
What is WinRM & How Do You Configure It?

Level 12

IT pros now have the added responsibility of troubleshooting performance issues in apps and servers that are hosted remotely, in addition to monitoring and managing servers and apps that are hosted locally. This is where tools like Windows Remote Management (WinRM) come in handy, because they allow you to remotely manage, monitor, and troubleshoot applications and Windows server performance.

                   

WinRM is based on Web Services Management (WS-Management), which uses Simple Object Access Protocol (SOAP) requests to communicate with remote and local hosts, multi-vendor server hardware, operating systems, and applications. If you are predominantly using a Windows environment, then WinRM will provide you with remote management capabilities to do the following:

  • Communicate with remote hosts using a port that is always left open by firewalls and client machines on a network.
  • Quickly start working in a cloud environment and remotely configure WinRM on EC2, Azure, etc. and monitor the performance of apps in such environments.
  • Ensure smoother execution and configuration for monitoring and managing apps and servers hosted remotely.

        

Configuring WinRM

If you rely on PowerShell scripts to monitor applications running on remote hosts, you will first need to configure WinRM. But this isn’t as easy as it sounds. The process is error-prone, tedious, and time-consuming, especially when you have a really large environment. To get started, you will need to enable Windows Firewall on the server on which you want to configure WinRM. Here is a link to a blog that explains step-by-step how to configure WinRM on every computer or server. Key steps include:

[Image: WinRM.png]
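As an added example (not from the original post or the linked blog), the following PowerShell script sets up an HTTPS-only listener and limits inbound access to named management hosts, the two options mentioned in the comments. The management addresses, the firewall rule name and the self-signed certificate are assumptions; run it from a local console, because it removes the HTTP listener.

```powershell
#Requires -RunAsAdministrator
# Added example: HTTPS-only WinRM listener reachable from named management hosts only.
# $MgmtHosts holds constructed placeholder addresses (TEST-NET-1); the self-signed
# certificate is a lab stand-in for one issued by your internal CA.
$MgmtHosts = @('192.0.2.10', '192.0.2.11')
$RuleName  = 'WINRM-HTTPS-In-TCP-Mgmt'   # hypothetical rule name

# 1. Start the WinRM service and apply the default remoting configuration.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 2. Create a server certificate whose names match how clients address this host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = New-SelfSignedCertificate -DnsName $fqdn, $env:COMPUTERNAME `
            -CertStoreLocation Cert:\LocalMachine\My

# 3. Remove existing HTTP/HTTPS listeners, then create one HTTPS listener
#    bound to the certificate from step 2.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -match '^Transport=HTTPS?$' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Refuse unencrypted sessions and Basic authentication on the service side.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# 5. Firewall: disable the built-in HTTP (5985) rules and allow HTTPS (5986)
#    only from the management hosts instead of from any address.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
Remove-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -Name $RuleName `
    -DisplayName 'WinRM HTTPS (management hosts only)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $MgmtHosts -Action Allow | Out-Null

# 6. Show the resulting listener for verification.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Address, Port, CertificateThumbprint
```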

           

Alternative: Automate WinRM Configuration

Unfortunately, manual methods can take up too much of your time, especially if you have multiple apps and servers. With automated WinRM configuration, remotely executing PowerShell scripts can be achieved in minutes. The SolarWinds free tool, Remote Execution Enabler for PowerShell, helps you configure WinRM on all your servers in a few minutes.

  • Configure WinRM on local and remote servers.
  • Bulk configuration across multiple hosts.
  • Automatically generate and distribute certificates for encrypted remote PowerShell execution.

          

Download the free tool here.

            

How do you manage your servers and apps that are hosted remotely? Is it using an automated platform, PowerShell scripts, or manual processes? Whatever the case, drop a line in the comments section.

11 Comments
Level 20

Does it require the Windows Firewall to work though?  If the firewall is disabled does WinRM work?

Level 14

I had a similar question... Why would the Windows Firewall need to be enabled in order for WinRM to work on the managed servers? It seems like the opposite would be true.  Sorry, a bit confused....

MVP

"create listeners to start accepting requests from any IP address"...hmm, I see audit going nuts over this.

Level 15

This sounds intriguing as right now we do everything via PowerShell scripts.  I do wonder, as was mentioned already, about the level of trusted security and what loopholes this opens up.  Too many times, we are given tools but they forget about the needs for security.  We need to ensure that tools that are developed start with security over functionality and then add the functionality.

Level 15

ecklerwr1‌ and mr.e‌ - yes, Windows Firewall is an unfortunate requirement to set up WinRM

Jfrazier‌ - you do not have to accept messages from any IP address. That probably could have been explained a bit better. You have the option to do any IP through a wildcard (*), or you can name specific trusted hosts as well.

jkump‌ - again, a little beyond what was covered in this article, but you can also set up a certificate for encrypted communications using HTTPS

You can also see some examples for WinRM configuration in the AppInsight for Exchange and IIS Manual Configuration Steps in the SAM Admin Guide

-ZackM

Loop1 Systems: SolarWinds Training and Professional Services

Level 20

Thanks Zack I was afraid of that... we disable most windows firewalls although this may change soon with some of MS starting to require it for some things.

MVP

What about port assignments?  For servers on the intranet not as crucial but those in a DMZ, security likes to have ports locked down to as few as possible.

Level 15

I *think* it's TCP 47001, 5985 (HTTP) and 5986 (HTTPS)

Level 21

I personally think the Windows Firewall is one of the worst implementations of a firewall I have ever had to work with so I generally avoid it whenever possible.

When it comes to remote management of Windows systems there are plenty of agent-based applications out there that give you some pretty awesome capabilities; what would be the argument for using WinRM over a 3rd party application suite specifically designed for this type of thing?  If you are needing to do a fair amount or more of remote administration it seems like you could pretty easily make a case for purchasing and implementing one of these solutions.

Level 15

It does seem counterintuitive that you have to turn the firewall service on in order to disable the zones of the firewall.  Or you have to turn on the firewall service to allow a remote access application to connect to the local machine.

MVP

This was answered below but worth mentioning again in case others don't read further down - you can lock it down to only receive from specific IP addresses.
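
The points raised in this thread (listeners that accept requests from any address, which ports are open, and whether traffic is encrypted) can be checked on a host with a read-only script. This is an added example, not part of the original post or of any comment; the function name `Get-WinRMExposure` is hypothetical, and 5985/5986 are the WinRM default HTTP/HTTPS ports.

```powershell
# Added example (read-only): list WinRM settings that widen exposure on this host.
# Get-WinRMExposure is a hypothetical name. Firewall rules that cover the ports via
# 'Any' or a port range are not matched here; only literal 5985/5986 entries are.
function Get-WinRMExposure {
    $report = { param($Check, $Item, $Finding)
        [pscustomobject]@{ Check = $Check; Item = $Item; Finding = $Finding } }

    # Listeners: plain HTTP gives no TLS or certificate-based server authentication.
    foreach ($l in Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate) {
        if ($l.Enabled -eq 'true' -and $l.Transport -eq 'HTTP') {
            & $report 'Listener' "HTTP/$($l.Port)" "plain-HTTP listener, address $($l.Address)"
        }
    }

    # Service settings that permit cleartext traffic or Basic authentication.
    foreach ($name in 'AllowUnencrypted', 'Auth\Basic') {
        if ((Get-Item "WSMan:\localhost\Service\$name").Value -eq 'true') {
            & $report 'Service' $name 'enabled'
        }
    }

    # Enabled inbound allow rules for the WinRM ports with no source restriction.
    foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { continue }
        $ports = @($pf.LocalPort) | Where-Object { $_ -in '5985', '5986' }
        if (-not $ports) { continue }
        $remote = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($remote -contains 'Any') {
            & $report 'Firewall' $r.Name "TCP $($ports -join ',') allowed from any address"
        }
    }
}

# An empty table means none of the three checks fired.
Get-WinRMExposure | Format-Table -AutoSize -Wrap
```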