System Orchestrator, PowerShell Remoting, WMI and Firewall Ports

A System Center Orchestrator runbook can run PowerShell scripts and WMI queries to manage remote computers.

PowerShell Remoting depends on Windows Remote Management (WinRM), which is Microsoft’s implementation of the WS-Management (WS-Man) protocol. The protocol runs over HTTP or HTTPS and uses TCP ports 5985 and 5986, respectively. WS-Management encrypts all PowerShell communication even if you only work with HTTP. However, this kind of encryption is vulnerable to man-in-the-middle attacks, so I recommend using HTTPS instead of HTTP on insecure networks.

Query WMI is one of the standard activities in a runbook. It requires that the remote computer is running the Windows Management Instrumentation service and that its Windows Firewall allows the “Windows Management Instrumentation (WMI-In)” rule.

In my working environment I have hundreds of servers to manage, but some of them cannot be managed remotely. So the first thing to do is generate the list of computers that are not ready for PowerShell remoting and WMI. Since I use SCCM to manage my servers, I use a PowerShell script to go through each member of the server device collection and test whether it is ready for Windows Remote Management and WMI.


# SCCM site server and the SMS provider namespace of site code P05
$SCCMSRV  = "SCCMSRV1"
$GroupId  = "P0100011"   # ID of the server device collection
$ColQuery = "select * from sms_cm_res_coll_" + $GroupId

# Enumerate the collection members from the SMS provider over WMI
$CollectionMembers = Get-WmiObject -ComputerName $SCCMSRV -Namespace root\sms\site_p05 -Query $ColQuery | Sort-Object Name

foreach ($Comp in $CollectionMembers) {
    # WinRM check: run a harmless remote command. -ErrorAction Stop turns a
    # connection failure into a terminating error so that Catch runs.
    Try {
        Invoke-Command -ComputerName $Comp.Name -ScriptBlock { Get-ChildItem "C:\Program Files" } -ErrorAction Stop | Out-Null
        Write-Output $Comp.Name
    }
    Catch {
        Add-Content WinRMUnavailable-Computers.txt $Comp.Name
    }

    # WMI check: -ErrorAction Stop is needed here as well, otherwise a failed
    # WMI connection is a non-terminating error and never reaches Catch.
    Try {
        Get-WmiObject Win32_OperatingSystem -ComputerName $Comp.Name -ErrorAction Stop | Out-Null
        Write-Output $Comp.Name
    }
    Catch {
        Add-Content WMIUnavailable-Computers.txt $Comp.Name
    }
}

The script creates two text files listing the servers that are not ready for remote PowerShell and for WMI, respectively.

The next step is to enable them.
If a server is not enabled for remote PowerShell, first check whether the Windows Remote Management (WS-Management) service is running:


Test-WSMan
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 2.0

If the service is running but the server is still not ready for remote PowerShell, run “winrm quickconfig” to create the WinRM listener.


PS C:\Users\admadmin> winrm quickconfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Enable the WinRM firewall exception.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
WinRM firewall exception enabled.

Here is the output when the machine is already ready for remote PowerShell.


PS C:\Users\admadmin> winrm quickconfig
WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
PS C:\Users\admadmin>

Here are the requirements for PowerShell remoting (WinRM):
• Create a Windows Firewall exception for the WinRM service on TCP ports 5985 and 5986
• Allow the WinRM service to listen for HTTP requests automatically; create the WinRM listener with the command “winrm quickconfig”
• Set the WinRM service to start automatically
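The following script is an added example, not code from the original post. It audits the three requirements above on the local server and, because the post recommends HTTPS on insecure networks, adds an HTTPS listener on TCP 5986 rather than relying only on the HTTP listener that “winrm quickconfig” creates. It assumes it is run elevated on the target server, that the NetSecurity module (Windows 2012 or later) is available, and that a server-authentication certificate whose subject is the host FQDN already exists in Cert:\LocalMachine\My; the firewall rule name “WinRM HTTPS (TCP 5986) In” is my own choice.

```powershell
# Added example (not from the original post). Run elevated on the server being enabled.
# Assumes a certificate with subject CN=<host FQDN> is already in Cert:\LocalMachine\My.

# 1. WinRM service: startup type Automatic and currently running
$svc = Get-Service -Name WinRM
if ($svc.StartType -ne 'Automatic') { Set-Service -Name WinRM -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name WinRM }

# 2. Listener: show what exists, then add an HTTPS listener if there is none
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
$listeners | Select-Object Transport, Address, Port, Enabled | Format-Table -AutoSize

if (-not ($listeners | Where-Object Transport -eq 'HTTPS')) {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No valid certificate for CN=$fqdn in Cert:\LocalMachine\My" }
    # The WSMan provider exposes -Transport/-Address/-CertificateThumbprint on New-Item
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
             -CertificateThumbprint $cert.Thumbprint -HostName $fqdn -Force | Out-Null
}

# 3. Firewall: quickconfig enables the built-in "Windows Remote Management (HTTP-In)" rule,
#    but there is no built-in HTTPS rule, so create one scoped to the Domain profile only.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action | Format-Table -AutoSize

$httpsRule = 'WinRM HTTPS (TCP 5986) In'   # rule name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $httpsRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $httpsRule -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Profile Domain -Action Allow | Out-Null
}

# Verify over TLS; a failure here usually means the certificate subject does not match the name used
Test-WSMan -ComputerName $fqdn -UseSSL
```

Once the HTTPS listener answers, the Orchestrator side can use it by adding -UseSSL to Invoke-Command and New-PSSession, and the HTTP listener can be removed if it is no longer needed.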

If you have many computers to configure, see this article: WinRM QuickConfig, HowTo Enable via GPO or Remotely on All Servers, https://www.pcwdld.com/winrm-quickconfig-remotely-configure-and-enable

Here are the requirements on the remote computer to allow WMI:
• The Windows Management Instrumentation service Startup Type is set to Automatic.
• In the Firewall settings, click the “Advanced settings” link. Under Inbound Rules, ensure “Windows Management Instrumentation (WMI-In)” is Enabled and Allowed for the Domain profile.

You can also check this article for details: https://community.ipswitch.com/s/article/Requirements-for-Remote-WMI-Access

In my working environment the servers are in different subnets and security zones, so I opened the ports below to make Orchestrator remote management work.
TCP 5985 and 5986: WinRM 2.0 (Windows Remote Management)
TCP 445: SMB (Server Message Block)
TCP 139: NetBIOS, RPC, Named Pipes
TCP 135: RPC
UDP 137: RPC/NP
UDP 138: RPC/NP

So, application-wise:
WinRM 2.0
SMB
NetBios
RPC
Named Pipes
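The following is an added example, not code from the original post. Run from the Orchestrator runbook server, it checks that each TCP port in the list above is reachable on every managed server and summarises the blocked ones per server, which is the evidence a firewall request between zones usually needs. It assumes Servers.txt (one hostname per line, a constructed input) and Test-NetConnection (Windows 8/2012 or later). UDP 137 and 138 cannot be probed with a TCP handshake, so they are reported as not testable rather than as open or blocked.

```powershell
# Added example (not from the original post). Assumes .\Servers.txt lists the managed servers.
$ports = [ordered]@{
    5985 = 'WinRM HTTP'
    5986 = 'WinRM HTTPS'
    445  = 'SMB'
    139  = 'NetBIOS session / named pipes'
    135  = 'RPC endpoint mapper (WMI over DCOM)'
}

function Test-ManagementPorts {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($p in $ports.Keys) {
        # -InformationLevel Quiet returns $true/$false for a completed TCP handshake
        $open = Test-NetConnection -ComputerName $ComputerName -Port $p `
                    -WarningAction SilentlyContinue -InformationLevel Quiet
        [pscustomobject]@{ Computer = $ComputerName; Port = "$p/tcp"; Service = $ports[$p]; Open = $open }
    }
    foreach ($u in 137, 138) {
        # UDP has no handshake; a closed port looks identical to a silent one, so do not guess
        [pscustomobject]@{ Computer = $ComputerName; Port = "$u/udp"; Service = 'NetBIOS name/datagram'; Open = 'not testable' }
    }
}

$results = Get-Content .\Servers.txt | Where-Object { $_.Trim() } |
    ForEach-Object { Test-ManagementPorts -ComputerName $_ }
$results | Format-Table -AutoSize

# One line per server with blocked TCP ports, for the firewall request
$results | Where-Object { $_.Open -eq $false } | Group-Object Computer |
    ForEach-Object { '{0}: blocked {1}' -f $_.Name, ($_.Group.Port -join ', ') }
```

Note that TCP 135 is only the RPC endpoint mapper: a WMI query over DCOM then continues on a dynamically assigned high port, which this probe does not cover, so a server that passes every check here can still fail Query WMI until that range is allowed as well. WinRM on 5985/5986 has no such dependency, which is one more reason to prefer the PowerShell remoting path where both are available.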
