I am trying to get a remote PowerShell session to a Windows Server 2016 deployed on Azure via its public IP address (initially I was trying to configure the Server Management Tools gateway, but I can't get it working even between two identical, freshly deployed servers).
I have two servers (target 10.0.0.4 and source 10.0.0.5) connected to the same subnet, and I can connect from the source to the target on the local network (10.0.0.0):
PS C:\> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.0.0.4" -Concatenate -Force
PS C:\> Enter-PSSession -ComputerName 10.0.0.4 -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[10.0.0.4]: PS C:\Users\techraf\Documents> exit
If I however try to use the target's public IP address the connection gets refused:
PS C:\> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "13.85.78.151" -Concatenate -Force
PS C:\> Enter-PSSession -ComputerName 13.85.78.151 -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Enter-PSSession : Connecting to remote server 13.85.78.151 failed with the following error message : WinRM cannot
complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the
network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 13.85.78.151 -Credential (Get-Credentia ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (13.85.78.151:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Prior to trying this, I have:
- created an inbound rule in the NSG for TCP ports 5985 and 5986 (for the whole internet)
- disabled (completely, for a test) Windows firewall on the target system
I also checked the target ports with nmap from the source machine, and while 5985 is open, 5986 is closed (including connections on the 10.0.0.0 network).
Is there anything else required to make it work?
Which mode do you use when you deploy the VMs? If it is ASM (Azure service management), then please try to deploy the two VMs in different cloud services.
I've tested this in ARM (Azure Resource Manager); WinRM works when I open only TCP port 5985.
How did you disable the firewall? Please do not stop the services, which may cause unexpected firewall behavior. We need to turn off the firewall with the GUI.
You need to perform a network capture on the target server to find the detailed process of this communication.
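Before going to a packet capture, the checks below make the two observations in the question (5985 open but 5986 closed, and the "limits access to remote computers within the same local subnet" wording) visible directly from WinRM and the firewall. This is an added diagnostic, not code from the question or the answer; it assumes the asker's addresses (target 10.0.0.4, source 10.0.0.5, public IP 13.85.78.151).

```powershell
# Added diagnostic for the situation above; not code from the question or the answer.
# Assumes the asker's addresses: target 10.0.0.4, source 10.0.0.5, public IP 13.85.78.151.

# --- Run on the TARGET (10.0.0.4) ---

# 1. Listeners WinRM actually has. A freshly deployed server normally carries only
#    the HTTP listener on 5985; 5986 stays closed until an HTTPS listener is created,
#    which is consistent with the nmap result in the question.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
    }
}

# 2. Scope of the built-in WinRM firewall rules. The Public-profile rule ships with
#    RemoteAddress = LocalSubnet, which is exactly the restriction the error text cites.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize

# 3. Profile state as the firewall itself reports it. Stopping the service, as the
#    answer warns against, does not show up here as a clean Enabled = False.
Get-NetFirewallProfile | Select-Object Name, Enabled

# --- Run on the SOURCE (10.0.0.5) ---

# 4. Port and WS-Man reachability for the private and public addresses side by side,
#    so an NSG problem (public only) can be told apart from a listener problem (both).
foreach ($target in '10.0.0.4', '13.85.78.151') {
    foreach ($port in 5985, 5986) {
        $open = Test-NetConnection -ComputerName $target -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0}:{1} open={2}' -f $target, $port, $open
    }
    try   { Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null; "$target answers WS-Man identify" }
    catch { "$target WS-Man identify failed: $($_.Exception.Message)" }
}
```

If step 4 shows 5985 open on the public address but WS-Man identify still fails, the capture the answer suggests is the next step; if the NSG rule stays open to the whole internet while testing, narrowing it to the administrative source address keeps the exposed listener from being reachable by anyone else.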