharSet=CharSet.Auto)]
    public static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);
    "@
    
        $INTERNET_OPTION_SETTINGS_CHANGED   = 39
        $INTERNET_OPTION_REFRESH            = 37
        $type = Add-Type -MemberDefinition $signature -Name wininet -Namespace pinvoke -PassThru
        $a = $type::InternetSetOption(0, $INTERNET_OPTION_SETTINGS_CHANGED, 0, 0)
        $b = $type::InternetSetOption(0, $INTERNET_OPTION_REFRESH, 0, 0)
        return $a -and $b
    }
    refresh-system
    '@
    
    
    new-item -path c:\source\proxy -type Directory -force
    $proxyrefresh | Out-file -filepath c:\source\proxy\proxy.ps1 -Encoding ASCII 
    $proxyKeys | Out-file -filepath c:\source\proxy\proxy.bat -Encoding ASCII
    $regkey | Out-File -filepath c:\source\proxy\proxy.reg -Encoding ASCII
    #psexec.exe -accepteula -s cmd.exe "/c c:\source\proxy\proxy.bat"
    
    $Process = Start-Process -FilePath psexec.exe -ArgumentList "-accepteula -s cmd.exe /c c:\source\proxy\proxy.bat" -Wait -PassThru -NoNewWindow -Verbose
    Write-Output "ExitCode: $($Process.ExitCode)"
    If ($Process.ExitCode -ne 0) {
        Throw "Proxy setup failed"
        exit 1
    }
    
    
  • #97181

    Participant
    Points: 1
    Rank: Member

    Workaround:
    Open IExplorer with PSexec.exe and configure the proxy
    This way you can setup the proxy as well

  • #97325

    Participant
    Points: 0
    Rank: Member

    Also, your security team can review the datacenter IP ranges for Azure and approve that as a whitelist for network traffic, whether that apply to routes in general for encrypted traffic or traffic to/from your SSL/TLS forward proxy, rather than allowing traffic openly to the Internet.
    https://www.microsoft.com/en-us/download/details.aspx?id=41653

The topic ‘Set-DscLocalConfigurationManager and Proxy awareness’ is closed to new replies.