WinRM: Allow Connections From Specific IP/Prefix

This topic contains 2 replies, has 2 voices, and was last updated by  Don Jones 1 year, 1 month ago.

  • #68529

    Jason Colotario


    My Goal:

    On this test machine (non-domain), I want to restrict the WinRM listener (itself) to only listen for specific client IP addresses or a client IP address range. I don't want to attempt to control WinRM traffic via GPO/FW; I want to control WinRM traffic via the listener itself.

    My problem:

    The command I used to create the listener (the IP I used in "" is the IP of the public interface (front net)). The resulting listener configuration then contains the public IP as the listener Address as well as the ListenOn address. I'd appreciate it if someone can explain what the "Address" field and "ListenOn" field mean and how I can ensure that WinRM is listening on a specific interface on the target server and listening for specific client (requesting) IPs.

    New-WSManInstance winrm/config/Listener -SelectorSet @{Address="";Transport="HTTPS"} -ValueSet @{HostName='xxxxxxxxxxxx.xxxxxxxxxxx.xxxx';CertificateThumbprint='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}

    Check listener configuration:

    PS C:\scripts> winrm e winrm/config/listener
    Address =
    Transport = HTTPS
    Port = xxxx
    Hostname = xxxxxxxxxxxx.xxxxxxxxxxx.xxxx
    Enabled = true
    URLPrefix = wsman
    ListeningOn =

    Thanks in advance!


  • #68719

    Don Jones

    That's something you'd have to lock down in the firewall. Or, I suppose, with IP address restrictions at the IIS level. The WinRM configurations tell it which IP addresses to bind to, not which ones to accept connections from.

  • #68721

    Don Jones

    Sorry, scratch "IIS level;" I had a pull server in my head. This'd have to be done at the firewall.
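
The firewall-level restriction recommended in the replies, sketched as an added example that is not part of the original thread: it reads the port from the HTTPS listener, creates or updates one inbound allow rule scoped to a client allow-list, and reports other enabled rules that would still open the same port. The rule name and the client addresses (RFC 5737 documentation ranges) are constructed placeholders; run it from an elevated prompt.

```powershell
# Added example. The listener's Address/ListeningOn only select the local IPs
# WinRM binds to, so the client allow-list is enforced in Windows Firewall.
$AllowedClients = @('192.0.2.10', '198.51.100.0/24')   # constructed sample values
$RuleName       = 'WinRM-HTTPS-AllowList'              # hypothetical rule name

# Take the port from the HTTPS listener instead of assuming a default.
$listener = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    Select-Object -First 1
if (-not $listener) { throw 'No HTTPS WinRM listener is configured.' }
$port = [int]$listener.Port

# Create the scoped allow rule, or update it if it already exists.
if (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -Name $RuleName -LocalPort $port -RemoteAddress $AllowedClients
} else {
    New-NetFirewallRule -Name $RuleName `
        -DisplayName 'WinRM HTTPS (allow-listed clients)' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $port -RemoteAddress $AllowedClients -Profile Any | Out-Null
}

# Allow rules are additive: any other enabled inbound allow rule on the same
# port keeps it reachable from that rule's own scope. List them for review.
# (Only exact port matches are detected, not port ranges or "Any".)
$others = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Name -ne $RuleName -and $_.Direction -eq 'Inbound' -and
        $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
    }
foreach ($rule in $others) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    Write-Warning "Rule '$($rule.DisplayName)' also allows TCP $port from: $remote"
}

# Show the effective scope of the allow-list rule.
Get-NetFirewallRule -Name $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $RuleName } }, RemoteAddress
```

Any rule reported by the warning has to be disabled or given the same `-RemoteAddress` scope before the allow-list is the only path to the listener.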
