PowerShell – How to establish a remote PowerShell session to the public IP address of an Azure VM

Tags: azure, powershell

I am trying to get a remote PowerShell session to a Windows Server 2016 deployed on Azure via its public IP address (initially I was trying to configure Server management tools gateway, however I can't get it working even between two identical, freshly deployed servers).

I have two servers (target 10.0.0.4 and source 10.0.0.5) connected to the same subnet, and I can connect from the source to the target on the local network (10.0.0.0):

PS C:\> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.0.0.4" -Concatenate -Force
PS C:\> Enter-PSSession -ComputerName 10.0.0.4 -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[10.0.0.4]: PS C:\Users\techraf\Documents> exit

If, however, I try to use the target's public IP address, the connection gets refused:

PS C:\> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "13.85.78.151" -Concatenate -Force
PS C:\> Enter-PSSession -ComputerName 13.85.78.151 -Credential (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Enter-PSSession : Connecting to remote server 13.85.78.151 failed with the following error message : WinRM cannot
complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the
network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 13.85.78.151 -Credential (Get-Credentia ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (13.85.78.151:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

Prior to trying, I have:

  • created an inbound rule in the NSG for TCP ports 5985 and 5986 (for the whole internet)
  • disabled (completely, for a test) Windows firewall on the target system

I also checked the target ports with nmap from the source machine, and while 5985 is open, 5986 is closed (including connections on the 10.0.0.0 network).

Is there anything else required to make it work?

Best Answer

Which mode do you use when you deploy the VMs? If it is ASM (Azure service management), then please try to deploy the two VMs in different cloud services.

I've tested this in ARM (Azure Resource Manager); WinRM works when I open only TCP port 5985.

  • disabled (completely, for a test) Windows firewall on the target system

How did you disable the firewall? Please do not stop the services, which may cause unexpected firewall behavior. We need to turn off the firewall with the GUI.

  • I also checked the target ports with nmap from the source machine, and while 5985 is open, 5986 is closed (including connections on the 10.0.0.0 network).

You need to perform a network capture on the target server to see the detailed flow of this communication.

  1. If the target server doesn't receive the request from the client, then the NSG or some external firewall is blocking this connection.
  2. If the target server receives the request and it doesn't send back a response, then we need to check whether the WinRM service receives the request by checking the event log.
  3. If there is nothing logged in the event log, it means that something on the target server is blocking the connection. Otherwise, the WinRM service should log the reason why it drops the request.
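The connection attempt from the question and the three-step check from the answer, as an added PowerShell example (this is not code from the question or the answer). The addresses 10.0.0.4, 10.0.0.5 and 13.85.78.151 are the ones in the question; the client's public IP (203.0.113.10, a documentation address) and the rule name "WinRM HTTPS (5986)" are assumptions, and the firewall rules are selected by display group rather than by hardcoded rule names. The "target" section runs on 10.0.0.4 and the "client" section on 10.0.0.5.

```powershell
# Added example, not part of the original post or answer.
$TargetPrivateIp = '10.0.0.4'
$TargetPublicIp  = '13.85.78.151'
$ClientPublicIp  = '203.0.113.10'   # ASSUMPTION: the source VM's public IP; take the real value from the portal

# ---- On the target (10.0.0.4) ----

# 1. Is the service up, and which listeners exist? Enable-PSRemoting creates only
#    the HTTP listener on 5985, which is why nmap reports 5986 as closed.
Get-Service WinRM | Select-Object Status, StartType
winrm enumerate winrm/config/listener

# 2. Which profile is the NIC on? A VM that is not domain-joined lands on "Public",
#    and the stock WinRM rule for that profile allows LocalSubnet only, which is
#    exactly the condition the Enter-PSSession error message describes.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = $addr.RemoteAddress
        }
    }

# 3. Rather than disabling the firewall, widen the Public-profile rule to the one
#    address that should be allowed in. The NSG should list the same address;
#    "Internet" as the source for a listener that accepts NTLM/Negotiate logons
#    is the thing to avoid.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Where-Object { $_.Profile -match 'Public' } |
    Set-NetFirewallRule -RemoteAddress $ClientPublicIp

# 4. Did the request reach WinRM at all (steps 2 and 3 of the answer)? An empty
#    log while a packet capture shows the SYN arriving means something between
#    the NIC and the service dropped it; otherwise the drop reason is here.
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 5. Optional: give 5986 something to answer on. A self-signed certificate is
#    enough for the test; the client then needs
#    -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck), which
#    defeats server authentication, so use a CA-issued certificate for real use.
$cert = New-SelfSignedCertificate -DnsName $TargetPublicIp -CertStoreLocation Cert:\LocalMachine\My
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $ClientPublicIp -Action Allow   # name is an assumption

# ---- On the client (10.0.0.5) ----

# TCP reachability first (step 1 of the answer), then a WS-Man Identify request,
# which needs no credentials and separates "port open" from "WinRM answering".
foreach ($ip in $TargetPrivateIp, $TargetPublicIp) {
    $tcp = Test-NetConnection -ComputerName $ip -Port 5985 -WarningAction SilentlyContinue
    "{0}:5985 TCP reachable = {1}" -f $ip, $tcp.TcpTestSucceeded
    try   { $null = Test-WSMan -ComputerName $ip -ErrorAction Stop; "$ip WS-Man Identify OK" }
    catch { "$ip WS-Man Identify failed: $($_.Exception.Message)" }
}

# Only then trust the public IP and open the session (add -UseSSL once the
# HTTPS listener from step 5 exists).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $TargetPublicIp -Concatenate -Force
Enter-PSSession -ComputerName $TargetPublicIp -Credential (Get-Credential)
```

The firewall and NSG changes in steps 3 and 5 assume you know which source address the target sees the client arriving from; that is precisely what the answer's packet capture on the target will tell you, so run the capture before narrowing either rule. Note also that Test-WSMan succeeding while Enter-PSSession fails points at authentication (TrustedHosts or the credential) rather than at the network path.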