How To Use WSMan Proxy Support


The end user can operate a WSMan client from behind a web proxy for remote management, that is, the client machine connects to the internet through a web proxy server. All HTTP traffic between the client machine and the internet must pass through the proxy server.


 


Communication between the WSMan client and server must remain secure so that the proxy cannot eavesdrop on it. WSMan proxy support therefore works only over HTTPS; setting proxy information is not valid when the HTTP transport is specified. WSMan implements its own failover mechanism, and for performance reasons the WSMan client stack caches the result of the WinHTTP auto-detection process per session.


 


In this blog, we illustrate the scenario of using a WSMan client via a web proxy for remote management.


 


1) On server machine


In the following example, we either use “quickconfig” to create an HTTPS listener and explicitly open port 5986, or set EnableCompatibilityHttpsListener to True to create an HTTPS listener and explicitly open port 443. We also make sure the server side allows Basic authentication.



PS D:\Windows\system32> Set-WSManQuickConfig -UseSSL


WinRM Quick Configuration


Running the Set-WSManQuickConfig command has significant security implications, as it enables remote ……………………………….


PS D:\Windows\system32> netsh advfirewall firewall add rule name="Port 5986" dir=in action=allow protocol=TCP localport=5986


Ok.


PS D:\Windows\system32> Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener $true


PS D:\Windows\system32> netsh advfirewall firewall add rule name="Port 443" dir=in action=allow protocol=TCP localport=443


Ok.


PS D:\Windows\system32> Set-Item WSMan:\localhost\Service\Auth\Basic $true


PS D:\Windows\system32>


 


 


2) On client machine


After setting up the server side, the end user can operate a WSMan client from behind a web proxy for remote management. Note that most WinRM-related PowerShell cmdlets have a SessionOption parameter that allows the proxy information to be specified.



PS D:\Windows\system32> $remoteCred = Get-Credential Administrator


PS D:\Windows\system32> $proxyCred = Get-Credential domain\user


PS D:\Windows\system32> $SessionOption=New-WSManSessionOption -ProxyAuthentication Negotiate -ProxyAccessType ProxyIEConfig -ProxyCredential $proxyCred


PS D:\Windows\system32> Get-WSManInstance -ConnectionURI https://machineFQDN:443/wsman -ResourceURI winrm/config -SessionOption $SessionOption -Authentication Basic -Credential $remoteCred


cfg                 : http://schemas.microsoft.com/wbem/wsman/1/config


lang                : en-US


MaxEnvelopeSizekb   : 150


MaxTimeoutms        : 60000


MaxBatchItems       : 32000


……………………………


 


In the above example we create a WSMan Session option hashtable which can be passed into WSMan cmdlets such as Get-WSManInstance. That session option takes the following parameters and values related to proxy info:


 


ProxyAuthentication: Specifies the authentication method to use at the proxy. The user can select from the following options:


                Negotiate           Use Negotiate authentication (Either Kerberos or NTLM) for establishing a remote connection.


                Basic                      Use basic authentication for establishing a remote connection


                Digest                   Use Digest authentication for establishing a remote connection


ProxyCredential:


                Required if ProxyAuthentication is Basic or Digest; optional if ProxyAuthentication is Negotiate, as it can use the implicit logon credential.


                Cannot be specified if ProxyAuthentication is not specified.


ProxyAccessType            


                ProxyIEConfig


                ProxyWinHttpConfig


                ProxyAutoDetect


                ProxyNoProxyServer: Do not use a proxy server. All host names will be resolved locally
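
The parameter rules above, together with the HTTPS-only restriction, can be checked before a session option is created. The following is an added example, not code from the original post or from WinRM itself; the function name New-ProxiedWSManSessionOption is hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: hypothetical wrapper around New-WSManSessionOption that
# enforces the proxy rules described in this post before any connection is made.
function New-ProxiedWSManSessionOption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [uri]$ConnectionURI,

        [ValidateSet('ProxyIEConfig', 'ProxyWinHttpConfig', 'ProxyAutoDetect', 'ProxyNoProxyServer')]
        [string]$ProxyAccessType = 'ProxyIEConfig',

        [ValidateSet('Negotiate', 'Basic', 'Digest')]
        [string]$ProxyAuthentication,

        [System.Management.Automation.PSCredential]$ProxyCredential
    )

    # Proxy information is only valid over HTTPS, so reject http:// and relative URIs.
    if (-not $ConnectionURI.IsAbsoluteUri -or $ConnectionURI.Scheme -ne 'https') {
        throw "Proxy options require an https:// connection URI: '$ConnectionURI'."
    }

    # ProxyCredential cannot be specified if ProxyAuthentication is not specified.
    if ($ProxyCredential -and -not $ProxyAuthentication) {
        throw 'ProxyCredential cannot be specified unless ProxyAuthentication is specified.'
    }

    # Basic and Digest need an explicit credential; Negotiate may fall back
    # to the implicit logon credential.
    if (($ProxyAuthentication -in 'Basic', 'Digest') -and -not $ProxyCredential) {
        throw "ProxyAuthentication '$ProxyAuthentication' requires ProxyCredential."
    }

    # Pass on only the parameters the caller actually supplied.
    $params = @{ ProxyAccessType = $ProxyAccessType }
    if ($ProxyAuthentication) { $params.ProxyAuthentication = $ProxyAuthentication }
    if ($ProxyCredential)     { $params.ProxyCredential     = $ProxyCredential }
    New-WSManSessionOption @params
}

# Usage, with the same values as the client session shown earlier:
# $SessionOption = New-ProxiedWSManSessionOption -ConnectionURI https://machineFQDN:443/wsman `
#     -ProxyAuthentication Negotiate -ProxyCredential $proxyCred
```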

Comments (1)

  1. Hi, does the WMI .NET API support a web proxy? There is a case as follows.

    1. I have some servers on a public network which is outside of our internal network.

    2. I can access these servers by a web proxy.

    3. I have a tool which was developed with the WMI .NET API. This tool sets up a WMI connection to the servers, copies a program to the servers and launches the program on these servers. (This means that it deploys some software to the servers remotely.)

    The issue is that the web proxy is there, so I cannot connect to the servers with the WMI API. So my question is, does the WMI API support a web proxy? And which class or method should I call….