Merge pull request #12363 from breathe/devel

allow ConfigureRemotingForAnsible.ps1 script from public zone
9 years ago · 840cda741d
parent e9fe5f201f fc0801e69b
commit 840cda741d
2 changed files with 33 additions and 19 deletions
--- a/docsite/rst/intro_windows.rst
+++ b/docsite/rst/intro_windows.rst
@ -205,8 +205,13 @@ In order for Ansible to manage your windows machines, you will have to enable Po

 To automate setup of WinRM, you can run `this PowerShell script <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>`_ on the remote machine.

-Admins may wish to modify this setup slightly, for instance to increase the timeframe of
-the certificate.
+The example script accepts a few arguments which Admins may choose to use to modify the default setup slightly, which might be appropriate in some cases.
+
+Pass the -CertValidityDays option to customize the expiration date of the generated certificate.
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -CertValidityDays 100
+
+Pass the -SkipNetworkProfileCheck switch to configure winrm to listen on PUBLIC zone interfaces.  (Without this option, the script will fail if any network interface on device is in PUBLIC zone)
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck

 .. note::
   On Windows 7 and Server 2008 R2 machines, due to a bug in Windows
@ -368,5 +373,3 @@ form of new modules, tweaks to existing modules, documentation, or something els
       Questions? Help? Ideas?  Stop by the list on Google Groups
   `irc.freenode.net <http://irc.freenode.net>`_
       #ansible IRC chat channel
-
-
--- a/examples/scripts/ConfigureRemotingForAnsible.ps1
+++ b/examples/scripts/ConfigureRemotingForAnsible.ps1
@ -7,6 +7,10 @@
 #
 # Set $VerbosePreference = "Continue" before running the script in order to
 # see the output messages.
+# Set $SkipNetworkProfileCheck to skip the network profile check.  Without
+# specifying this the script will only run if the device's interfaces are in
+# DOMAIN or PRIVATE zones.  Provide this switch if you want to enable winrm on
+# a device with an interface in PUBLIC zone.
 #
 # Written by Trond Hindenes <trond@hindenes.com>
 # Updated by Chris Church <cchurch@ansible.com>
@ -19,6 +23,7 @@
 Param (
    [string]$SubjectName = $env:COMPUTERNAME,
    [int]$CertValidityDays = 365,
+    [switch]$SkipNetworkProfileCheck,
    $CreateSelfSignedCert = $true
 )

@ -96,8 +101,14 @@ ElseIf ((Get-Service "WinRM").Status -ne "Running")
 # WinRM should be running; check that we have a PS session config.
 If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
 {
-    Write-Verbose "Enabling PS Remoting."
+  if ($SkipNetworkProfileCheck) {
+    Write-Verbose "Enabling PS Remoting without checking Network profile."
+    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
+  }
+  else {
+    Write-Verbose "Enabling PS Remoting"
    Enable-PSRemoting -Force -ErrorAction Stop
+  }
 }
 Else
 {