WinRM: Allow Connections From Specific IP/Prefix

    • #68529
      Participant

      Hello,

      My Goal:

      On this test machine (non-domain), I want to restrict WinRM listener (itself) to only listen for specific client IP addresses or client IP address range. I don’t want to attempt to control WinRM traffic via GPO/FW, I want to control WinRM traffic via the listener itself.

      My problem:

      The command I used to create the listener (the IP I used in “IP:xxx.xxx.xxx.xxxx” is the IP of the public interface (front net)). The resulting listener configuration then contains the public IP as the listener Address as well as the ListenOn address. I would appreciate it if someone can explain what the “Address” field and “ListenOn” field mean and how I can ensure that WinRM is listening on a specific interface on the target server and listening for specific client (requesting) IPs.

      New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:xxx.xxx.xxx.xxxx";Transport="HTTPS"} -ValueSet @{HostName='xxxxxxxxxxxx.xxxxxxxxxxx.xxxx';CertificateThumbprint='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}

      Check listener configuration:

      PS C:\scripts> winrm e winrm/config/listener
      Listener
      Address = IP:xxx.xxx.xxx.xxxx
      Transport = HTTPS
      Port = xxxx
      Hostname = xxxxxxxxxxxx.xxxxxxxxxxx.xxxx
      Enabled = true
      URLPrefix = wsman
      CertificateThumbprint = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      ListeningOn = xxx.xxx.xxx.xxxx

      Thanks in advance!

      Jason

    • #68719
      Keymaster

      That’s something you’d have to lock down in the firewall. Or, I suppose, with IP address restrictions at the IIS level. The WinRM configurations tell it which IP addresses to bind to, not which ones to accept connections from.

    • #68721
      Keymaster

      Sorry, scratch “IIS level;” I had a pull server in my head. This’d have to be done at the firewall.
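
The firewall-level restriction the replies point to, as an added example that is not part of the original thread: the listener stays bound to its interface, and Windows Firewall limits which client addresses may reach it. The port (5986), both address values and the rule name are assumed placeholders, not values from the thread.

```powershell
#Requires -RunAsAdministrator
# Assumed placeholder values (none come from the thread); replace before use.
$Port          = 5986                                   # WinRM HTTPS default; the thread redacts the real port
$ListenerIP    = '203.0.113.5'                          # constructed: address the listener is bound to
$AllowedRemote = @('192.0.2.0/24', '198.51.100.10')     # constructed: client prefix and single host
$RuleName      = 'WinRM HTTPS - allowed clients only'   # hypothetical rule name

# Create the scoped allow rule, or update its scope if it already exists.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule -LocalAddress $ListenerIP -RemoteAddress $AllowedRemote
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -LocalAddress $ListenerIP `
        -RemoteAddress $AllowedRemote -Profile Any | Out-Null
}

# Allow rules are additive: any other enabled rule that opens the same port to
# "Any" remote address defeats the restriction. List them for review.
# (Rules that cover the port through a range such as 5985-5986 are not matched.)
$tooBroad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        $ports  = ($_ | Get-NetFirewallPortFilter).LocalPort
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports -contains "$Port") -and ($remote -contains 'Any')
    }
$tooBroad | Select-Object DisplayName, Profile | Format-Table -AutoSize

# The allow rule only restricts access if unmatched inbound traffic is blocked.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Any rule the audit lists needs to be disabled or scoped the same way before the restriction takes effect.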
