How To Use WSMan Proxy Support

  • Article

The end user can operate a WSMan client from behind a web proxy for remote management, that is, the client machine connects to the internet through a web proxy server. All HTTP traffic between the client machine and the internet must pass through the proxy server.

 

Communication between WSMan client and server must remain secure to avoid eavesdropping by proxy, so WSMan proxy support is only over HTTPS, setting proxy information is not valid when the HTTP transport is specified. WSMan implements its own failover mechanism, WSMan client stack caches the result of the Winhttp auto-detection process per session for performance reasons.

 

In this blog, we illustrate the scenario of using WSMan client via web proxy for remote management.

 

1) On server machine

In the following example, we use either “quickconfig” to create a HTTPS listener and explicitly open port 5986, or set EnableCompatibilityHttpsListener to True to create a HTTPS listener and explicitly open port 443, We also make sure the server side allows Basic authentication

PS D:\Windows\system32> Set-WSManQuickConfig -UseSSL

WinRM Quick Configuration

Running the Set-WSManQuickConfig command has significant security implications, as it enables remote ……………………………….

PS D:\Windows\system32> netsh advfirewall firewall add rule name="Port 5986" dir=in action=allow protocol=TCP localport=5986

Ok.

PS D:\Windows\system32> Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener $true

PS D:\Windows\system32> netsh advfirewall firewall add rule name="Port 443" dir=in action=allow protocol=TCP localport=443

Ok.

PS D:\Windows\system32> Set-Item WSMan:\localhost\Service\Auth\Basic $true

PS D:\Windows\system32>

 

 

2) On client machine

After setting up the server side, end user can operate a WSMan client from behind a web proxy for remote management, please note most winrm-related PS cmdlets contain a SessionOption parameter which allows the proxy info to be specified

PS D:\Windows\system32> $remoteCred = Get-Credential Administrator

PS D:\Windows\system32> $proxyCred = Get-Credential domain\user

PS D:\Windows\system32> $SessionOption=New-WSManSessionOption -ProxyAuthentication Negotiate -ProxyAccessType ProxyIEConfig -ProxyCredential $proxyCred

PS D:\Windows\system32> Get-WSManInstance -ConnectionURI https://machineFQDN:443/wsman -ResourceURI winrm/config -SessionOption $SessionOption -Authentication Basic -Credential $remoteCred

cfg : https://schemas.microsoft.com/wbem/wsman/1/config

lang : en-US

MaxEnvelopeSizekb : 150

MaxTimeoutms : 60000

MaxBatchItems : 32000

……………………………

 

In the above example we create a WSMan Session option hashtable which can be passed into WSMan cmdlets such as Get-WSManInstance. That session option takes the following parameters and values related to proxy info:

 

ProxyAuthentication: This parameter takes a set of authentication methods the user can select from, Specifying the authentication method to use at the proxy. The available options should be as follows:

                Negotiate Use Negotiate authentication (Either Kerberos or NTLM) for establishing a remote connection.

                Basic Use basic authentication for establishing a remote connection

                Digest Use Digest authentication for establishing a remote connection

ProxyCredential:

      required if ProxyAuthentication is Basic or Digest, opional if ProxyAuthentication is Negotiate as it can use the implicit logon credential

                cannot be specified if ProxyAuthentication is not specfied

ProxyAccessType

                ProxyIEConfig

                ProxyWinHttpConfig

                ProxyAutoDetect

                ProxyNoProxyServer: Do not use a proxy server. All host names will be resolved locally