PowerShell Remote Management (1) covered the remote management process itself. Today we will talk about managing PowerShell through interactive sessions, i.e. the PSSession. A PSSession is a Windows PowerShell session that can share data and provide an interactive conversation. We can create a session for individual commands, for example with Invoke-Command, to execute a job remotely. We can also use Enter-PSSession to connect directly to a remote computer and establish a persistent, secured remote conversation in which all of our commands are executed.
PowerShell remote sessions come in three forms: a remote connection inside a domain environment, a remote connection across the WAN/LAN in TrustedHosts mode, and a remote connection across the WAN/LAN with SSL encryption. Roughly: when the machine we operate from and the remote machine are in the same Active Directory, PowerShell can use Kerberos directly (based on the FQDN), while NTLM transmits identity based on IP addresses; in both cases the credentials of the user currently logged on to the machine are used by default. When we are in a different network environment, or the workstation is not joined to a domain and cannot present a domain identity, we can use the TrustedHosts or the SSL-encrypted method to present a session identity to the remote machine.
PowerShell establishes remote sessions on top of WinRM and WinRS; compare this with the traditional WMI over DCOM. WMI relies on DCOM to execute management tasks on remote computers, and firewalls often block all incoming DCOM communication, which makes remote WMI very difficult (if not completely impossible). Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol; it is based on standard SOAP, passes through firewalls far more easily, and allows hardware and operating systems from different vendors to interoperate. In other words, we use the local WinRS (Windows Remote Shell) on the client to connect over HTTP or HTTPS to the remote WinRM (Windows Remote Management) service and obtain management data as SOAP messages (WMI is still used at the underlying layer, but it is wrapped in SOAP for communication). Note: both the client and the server must have WinRM installed and enabled.
Solution One: TrustedHosts
Client: non-domain environment, domain vm.terry-corp.com (it can also be a workgroup; I am using a domain here).
Open PowerShell on the client, change into the WSMan client configuration and list it:
PS> cd WSMan:\localhost\Client
PS Microsoft.WSMan.Management\WSMan::localhost\Client> ls
(TrustedHosts is empty by default. TrustedHosts or SSL must be used when Kerberos authentication is not available, i.e. in an untrusted environment.)
# Set-Item TrustedHosts "<IP address or workgroup machine name of the machine in the domain>"
Here I am executing:
Set-Item TrustedHosts "192.168.133.67"
View the result with ls:
Name               Value
----               -----
NetworkDelayms     5000
URLPrefix          wsman
AllowUnencrypted   false
Auth
DefaultPorts
TrustedHosts       192.168.133.67
Modified successfully!
Server: enable remote access:
Enable-PSRemoting -Force
This starts the WinRM service and adds the WinRM firewall exception. In wf.msc you can confirm again that the Windows Remote Management rules have exceptions that allow your client.
Client: open PowerShell and connect:
Enter-PSSession -ComputerName 192.168.133.67 -Credential vm.terry-corp.com\Administrator
(You can supply your own credentials; I use a domain account here.)
If it succeeds, the prompt changes to:
[192.168.133.67]: PS C:\Users\Administrator\Documents>
Remember to leave the session with Exit-PSSession.
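As an added example (not code from the original post), this script sets TrustedHosts on the client the way Solution One describes but refuses the catch-all "*" that many guides suggest, appends hosts with -Concatenate instead of overwriting the list, and checks the server answers before a session is opened. It assumes PowerShell 3.0 or later in an elevated prompt and the server IP from this post.

```powershell
# Added example, not from the original post. Scopes TrustedHosts to named hosts
# instead of "*" and re-checks the client settings the post lists.
# Assumes PowerShell 3.0+ on the client, run from an elevated prompt.
$Hosts = @("192.168.133.67")            # the server from the post; adjust as needed
$path  = "WSMan:\localhost\Client\TrustedHosts"

# Weak setting, shown only for contrast: "*" makes the client willing to send
# NTLM credentials to any host that answers on 5985, so it is never used here.
#   Set-Item $path -Value "*" -Force

$current  = (Get-Item $path).Value
$existing = @()
if ($current) { $existing = $current -split "," | ForEach-Object { $_.Trim() } }
if ($existing -contains "*") {
    Write-Warning "TrustedHosts already contains '*'; replace it with explicit hosts"
}

foreach ($h in $Hosts) {
    if ($h -eq "*") { throw "Refusing to add wildcard to TrustedHosts" }
    if ($existing -notcontains $h) {
        # -Concatenate appends to the list instead of overwriting it.
        Set-Item $path -Value $h -Concatenate -Force
    }
}

# Re-read the client configuration; AllowUnencrypted should still be false.
Get-ChildItem WSMan:\localhost\Client |
    Where-Object { $_.Name -in "TrustedHosts", "AllowUnencrypted" } |
    Format-Table Name, Value -AutoSize

# Confirm the server answers WS-Management before opening a session.
# Test-WSMan sends an unauthenticated Identify request over HTTP (5985).
foreach ($h in $Hosts) { Test-WSMan -ComputerName $h }
```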
Solution Two: SSL
WS-Management already encrypts all Windows PowerShell content transmitted over the network. -UseSSL is an additional protection measure that sends the data over an HTTPS connection instead of an HTTP connection.
SSL is therefore the more secure and reliable remote management method.
SSL works by having the client and server confirm each other's identity during the handshake; it also guarantees the origin of the data and that it is neither modified nor eavesdropped on in transit.
First, you must generate an SSL certificate.
(Note: I originally planned to use Active Directory Certificate Services to issue a certificate for my machine name, but the name of my machine in the domain carries the DNS suffix, while my client connects by IP address, so the certificate's CN and the machine name would be considered inconsistent. The Active Directory server is usually on an intranet, so if you want to use an Active Directory certificate directly, the client must be able to resolve that DNS name. For that reason I am using a self-signed certificate here.)
You can use selfssl.exe or makecert.exe.
Download SelfSSL: http://www.microsoft.com/downloads/...laylang=en
makecert.exe ships with the .NET Framework tools.
Server-side certificate generation
SelfSSL:
C:\Program Files (x86)\IIS Resources\SelfSSL> selfssl.exe /N:CN=192.168.133.67 /V:3600 /T /Q
(The IP is the IP address of the server; /T adds the certificate to the trusted root store and /V sets the validity in days.)
makecert:
makecert.exe -pe -n "CN=192.168.133.67" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -r c:\1.cer
(1.cer is written to the root of C:; -eku 1.3.6.1.5.5.7.3.1 marks it for Server Authentication.)
Open inetmgr and remove the SSL (443) binding that SelfSSL added to the Default Web Site.
Open MMC (File -> Add/Remove Snap-in), add the Certificates snap-in for the local computer, and find the certificate under Trusted Root Certification Authorities.
Export the certificate.
Copy it to the client and import it into the client's Trusted Root Certification Authorities store.
Return to the server again.
Open MMC, find the certificate and copy the thumbprint from the certificate details:
EB 10 24 5D 89 11 4A 57 4C 0C BA AC 79 B7 3B 3A 05 AA 1B D7
Run cmd:
C:\Users\Administrator> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="192.168.133.67";CertificateThumbprint="EB 10 24 5D 89 11 4A 57 4C 0C BA AC 79 B7 3B 3A 05 AA 1B D7"}
This adds the HTTPS listener bound to the certificate thumbprint.
On success it displays:
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS
Running winrm enumerate winrm/config/listener also confirms whether the listener was added successfully:
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = 192.168.133.67
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = EB 10 24 5D 89 11 4A 57 4C 0C BA AC 79 B7 3B 3A 05 AA 1B D7
    ListeningOn = 127.0.0.1, 192.168.28.128, 192.168.133.67, ::1, fe80::5efe:192.168.28.128%13, fe80::5efe:192.168.133.67%12, fe80::856d:7551:c80d:b615%11, fe80::c576:2df6:6d25:6da6%10
The SSL certificate has been added correctly. Client: connect.
Open PowerShell and run:
Enter-PSSession -ComputerName 192.168.133.67 -Credential vm.terry-corp.com\Administrator -UseSSL
On success it displays:
[192.168.133.67]: PS C:\Users\Administrator\Documents>
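As an added example (not code from the original post), this script runs elevated on the server after the HTTPS listener has been created and checks that the certificate bound to it is one a client will actually accept: it exists in LocalMachine\My with a private key, has not expired, carries the Server Authentication EKU that makecert's -eku set, and its CN matches the listener hostname the client will pass to -ComputerName. It assumes the server IP from this post and PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Run elevated on the server after
# creating the HTTPS listener; verifies the bound certificate is usable.
# Assumes the server hostname/IP from the post.
$expectedHost = "192.168.133.67"

$listener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" }
if (-not $listener) { throw "No HTTPS listener found (see winrm enumerate winrm/config/listener)" }

$props        = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
$thumb        = (($props | Where-Object Name -eq "CertificateThumbprint").Value) -replace "\s", ""
$listenerHost = ($props | Where-Object Name -eq "Hostname").Value
$port         = ($props | Where-Object Name -eq "Port").Value

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "Thumbprint $thumb is not in LocalMachine\My; WinRM cannot use it" }

$issues = @()
if (-not $cert.HasPrivateKey)      { $issues += "certificate has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { $issues += "certificate expired on $($cert.NotAfter)" }

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what makecert's -eku set above.
$eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$ekuOids = @()
if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($eku -and ($ekuOids -notcontains "1.3.6.1.5.5.7.3.1")) {
    $issues += "missing Server Authentication EKU"
}

# The CN must match the name the client passes to -ComputerName.
$cn = (($cert.Subject -split ",")[0]) -replace "^\s*CN=", ""
if ($cn -ne $listenerHost -or $listenerHost -ne $expectedHost) {
    $issues += "CN '$cn' / listener hostname '$listenerHost' do not match '$expectedHost'"
}
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Self-signed certificate: clients must import it into Trusted Root, as above"
}

if ($issues) {
    Write-Warning ("HTTPS listener on port ${port}: " + ($issues -join "; "))
} else {
    "HTTPS listener on port $port is bound to a usable certificate ($thumb)"
}
```

Enable-PSRemoting only opens the firewall for the HTTP listener on 5985; an inbound TCP rule for 5986 has to be added separately or the client will time out even though this check passes.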
So far, the two methods of Windows PowerShell remoting have been explained. If anything is unclear, you can contact me directly through cnblogs. The next article describes how to use a URI to connect to a remote WinRM service for management; this mainly involves the configuration of IIS and SSL.