Windows Admin Center WinRM not working over VPN

sysadmin_glns 1 Reputation point
2020-09-25T20:11:12.847+00:00

Hello all, I use Windows Admin Center often to manage my server (OS: Hyper-V Server) and workstations (Windows 10 PCs), and I have WinRM configured for all of them.

However, when I switch to VPN, I can access all my workstations fine, except my server, which returns a WinRM error:

WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer.

I am puzzled as to why WinRM access to the workstations works over VPN, but not the server.

In Powershell, Test-NetConnection to the server over ports 5985 and 5986 works without VPN;
however when the VPN is turned on TcpTest works on 5986 but fails for 5985.

Test-NetConnection to the workstations over ports 5985 and 5986 works with and without VPN!

Now I'm not sure what to do with this information. Any pointers in the right direction would be appreciated!

Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,364 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
442 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Jenny Yan-MSFT 9,336 Reputation points
    2020-09-28T08:01:27.667+00:00

    Hi,

    1. Please verify the status of port 5985 when enabling VPN on the problematic server and check if it is occupied by other process.
      netstat -ano | findstr "<port>"
      tasklist /svc /FI "PID eq xxxx"

    Reference link:
    https://cordero.me/netstat-and-finding-processes-apps/
    https://morgantechspace.com/2015/01/get-process-name-from-pid-using-command-prompt.html
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    2.Kindly check the firewall settings on the problematic server and compare between with and without VPN to see if any differences.

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny

    0 comments No comments

  2. Jeffrey Ozanne 0 Reputation points
    2024-10-04T06:01:01.58+00:00

    This is because the VPN server is using a Public interface for incoming connections.

    Another problem is that the WinRM preconfigured rules of 'Windows Remote Management (HTTP-In)' scope for Remote IP Addresses only allows Local Subnet while the VPN connection comes in over the Internet, so the connection is blocked.

    The way I was able to solve it and allow only connections within my network was to manually set an IP address that matches the local network. For example, you can use these private IPs as a starting point: 192.168.0.0/24, 172.16.0.0/16, or 10.0.0.0/8 for ipv4 and/or FC00::/7 or FD00::/7 for ipv6. This would be done on the Public rules for the HTTP and HTTPS rules for WinRM. If you want to disallow all direct connections from the internet (Without the VPN), even if somehow someone forwards the port on your router manually or by using UPnP, you can keep Windows Firewall from accepting connections from your router. As an example, if your router IP is 192.168.1.1, you could allow 192.168.1.2/24 in the scope. On a sidenote, Windows does this with SMB port 445 as well. So, if you're trying to access file shares on your server or getting NetBIOS through VPN with a lmhosts file that your VPN client computer grabs from your server, that won't work by default.

    Edit: It looks like there's an easier way to allow NetBIOS, mDNS, and LLMNR broadcasts through the VPN. You find the corresponding Incoming Public firewall rules and add the scope route for your private network to each of them.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.