The end user can operate a WSMan client from behind a web proxy for remote management; that is, the client machine connects to the internet through a web proxy server, and all HTTP traffic between the client machine and the internet must pass through that proxy server.
Communication between the WSMan client and server must remain secure to avoid eavesdropping by the proxy, so WSMan proxy support works only over HTTPS; setting proxy information is not valid when the HTTP transport is specified. WSMan implements its own failover mechanism, and the WSMan client stack caches the result of the WinHTTP auto-detection process per session for performance reasons.
In this blog, we illustrate the scenario of using a WSMan client via a web proxy for remote management.
1) On the server machine
In the following example, we use either “quickconfig” to create an HTTPS listener and explicitly open port 5986, or set EnableCompatibilityHttpsListener to True to create an HTTPS listener and explicitly open port 443. We also make sure the server side allows Basic authentication.
2) On the client machine
After setting up the server side, the end user can operate a WSMan client from behind a web proxy for remote management. Please note that most WinRM-related PowerShell cmdlets contain a SessionOption parameter, which allows the proxy info to be specified.
In the above example we create a WSMan Session option hashtable which can be passed into WSMan cmdlets such as Get-WSManInstance. That session option takes the following parameters and values related to proxy info:
ProxyAuthentication: This parameter specifies the authentication method to use at the proxy. The user selects one of a set of authentication methods. The available options are as follows:
Negotiate: Use Negotiate authentication (either Kerberos or NTLM) for establishing a remote connection.
Basic: Use Basic authentication for establishing a remote connection.
Digest: Use Digest authentication for establishing a remote connection.
required if ProxyAuthentication is Basic or Digest, optional if ProxyAuthentication is Negotiate as it can use the implicit logon credential
cannot be specified if ProxyAuthentication is not specified
ProxyNoProxyServer: Do not use a proxy server. All host names will be resolved locally.
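The two steps above, end to end, as an added example that is not code from the original post: the server is prepared with an HTTPS listener and Basic authentication, and the client builds a session option carrying the proxy settings and passes it to Get-WSManInstance. The host name, firewall rule name and account prompts are hypothetical; ProxyAccessType and ProxyCredential are New-WSManSessionOption parameters that the text above does not name.

```powershell
# --- 1) Server, elevated prompt. Pick ONE of the two listener options. ---
# Option A: HTTPS listener on port 5986 (a server-authentication certificate
# must already be installed), then open the port explicitly.
winrm quickconfig -transport:https
New-NetFirewallRule -DisplayName 'WinRM HTTPS 5986 (example)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# Option B: compatibility HTTPS listener on port 443 instead.
# winrm set winrm/config/service '@{EnableCompatibilityHttpsListener="true"}'
# New-NetFirewallRule -DisplayName 'WinRM HTTPS 443 (example)' -Direction Inbound `
#     -Protocol TCP -LocalPort 443 -Action Allow

# Allow Basic authentication on the service. With Basic, the only protection
# for the credential on the wire is the HTTPS channel.
winrm set winrm/config/service/auth '@{Basic="true"}'

# --- 2) Client, behind the web proxy. ---
$server     = 'server01.example.com'   # hypothetical managed host
$serverCred = Get-Credential -Message 'Account on the managed server'
$proxyCred  = Get-Credential -Message 'Account accepted by the web proxy'

# Proxy settings live in the session option. With Negotiate, -ProxyCredential
# may be omitted to use the implicit logon credential; Basic and Digest need it.
$so = New-WSManSessionOption -ProxyAccessType ProxyAutoDetect `
        -ProxyAuthentication Negotiate -ProxyCredential $proxyCred

# -SkipCACheck / -SkipCNCheck are deliberately NOT set: validating the server
# certificate is what keeps the proxy from reading or altering the session.

# -UseSSL is mandatory here: proxy information is rejected over plain HTTP.
Get-WSManInstance -ResourceURI winrm/config/service -ComputerName $server `
    -Port 5986 -UseSSL -Authentication Basic -Credential $serverCred `
    -SessionOption $so
```

If Option B was used on the server, change `-Port 5986` to `-Port 443` on the client.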