Lab: Configure PowerShell WebAccess for management
Now that I have my Lab configured and set up to accept remoting from my Client machine, I want to set up a small Hyper-V lab onto this Host.
Since my goal is to manage as much as possible through PowerShell, my current setup will run into the following problem: I can remote into my lab host, but due to single-hop remoting, it is not recommended to daisy chain sessions.
In case you DO want this, you can look at the following articles that will give you more insight on multihop remoting. A small insight on what is required:
|
|
What is the goal and what is required?
The goals I have are quite simple:
- PowerShell access to my Host machine
- PowerShell access to my Guest VM’s
- It has to be secure, following Best Practice
In order to obtain these goals I first have to figure out what the best practice is, since I can already access Host machine.
According to a PowerPoint presentation made by Lee Holmes [part of the PowerShell team since v.1] CredSSP should only be used in case of Highly Trusted Servers, because otherwise
‘This opens you up to credential theft, so is disabled by default on both the client and the server’
Ok, so I need another way to get access to my Hosts, which allows access to my Guest VM’s without having to multihop remote or RDP to my Host machine.
In comes PowerShell WebAccess! This allows us to connect to the Host machine as console and through that session I can remote onto my Guest VM’s!
The Code
Getting this all done required 4 steps that can easily be done through PowerShell:
- Install PowerShell WebAccess
- Configure the PowerShell WebAccess Web Application - Gateway
- Configure a restrictive authorization rule
- Use PowerShell WebAccess
Installing PowerShell Web Access
To install PowerShell WebAccess is quite simple, but first let’s check if it’s not already installed or perhaps requires source media:
|
|
In my case this has not been done yet, so we’ll go ahead and install this. Do note that PowerShell WebAccess required IIS as Web Server, so this will also get installed.
|
|
Reboot the machine if required, but normally you should be ready to continue.
Configure the PowerShell WebAccess Web Application - Gateway
Now that we have PowerShell WebAccess installed, we need to configure it for usage. We can do this using
|
|
As the added parameter implies, this will set up a self signed certificate which is recommended for test environments only. The certificate will expire in 90 days after which you should re-assign a new self-signed certificate. When setting up a secure production environment be sure to use a valid certificate signed by a CA.
This command will configure a few things for you:
- Install the PSWA Web Application
- Install the PSWA Application Pool
- Install PSWA within the IIS Default Web Site container
- Automatically configures IIS to run on the default website under https://[servername]/pswa
- Bind a self signed certificate to the PSWA Web Application
In case you want to set up a valid certificate, use the following command
|
|
And configure the certificate through bindings on IIS Manager.
Configure a restrictive authorization rule
Now that we have the Role installed and the Gateway configured, we need to define who is actually allowed to access PowerShell WebAccess on this machine. We can do this by explicitly granting access to users through the following commands. Do note, there is no GUI alternative to add or manage there permissions, PowerShell will be required!
Now in case of a test environment, you won’t to be too picky on who can access your machine, but in case of production you should make sure to configure these settings with care!
|
|
As the command implies, all users, connecting to all computers, are allowed granted access to all configurations.
In case you want to restrict this access a little bit more, you can do this by simply defining the provided parameters with more detail. For my environment I personally restricted the UserName to the local administrator, just because I can 🙂
Use PowerShell WebAccess
Now that everything’s configured, let’s give it a test run!
Open your browser to the server’s name or FQDN
To log in there’s one tiny thing to keep in mind:
In the User name field, be sure to provide it in the format you’ve defined your PswaAuthorizationRule, so in my case CONTOSO-SRV001\administrator instead of simply Administrator.
You have full [secure] access to your Host VM, providing access to all Cmdlets, tab-completion etc. and you can now securely remote onto your Guest VM’s.
Happy scripting! 🙂