|
|
@ -54,7 +54,8 @@ Param (
|
|
|
|
[switch]$SkipNetworkProfileCheck,
|
|
|
|
[switch]$SkipNetworkProfileCheck,
|
|
|
|
$CreateSelfSignedCert = $true,
|
|
|
|
$CreateSelfSignedCert = $true,
|
|
|
|
[switch]$ForceNewSSLCert,
|
|
|
|
[switch]$ForceNewSSLCert,
|
|
|
|
[switch]$EnableCredSSP
|
|
|
|
[switch]$EnableCredSSP,
|
|
|
|
|
|
|
|
[switch]$GlobalHttpFirewallAccess
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
Function Write-Log
|
|
|
|
Function Write-Log
|
|
|
@ -123,6 +124,60 @@ Function New-LegacySelfSignedCert
|
|
|
|
return $parsed_cert.Thumbprint
|
|
|
|
return $parsed_cert.Thumbprint
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Function Enable-GlobalHttpFirewallAccess
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
Write-Verbose "Forcing global HTTP firewall access"
|
|
|
|
|
|
|
|
# this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing
|
|
|
|
|
|
|
|
$fw = New-Object -ComObject HNetCfg.FWPolicy2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# try to find/enable the default rule first
|
|
|
|
|
|
|
|
$add_rule = $false
|
|
|
|
|
|
|
|
$matching_rules = $fw.Rules | ? { $_.Name -eq "Windows Remote Management (HTTP-In)" }
|
|
|
|
|
|
|
|
$rule = $null
|
|
|
|
|
|
|
|
If ($matching_rules) {
|
|
|
|
|
|
|
|
If ($matching_rules -isnot [Array]) {
|
|
|
|
|
|
|
|
Write-Verbose "Editing existing single HTTP firewall rule"
|
|
|
|
|
|
|
|
$rule = $matching_rules
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
Else {
|
|
|
|
|
|
|
|
# try to find one with the All or Public profile first
|
|
|
|
|
|
|
|
Write-Verbose "Found multiple existing HTTP firewall rules..."
|
|
|
|
|
|
|
|
$rule = $matching_rules | % { $_.Profiles -band 4 }[0]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If (-not $rule -or $rule -is [Array]) {
|
|
|
|
|
|
|
|
Write-Verbose "Editing an arbitrary single HTTP firewall rule (multiple existed)"
|
|
|
|
|
|
|
|
# oh well, just pick the first one
|
|
|
|
|
|
|
|
$rule = $matching_rules[0]
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If (-not $rule) {
|
|
|
|
|
|
|
|
Write-Verbose "Creating a new HTTP firewall rule"
|
|
|
|
|
|
|
|
$rule = New-Object -ComObject HNetCfg.FWRule
|
|
|
|
|
|
|
|
$rule.Name = "Windows Remote Management (HTTP-In)"
|
|
|
|
|
|
|
|
$rule.Description = "Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]"
|
|
|
|
|
|
|
|
$add_rule = $true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$rule.Profiles = 0x7FFFFFFF
|
|
|
|
|
|
|
|
$rule.Protocol = 6
|
|
|
|
|
|
|
|
$rule.LocalPorts = 5985
|
|
|
|
|
|
|
|
$rule.RemotePorts = "*"
|
|
|
|
|
|
|
|
$rule.LocalAddresses = "*"
|
|
|
|
|
|
|
|
$rule.RemoteAddresses = "*"
|
|
|
|
|
|
|
|
$rule.Enabled = $true
|
|
|
|
|
|
|
|
$rule.Direction = 1
|
|
|
|
|
|
|
|
$rule.Action = 1
|
|
|
|
|
|
|
|
$rule.Grouping = "Windows Remote Management"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If ($add_rule) {
|
|
|
|
|
|
|
|
$fw.Rules.Add($rule)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Write-Verbose "HTTP firewall rule $($rule.Name) updated"
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# Setup error handling.
|
|
|
|
# Setup error handling.
|
|
|
|
Trap
|
|
|
|
Trap
|
|
|
|
{
|
|
|
|
{
|
|
|
@ -279,6 +334,10 @@ If ($EnableCredSSP)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If ($GlobalHttpFirewallAccess) {
|
|
|
|
|
|
|
|
Enable-GlobalHttpFirewallAccess
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# Configure firewall to allow WinRM HTTPS connections.
|
|
|
|
# Configure firewall to allow WinRM HTTPS connections.
|
|
|
|
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
|
|
|
|
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
|
|
|
|
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
|
|
|
|
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
|
|
|
|