Setup Remoting on non domain joined machines

Not so unique a situation here. I have a jump box (Client) in the DMZ with a VPN client installed, from which I want to administer machines on a domain and some standalone servers using PSRemoting.

The first stumbling block I came across was the Public connection profile my VPN tunnel was stuck on. The command below was the easiest way to set it to Private:

# Get-NetConnectionProfile on its own only shows the profile; piping on to Set-NetConnectionProfile changes it
Get-NetAdapter -Name "Ethernet 2" | Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

The server you intend to connect to needs to have a certificate installed; it can be from your own internal CA, which is what I did. The PowerShell way:

# Run on the server being enrolled; -DnsName is that server's own FQDN (the name clients connect to), not the CA's, or the HTTPS listener certificate will fail hostname validation
$enrollresult = Get-Certificate -Template Machine -Url ldap:///cn=CAName -DnsName Server01.FQDN -CertStoreLocation Cert:\LocalMachine\My

To enable PSRemoting you need to run

Enable-PSRemoting

You can append the -Force option; it bypasses the questions you are probably going to say yes to anyway. Personally I only used it when automating the setup.

To test, you can use the Test-WSMan cmdlet:

Test-WSMan -ComputerName Server01.FQDN # Without SSL 
Test-WSMan -ComputerName Server01.FQDN -UseSSL # With SSL 

At this point you have PSRemoting working over an HTTP connection, as the above test will show, using the default port (5985). To enable SSL you run

winrm quickconfig -transport:https
New-NetFirewallRule -DisplayName "PSRemoting" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow

The New-NetFirewallRule seemed to be needed on my DMZ machines that are not domain joined; that may or may not have been an anomaly and needed more testing, but the firewall rule now seems to be needed in all cases. I am not changing the rule to allow clear text from locations other than the local IP subnet, and may actually block that at a later stage. You can of course do this via GPO for domain joined machines.
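The server-side steps above, gathered into one script that can be re-run safely. This is an added example, not a script from the original post. It assumes the VPN-facing adapter is "Ethernet 2", the CA template is named Machine, and the CA enrollment policy is published in AD (-Url ldap:, the documented form; the post's ldap:///cn=CAName URL can be substituted). It binds the HTTPS listener to the issued certificate explicitly by thumbprint rather than letting winrm quickconfig pick one from the store.

```powershell
# Added example (not from the original post): server-side PSRemoting over HTTPS setup.
# Assumptions: adapter "Ethernet 2", CA template "Machine", AD-published enrollment policy.
$ErrorActionPreference = 'Stop'
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Enable-PSRemoting refuses to configure while any connection is Public, so move the
#    VPN adapter to Private first
Get-NetAdapter -Name "Ethernet 2" | Get-NetConnectionProfile |
    Set-NetConnectionProfile -NetworkCategory Private

# 2. Start the WinRM service and create the default HTTP listener (5985)
Enable-PSRemoting -Force | Out-Null

# 3. Request a machine certificate whose subject/SAN is this host's own FQDN
$enroll = Get-Certificate -Template Machine -Url ldap: -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') {
    # e.g. 'Pending' when the template requires CA manager approval
    throw "Certificate request returned '$($enroll.Status)'; an issued certificate is required for the HTTPS listener"
}

# 4. Replace any stale HTTPS listener and bind a new one to the certificate by thumbprint
#    (the explicit equivalent of 'winrm quickconfig -transport:https')
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $enroll.Certificate.Thumbprint -Force | Out-Null

# 5. Open 5986 if the rule does not already exist; the HTTP rule Enable-PSRemoting created is left as it is
if (-not (Get-NetFirewallRule -DisplayName "PSRemoting HTTPS" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "PSRemoting HTTPS" -Direction Inbound -LocalPort 5986 `
        -Protocol TCP -Action Allow | Out-Null
}

# 6. Verify both transports from the server itself
Test-WSMan -ComputerName $Fqdn
Test-WSMan -ComputerName $Fqdn -UseSSL
```

Choosing the listener certificate by thumbprint matters on a server that holds more than one machine certificate: quickconfig picks one whose CN matches the hostname, and a stale or wrong certificate silently ends up serving 5986.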

On the client end you will need to add the non domain joined servers to TrustedHosts:

winrm s winrm/config/client '@{TrustedHosts="ServerFQDN"}'

I had to do it for a bunch of servers, so I did it with a quick bit of PS. You can add as many servers to $computers as you need; I ended up with 83.

$computers = "Server01.FQDN","Server02.FQDN","Server03.FQDN","Server04.FQDN"
# Set the whole comma-separated list in one call: each 'winrm s' (and each Set-Item without -Concatenate) replaces TrustedHosts, so a per-server loop keeps only the last host; single quotes would also stop $computer expanding
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($computers -join ',') -Force

If your client is domain joined you won’t need this, but I am on a different domain to the servers.

From here you should be able to connect using

New-PSSession -ComputerName Server01.FQDN -Credential (Get-Credential) -UseSSL

As I am unable to connect to the CA from the client, I have to add -SessionOption (New-PSSessionOption -SkipRevocationCheck) to skip CRL validation.

I put together a nasty little function to simplify connections and to stop ending up with multiple sessions on a server.
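One way to write such a connection helper, as an added example and not the post's own function: it returns an existing open session to the host when there is one, cleans up broken leftovers, and otherwise opens a new HTTPS session with the revocation check skipped as described above. The function name Get-ServerSession is an assumption. Note what -SkipRevocationCheck does and does not do: the certificate chain and hostname are still validated, only the CRL lookup is skipped, so the server certificate continues to authenticate the host even though TrustedHosts has turned off Kerberos mutual authentication.

```powershell
# Added example (not the post's own function). Assumes the server certificate chains to an
# internal CA the client trusts but whose CRL the client cannot reach, as in the post.
function Get-ServerSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )

    # Reuse an open, idle session to this host rather than stacking up a new one per call
    $existing = Get-PSSession |
        Where-Object { $_.ComputerName -eq $ComputerName -and
                       $_.State -eq 'Opened' -and
                       $_.Availability -eq 'Available' } |
        Select-Object -First 1
    if ($existing) { return $existing }

    # Remove broken or disconnected leftovers to the same host so they do not accumulate
    Get-PSSession |
        Where-Object { $_.ComputerName -eq $ComputerName -and $_.State -ne 'Opened' } |
        Remove-PSSession

    if (-not $Credential) {
        $Credential = Get-Credential -Message "Credentials for $ComputerName"
    }

    # HTTPS transport; only the CRL check is skipped (CA unreachable from the client),
    # chain and hostname validation still apply
    $opt = New-PSSessionOption -SkipRevocationCheck
    New-PSSession -ComputerName $ComputerName -Credential $Credential -UseSSL -SessionOption $opt
}

# Usage: repeated calls return the same session while it stays open
$s = Get-ServerSession -ComputerName Server01.FQDN
Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
```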

Updates
2016-07-21

Added PowerShell method for certificate enrollment
Changed firewall requirement