How To Use WSMan Proxy Support
The end user can operate a WSMan client from behind a web proxy for remote management. That is, the client machine connects to the internet through a web proxy server, and all HTTP traffic between the client machine and the internet must pass through that proxy server.
Communication between the WSMan client and server must remain secure to prevent eavesdropping by the proxy, so WSMan proxy support is available only over HTTPS; setting proxy information is not valid when the HTTP transport is specified. WSMan implements its own failover mechanism, and for performance reasons the WSMan client stack caches the result of the WinHTTP auto-detection process per session.
In this blog, we illustrate the scenario of using a WSMan client through a web proxy for remote management.
1) On server machine
In the following example, we either use "quickconfig" to create an HTTPS listener and explicitly open port 5986, or set EnableCompatibilityHttpsListener to True to create an HTTPS listener and explicitly open port 443. We also make sure the server side allows Basic authentication.
PS D:\Windows\system32> Set-WSManQuickConfig -UseSSL
WinRM Quick Configuration
Running the Set-WSManQuickConfig command has significant security implications, as it enables remote ……………………………….
PS D:\Windows\system32> netsh advfirewall firewall add rule name="Port 5986" dir=in action=allow protocol=TCP localport=5986
Ok.
PS D:\Windows\system32> Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener $true
PS D:\Windows\system32> netsh advfirewall firewall add rule name="Port 443" dir=in action=allow protocol=TCP localport=443
Ok.
PS D:\Windows\system32> Set-Item WSMan:\localhost\Service\Auth\Basic $true
PS D:\Windows\system32>
2) On client machine
After the server side is set up, the end user can operate a WSMan client from behind a web proxy for remote management. Note that most WinRM-related PowerShell cmdlets have a SessionOption parameter, which allows the proxy information to be specified.
PS D:\Windows\system32> $remoteCred = Get-Credential Administrator
PS D:\Windows\system32> $proxyCred = Get-Credential domain\user
PS D:\Windows\system32> $SessionOption=New-WSManSessionOption -ProxyAuthentication Negotiate -ProxyAccessType ProxyIEConfig -ProxyCredential $proxyCred
PS D:\Windows\system32> Get-WSManInstance -ConnectionURI https://machineFQDN:443/wsman -ResourceURI winrm/config -SessionOption $SessionOption -Authentication Basic -Credential $remoteCred
cfg : https://schemas.microsoft.com/wbem/wsman/1/config
lang : en-US
MaxEnvelopeSizekb : 150
MaxTimeoutms : 60000
MaxBatchItems : 32000
……………………………
In the above example we create a WSMan Session option hashtable which can be passed into WSMan cmdlets such as Get-WSManInstance. That session option takes the following parameters and values related to proxy info:
ProxyAuthentication: Specifies the authentication method to use at the proxy. The available options are as follows:
- Negotiate: Use Negotiate authentication (either Kerberos or NTLM) for establishing a remote connection.
- Basic: Use Basic authentication for establishing a remote connection.
- Digest: Use Digest authentication for establishing a remote connection.
ProxyCredential:
- Required if ProxyAuthentication is Basic or Digest; optional if ProxyAuthentication is Negotiate, as it can use the implicit logon credential.
- Cannot be specified if ProxyAuthentication is not specified.
ProxyAccessType:
- ProxyIEConfig
- ProxyWinHttpConfig
- ProxyAutoDetect
- ProxyNoProxyServer: Do not use a proxy server. All host names will be resolved locally.
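The parameter rules above can be checked before any connection is attempted. The following is an added example, not code from the original post: the function name New-ProxiedWSManSessionOption and its parameter layout are hypothetical, and it only wraps the New-WSManSessionOption parameters shown on this page.

```powershell
# Added example (hypothetical helper, not from the original post).
# Enforces the rules described above, then builds the session option.
function New-ProxiedWSManSessionOption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri] $ConnectionUri,
        [ValidateSet('ProxyIEConfig', 'ProxyWinHttpConfig', 'ProxyAutoDetect', 'ProxyNoProxyServer')]
        [string] $ProxyAccessType = 'ProxyIEConfig',
        [ValidateSet('Negotiate', 'Basic', 'Digest')]
        [string] $ProxyAuthentication,
        [pscredential] $ProxyCredential
    )

    # Rule 1: proxy information is only valid over HTTPS, never HTTP.
    if ($ConnectionUri.Scheme -ne 'https') {
        throw "Proxy settings require an https:// URI, got '$($ConnectionUri.Scheme)'."
    }
    # Rule 2: ProxyCredential cannot be specified without ProxyAuthentication.
    if ($ProxyCredential -and -not $ProxyAuthentication) {
        throw 'ProxyCredential cannot be specified without ProxyAuthentication.'
    }
    # Rule 3: Basic and Digest need an explicit credential;
    # Negotiate may fall back to the implicit logon credential.
    if (($ProxyAuthentication -in 'Basic', 'Digest') -and -not $ProxyCredential) {
        throw "ProxyAuthentication '$ProxyAuthentication' requires ProxyCredential."
    }

    # Pass only the parameters that were actually supplied.
    $params = @{ ProxyAccessType = $ProxyAccessType }
    if ($ProxyAuthentication) { $params.ProxyAuthentication = $ProxyAuthentication }
    if ($ProxyCredential)     { $params.ProxyCredential     = $ProxyCredential }
    New-WSManSessionOption @params
}

# Rejected before any traffic is sent: HTTP transport with proxy settings.
try {
    New-ProxiedWSManSessionOption -ConnectionUri 'http://machineFQDN:5985/wsman' -ProxyAuthentication Negotiate
} catch {
    Write-Warning $_.Exception.Message
}

# Accepted: HTTPS with Negotiate and the implicit logon credential.
$uri = 'https://machineFQDN:443/wsman'   # placeholder host name, as in the example above
$opt = New-ProxiedWSManSessionOption -ConnectionUri $uri -ProxyAuthentication Negotiate
# Get-WSManInstance -ConnectionURI $uri -ResourceURI winrm/config -SessionOption $opt -Authentication Basic -Credential $remoteCred
```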
Comments
- Anonymous
August 05, 2010
Hi, does the WMI .NET API support a web proxy? There is a case as follows.
- I have some servers on a public network which is outside of our internal network.
- I can access these servers through a web proxy.
- I have a tool which was developed with the WMI .NET API. This tool sets up a WMI connection to the servers, copies a program to the servers and launches the program on these servers. (That is, it deploys some software to the servers remotely.) The issue is that the web proxy is there, so I cannot connect to the servers with the WMI API. So my question is, does the WMI API support a web proxy? And which class or method should I call....