Appendix A: Prerequisites for Enabling the Integrated Windows Gateway Mode

Table 1. Privlilege Model for IIS Devices only
Usecases Required Level Type Details Purpose
Device and CA communications User account type User User Account Added to Group 1. Domain Admin To ensure seamless WinRM communication from a remote Java process, adding the user to the Domain Admin group is necessary. This grants the required permissions for enabling communication, remote execution,preventing operational failures and maintaining functionality.
2. Remote Management Users Adding the user to the Remote Management Users group is essential for enabling WinRM communication, as it grants the necessary permissions for remote execution and management tasks, ensuring secure and efficient operation.
User permission System Winrm Permissions To enable WinRM communication in a Windows machine, follow the instructions given below:
  1. Enable PSRemoting: Enable-PSRemoting -Force2
  2. Configure WinRM service:

    Set-Service -Name WinRM -StartupType Automatic

    Start-Service -Name WinRM3

  3. Allow WinRM Through Firewall : (if any)

    Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC"

    Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP-DOMAIN"

  4. Permissions for WSMAN

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

    winrm set winrm/config/service/auth '@{Basic="true"}'

 The WinRM methodology is used to connect Windows machines with the Cloud Connector, using PowerShell scripts and commands for executing actions.
Ports System 5985 HTTP
System 5986 for HTTPS communication (Not Certified Yet)
Fetch CA - Domain execution host Devices part of Domain controllers gets all CA's available in that domain

Command to check : systeminfo | findstr /C:"OS Configuration"
Table 2. Minimum Privilege Model (for IIS and other devices)
Device and CA communications (Other than IIS devices and management) User account service Account Added to Group:
  • Remote Management Users
User permission Winrm Permissions All these steps can be done by executing UserPrivEnablement.ps1 script given. below
Permissions
  1. Enable Auth:
    winrm set winrm/config/service/Auth '@{Basic="true"}'
  2. User group requirements: Should be added to below groups
    1. Remote Management Users
    2. Performance Monitor Users
    3. WinRMRemoteWMIUsers (This Group should be created if not present)
  3. In a CMD Window (run as Administrator) execute
    winrm configSDDL default
    Add the user and configure permissions. Check 'Allow' for Read(Get,Enumerate,Subscribe) and Execute(Invoke)
IIS device communications and other managements User account service Account Added to Group:
  1. Domain Admin
  2. Remote Management Users
User permission Winrm Permissions
Permissions
  1. Enabling PSRemoting:
    Enable-PSRemoting -Force
  2. Configure WinRM service:
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
  3. Allow WinRM through Firewall (if any):
    Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC"
    Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP-DOMAIN"
  4. Permissions for WSMAN:
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
Fetch CA - Command execution host Device type Domain controller Devices that are part of domain controllers gets all CA's available in that domain. Use the command to check the same: 
systeminfo | findstr /C:"OS Configuration
The Device can either be domain controller or the device that responds with the CA templates for the command below: 
winrs -r:localhost -u:<username> -p:<password> powershell . "certutil -config "<CA_Server\CA_Name>" -caTemplates -v"
Sample command:
winrs -r:localhost -u:user1 -p:pass powershell . "certutil -config "TestCAServer.test.com\TestCaServer-001>" -caTemplates -v"
Ports Winrm with HTTP 5985 This port should be enabled and open for communication from CC
Winrm with HTTPS 5986 For HTTPS communication, End Devices should be enabled with HTTPS specific configuration.

Please refer EnableHTTPs.ps1 script below.
Script: UserPrivEnablement.ps1
# Get the username at runtime
$user = Read-Host "Enter the username"

# 1. Enable Authentication for WinRM
winrm set winrm/config/service/Auth '@{Basic="true"}'

# 2. Add the user to required local groups
net localgroup "Remote Management Users" /add $user
net localgroup "Performance Monitor Users" /add $user

# Check if "WinRMRemoteWMIUsers__" exists, if not create it
$groupName = "WinRMRemoteWMIUsers__"
$groupExists = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue

if (-not $groupExists) {
    New-LocalGroup -Name $groupName -Description "WinRM Remote WMI Users"
}

# Add the user to the "WinRMRemoteWMIUsers__" group
Add-LocalGroupMember -Group $groupName -Member $user

# 3. Execute the 'winrm configSDDL default' command to configure permissions
Invoke-Expression -Command "cmd /c 'winrm configSDDL default'"

# Set permissions for the user (e.g., Read and Execute)
# Note: You would typically do this in the "winrm configSDDL default" command manually or via script 
# to allow Read (Get, Enumerate, Subscribe) and Execute (Invoke) for the specific user, but this may require elevated permissions.

# 4. Update Group Policy
gpupdate /force

Write-Host "User account setup complete. Please check the permissions in the WinRM configuration if needed."
Script: EnableHTTPs.ps1
# Prompt user for the certificate thumbprint
$newCertThumbprint = Read-Host "Enter the new certificate thumbprint"

# Keep asking for the IP address until it is not empty
$ip = ""
while (-not $ip) {
    $ip = Read-Host "Enter the IP address (this cannot be empty)"
    if (-not $ip) {
        Write-Host "IP address cannot be empty. Please enter a valid IP address."
    }
}

$port = "5986"  # Default port is always 5986
$ipport = $ip+":"+$port  # Combine IP and port into one variable
$hostname = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname

# Show the existing certificate thumbprint associated with the WinRM HTTPS listener
$currentBinding = netsh http show sslcert ipport=$ipport

if ($currentBinding -like "*Certificate Hash*") {
    $currentCertThumbprint = ($currentBinding | Select-String -Pattern "Certificate Hash" | ForEach-Object { $_.Line.Split(':')[1].Trim() })
    Write-Host "Current certificate thumbprint: $currentCertThumbprint"
} else {
    Write-Host "No existing certificate bound to port: $port"
}

# Disassociate the existing certificate if a thumbprint is found
if ($currentCertThumbprint) {
    netsh http delete sslcert ipport=$ipport
    
    # Verify deletion
    $postDeleteBinding = netsh http show sslcert ipport=$ipport
    if ($postDeleteBinding -like "*The system cannot find the file specified*") {
        Write-Host "Successfully removed the certificate binding from port $port"
    } else {
        Write-Host "Failed to remove the certificate binding. Exiting."
        exit 1
    }
} else {
    Write-Host "No certificate found to disassociate."
}

# Delete the existing WinRM HTTPS listener
Write-Host "Deleting the existing WinRM HTTPS listener..."
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

# Add the new thumbprint to the WinRM config
Write-Host "Setting the new certificate thumbprint in WinRM configuration..."
winrm set winrm/config/service "@{CertificateThumbprint=`"$newCertThumbprint`"}"

# Create a new listener and associate the new certificate with the specified port
Write-Host "Creating a new listener and binding the new certificate to port $port..."
$appId = [guid]::NewGuid().ToString()  # Generate a random app GUID
netsh http add sslcert ipport=$ipport certhash=$newCertThumbprint appid="{$appId}"

# Create the new listener using WinRM
New-Item -Path WSMan:\Localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $newCertThumbprint -HostName $hostname -Force

# Verify the new binding
$finalBinding = netsh http show sslcert ipport=$ipport
if ($finalBinding -like "*Certificate Hash*") {
    Write-Host "New certificate bound to port $port successfully."
} else {
    Write-Host "Failed to associate the new certificate."
    exit 1
}