WinRM: Allow Connections From Specific IP/Prefix

This topic contains 2 replies, has 2 voices, and was last updated by Don Jones 2 months, 1 week ago.

  • #68529
    Jason Colotario
    Participant

    Hello,

    My Goal:

    On this test machine (non-domain), I want to restrict WinRM listener (itself) to only listen for specific client IP addresses or client IP address range. I don't want to attempt to control WinRM traffic via GPO/FW, I want to control WinRM traffic via the listener itself.

    My problem:

    The command I used to create the listener is below (the IP I used in "IP:xxx.xxx.xxx.xxxx" is the IP of the public interface (front net)). The resulting listener configuration then contains the public IP as the listener Address as well as the ListenOn address. I would appreciate it if someone can explain what the "Address" field and "ListenOn" field mean and how I can ensure that WinRM is listening on a specific interface on the target server and listening for specific client (requesting) IPs.

    New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:xxx.xxx.xxx.xxxx";Transport="HTTPS"} -ValueSet @{HostName='xxxxxxxxxxxx.xxxxxxxxxxx.xxxx';CertificateThumbprint='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}

    Check listener configuration:

    PS C:\scripts> winrm e winrm/config/listener
    Listener
    Address = IP:xxx.xxx.xxx.xxxx
    Transport = HTTPS
    Port = xxxx
    Hostname = xxxxxxxxxxxx.xxxxxxxxxxx.xxxx
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ListeningOn = xxx.xxx.xxx.xxxx

    Thanks in advance!

    Jason

  • #68719
    Don Jones
    Keymaster

    That's something you'd have to lock down in the firewall. Or, I suppose, with IP address restrictions at the IIS level. The WinRM configurations tell it which IP addresses to bind to, not which ones to accept connections from.

  • #68721
    Don Jones
    Keymaster

    Sorry, scratch "IIS level;" I had a pull server in my head. This'd have to be done at the firewall.
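    Don's answer puts the client restriction in the firewall rather than in the listener. The following PowerShell is an added example, not code from the thread: it creates an inbound Windows Firewall rule that allows the WinRM HTTPS port only from a management prefix, then audits for any other enabled inbound Allow rule on that port whose RemoteAddress would undo the restriction. It assumes the default WinRM HTTPS port 5986 (the thread masks the port as "xxxx") and uses the constructed prefix 10.0.0.0/24.

```powershell
# Added example, not from the thread. Assumptions: the WinRM HTTPS listener is on
# the default port 5986 (the thread shows "Port = xxxx"), and the only clients
# allowed to connect live in the constructed prefix 10.0.0.0/24.
$Port          = 5986
$AllowedPrefix = '10.0.0.0/24'   # constructed sample value
$RuleName      = 'WinRM HTTPS - allowed management prefix only'

# 1. Allow the WinRM HTTPS port, but only from the management prefix.
#    Windows Firewall drops inbound traffic that no enabled Allow rule matches,
#    so clients outside the prefix never reach the listener.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedPrefix | Out-Null
}

# 2. Audit: any other enabled inbound Allow rule on the same port reopens it if
#    its RemoteAddress is "Any" or wider than the prefix.
$broad = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }

if ($broad) {
    Write-Warning "Other enabled inbound Allow rules also open TCP/$Port; review or disable them:"
    $broad | Format-Table -AutoSize
} else {
    Write-Output "TCP/$Port is reachable only from $AllowedPrefix."
}

# 3. Show what the listener itself is bound to. Address/ListeningOn describe the
#    local bind (which interface WinRM listens on), not which clients it accepts.
winrm enumerate winrm/config/listener
```

    Run from an elevated PowerShell session; the audit step is the part worth repeating after any `winrm quickconfig` or `Enable-PSRemoting`, since those can add their own inbound rules.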
