Appendix A: Prerequisites for Enabling the Integrated Windows Gateway Mode
Refer to the following models for enabling the Integrated
Windows Gateway mode.
- Privlilege model (For IIS devices)
- Minimum privilege model (CA and Devices other than IIS)
| Usecases | Required | Level | Type | Details | Purpose |
|---|---|---|---|---|---|
| Device and CA communications | User account type | User | User Account | Added to Group 1. Domain Admin | To ensure seamless WinRM communication from a remote Java process, adding the user to the Domain Admin group is necessary. This grants the required permissions for enabling communication, remote execution,preventing operational failures and maintaining functionality. |
| 2. Remote Management Users | Adding the user to the Remote Management Users group is essential for enabling WinRM communication, as it grants the necessary permissions for remote execution and management tasks, ensuring secure and efficient operation. | ||||
| User permission | System | Winrm Permissions | To enable WinRM communication in a Windows machine,
follow the instructions given below: The following steps must be
executed manually:
|
The WinRM methodology is used to connect Windows machines with the Cloud Connector, using PowerShell scripts and commands for executing actions. | |
| Ports | System | 5985 | This port should be enabled and open for communication from CC | ||
| System | 5986 | For HTTPS communication, end devices should be enabled
with HTTPS specific configuration (not certified yet). To enable
HTTPS for a Cloud Connector configuration, add the following
properties in the <CC Installation
Path>/deps/properties/appviewx.properties
file: Note: Once WINRM with HTTPS is enabled for a Cloud Connector, all
communications between the Cloud Connector and any Windows
machine will happen exclusively over HTTPS. To enable HTTPS for a Windows machine, refer the EnableHTTPs.ps1 script below. |
| Usecases | Level | Type | Details |
|---|---|---|---|
| Device and CA communications (Other than IIS devices and management) | User account | service Account | A basic service account to communicate with Windows devices.. |
| User permission | Winrm Permissions | All these steps can be done by executing UserPrivEnablement.ps1 script given below. The
following commands are executed as part of the
UserPrivEnablement.ps1 script.
|
|
| Fetch CA - Command execution host | Device type | Domain controller (Primary) | Devices that are part of domain controllers gets all
CA's available in that domain. Use the command to check the same:
The
Device can either be domain controller or the device that responds
with the CA templates for the command below:
|
| Ports | Winrm with HTTP | 5985 | This port should be enabled and open for communication from CC |
| Winrm with HTTPS | 5986 | For HTTPS communication, end devices should be enabled
with HTTPS specific configuration (not certified yet). To enable
HTTPS for a Cloud Connector configuration, add the following
properties in the <CC Installation
Path>/deps/properties/appviewx.properties
file: Note: Once WINRM with HTTPS is enabled for a Cloud Connector, all
communications between the Cloud Connector and any Windows
machine will happen exclusively over HTTPS. To enable HTTPS for a Windows machine, refer the EnableHTTPs.ps1 script below. |
Script:
UserPrivEnablement.ps1
# Get the username at runtime
$user = Read-Host "Enter the username"
# 1. Enable Authentication for WinRM
winrm set winrm/config/service/Auth '@{Basic="true"}'
# 2. Add the user to required local groups
net localgroup "Remote Management Users" /add $user
net localgroup "Performance Monitor Users" /add $user
# Check if "WinRMRemoteWMIUsers__" exists, if not create it
$groupName = "WinRMRemoteWMIUsers__"
$groupExists = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
if (-not $groupExists) {
New-LocalGroup -Name $groupName -Description "WinRM Remote WMI Users"
}
# Add the user to the "WinRMRemoteWMIUsers__" group
Add-LocalGroupMember -Group $groupName -Member $user
# 3. Execute the 'winrm configSDDL default' command to configure permissions
Invoke-Expression -Command "cmd /c 'winrm configSDDL default'"
# Set permissions for the user (e.g., Read and Execute)
# Note: You would typically do this in the "winrm configSDDL default" command manually or via script
# to allow Read (Get, Enumerate, Subscribe) and Execute (Invoke) for the specific user, but this may require elevated permissions.
# 4. Update Group Policy
gpupdate /force
Write-Host "User account setup complete. Please check the permissions in the WinRM configuration if needed."Script:
EnableHTTPs.ps1
# Prompt user for the certificate thumbprint
$newCertThumbprint = Read-Host "Enter the new certificate thumbprint"
# Keep asking for the IP address until it is not empty
$ip = ""
while (-not $ip) {
$ip = Read-Host "Enter the IP address (this cannot be empty)"
if (-not $ip) {
Write-Host "IP address cannot be empty. Please enter a valid IP address."
}
}
$port = "5986" # Default port is always 5986
$ipport = $ip+":"+$port # Combine IP and port into one variable
$hostname = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
# Show the existing certificate thumbprint associated with the WinRM HTTPS listener
$currentBinding = netsh http show sslcert ipport=$ipport
if ($currentBinding -like "*Certificate Hash*") {
$currentCertThumbprint = ($currentBinding | Select-String -Pattern "Certificate Hash" | ForEach-Object { $_.Line.Split(':')[1].Trim() })
Write-Host "Current certificate thumbprint: $currentCertThumbprint"
} else {
Write-Host "No existing certificate bound to port: $port"
}
# Disassociate the existing certificate if a thumbprint is found
if ($currentCertThumbprint) {
netsh http delete sslcert ipport=$ipport
# Verify deletion
$postDeleteBinding = netsh http show sslcert ipport=$ipport
if ($postDeleteBinding -like "*The system cannot find the file specified*") {
Write-Host "Successfully removed the certificate binding from port $port"
} else {
Write-Host "Failed to remove the certificate binding. Exiting."
exit 1
}
} else {
Write-Host "No certificate found to disassociate."
}
# Delete the existing WinRM HTTPS listener
Write-Host "Deleting the existing WinRM HTTPS listener..."
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
# Add the new thumbprint to the WinRM config
Write-Host "Setting the new certificate thumbprint in WinRM configuration..."
winrm set winrm/config/service "@{CertificateThumbprint=`"$newCertThumbprint`"}"
# Create a new listener and associate the new certificate with the specified port
Write-Host "Creating a new listener and binding the new certificate to port $port..."
$appId = [guid]::NewGuid().ToString() # Generate a random app GUID
netsh http add sslcert ipport=$ipport certhash=$newCertThumbprint appid="{$appId}"
# Create the new listener using WinRM
New-Item -Path WSMan:\Localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $newCertThumbprint -HostName $hostname -Force
# Verify the new binding
$finalBinding = netsh http show sslcert ipport=$ipport
if ($finalBinding -like "*Certificate Hash*") {
Write-Host "New certificate bound to port $port successfully."
} else {
Write-Host "Failed to associate the new certificate."
exit 1
}