VMware Cloud Community
AlbertWT
Virtuoso

Implementing PS 2.0 in a secure environment?

Hi Everyone,

I'd like to know how you implement PowerShell 2.0 in a secure data center environment?

Because according to the "PCI Compliance" guide, it is not advisable to enable a remoting service that listens for and accepts commands from all IP addresses.

Any kind of help and suggestion would be greatly appreciated.

Thanks.

/* Please feel free to provide any comments or input you may have. */
8 Replies
AndreTheGiant
Immortal
LucD
Leadership

The PCI Compliance guide is talking about PowerShell Remoting, which you don't really need to work with PowerCLI.

PowerShell Remoting, in short, allows you to run PS scripts remotely on another machine.

For PowerCLI you need to allow the vCenter server to accept connections over port 443 from all PCs where you want to run PowerCLI scripts.

For some specific PowerCLI cmdlets (i.e. Invoke-VMScript) you will also need to allow port 902.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

AlbertWT
Virtuoso

Many thanks for the quick reply guys,

So in this case the solution is to enable remoting on all Windows Server VMs to accept the "invoke-item" script only from the vCenter server (single point of management) through port 443?

LucD
Leadership

No that is not needed.

You need to allow port 902 to all Windows Server VMs only if you want to use Invoke-VMScript (and some other cmdlets that use VIX).

All other PowerCLI cmdlets only need port 443 to the vCenter server, not to the Windows Server VMs, and that from all PCs where you want to run PowerCLI scripts.


AlbertWT
Virtuoso

Ah OK, is there any suggestion on how and where I should execute the script/command to allow port 902 on all Windows Server VMs in my domain?

Because I believe that by default the PowerCLI cmdlets are already working, even on my laptop.

LucD
Leadership

Do you have the Windows Firewall running on all Windows Server VMs?

If yes, you will have to allow port 902 in the FW rules.

That can be done with a GPO.

Have a look at the Windows Firewall and IPsec Policy Deployment Step-by-Step Guide.



AlbertWT
Virtuoso

Yes, I have Symantec End Point Security taking over the Windows Firewall, and that can be configured through the manager console.

Thank you once again for the explanation and guidance Luc.

AlbertWT
Virtuoso

OK, I found the command to enable PS 2.0 to listen on a specific port on the server where this script runs:

REM An HTTPS listener needs a server certificate; winrm create fails without Hostname and CertificateThumbprint (placeholders below)
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="8888";Hostname="<server FQDN>";CertificateThumbprint="<thumbprint of the server certificate>"}
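As an added example (not from this thread or from VMware), the following PowerShell script creates the same HTTPS listener with a certificate and scopes the inbound firewall rule to a single management host, which is the "don't listen to every IP" concern raised in the original question. It assumes port 8888, a management host address of 10.0.0.10, a server-authentication certificate for this host already in the LocalMachine\My store, and the NetSecurity module (Windows Server 2012 or later; an older host would use netsh advfirewall instead).

```powershell
# Added example, not code from the thread. Assumed values: port 8888,
# management host 10.0.0.10, certificate present in LocalMachine\My.
$ListenPort     = '8888'
$ManagementHost = '10.0.0.10'   # assumed vCenter / management host address
$HostName       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a certificate issued to this host that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in LocalMachine\My" }

# HTTPS listener on the chosen port (equivalent to the winrm.cmd one-liner).
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Port = $ListenPort; Hostname = $HostName;
                   CertificateThumbprint = $cert.Thumbprint }

# Remove any plain-HTTP listener so only the TLS listener remains.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTP' } |
    ForEach-Object {
        Remove-WSManInstance -ResourceURI winrm/config/Listener `
            -SelectorSet @{ Address = $_.Address; Transport = 'HTTP' }
    }

# Firewall: allow the listener port from the management host only,
# instead of the any-source rule Enable-PSRemoting would create.
New-NetFirewallRule -DisplayName "WinRM HTTPS $ListenPort (management only)" `
    -Direction Inbound -Protocol TCP -LocalPort $ListenPort `
    -RemoteAddress $ManagementHost -Action Allow -Profile Domain
```

Run it in an elevated session on each server (or wrap the firewall part in the GPO approach LucD mentions); verify afterwards with `winrm enumerate winrm/config/Listener` that no HTTP listener is left.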