Excellent answer! That fixed it for me- Thank you!

It turned out that this powercli command for some reason was using the default OS user proxy settings from the reg key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ -> ProxyEnable [=1]

I had wrote the script before we had a security change (and the script worked then) where certain PCs were internet restricted with the proxy enabled and pointing to a non-existent proxy server to kill internet access for security reasons. So when I ran the script now after some changes, it stopped working.

What is interesting is when the command fails I can connect to a vCenter server just fine with the command connect-viserver [servername], I can run all kinds of commands like update-tools on Guests etc without issue. It doesn't yet make logical sense why just invoke-vmscript doesn't work while the other commands do. The invoke-vmscript must have something in it that tries to connect to something that is the not the vCenter server and that is using the local proxy and is therefore failing.

Also, I noticed that even after changing the reg key, the command still failed until I opened IE and closed it. Not sure if coincidental but seemed to be the case.

Thanks again!

I poked around a bit and it seems to basically work like this:

1. The cmdlet uses the existing PowerCLI connection to vCenter, telling it to run the command on the VM.

2. vCenter connects to the respective ESXi host and tells it to run the command, but does not receive the output to give back to the client.

3. Instead the client waits for vCenter to give him the "it's done" signal, and then the client connects to the ESXi host to grab the actual raw output being returned from the command.

4. PowerCLI displays that output on your console.

This means your command actually has been executed, even though PowerCLI spilled the error of not being able to connect just to grab the output. I suppose that request is being done with a generic .NET web request method that use the system's proxy setting.

Here you can see an example of such a request from the client directly to the host (I ran the "whoami" command btw). It's really nothing but a very basic SSL'd HTTP request with a token and the response being nothing but the command's output:

I think this is a very odd way to handle Invoke-VMScript. It's not clear that the command has actually been executed and the host is being accessed by its IP in the HTTP host header instead of it's DNS name (with which the host is registered in vCenter and on which the SSL certificate is bound), meaning the client won't actually validate the SSL certificate presented as a browser would (and the SSL request is without SNI as well).

Old thread problem still exists

My target VM is Windows Server 2012R2 - thus PowerShell or BAT scripts

MKGuy wrote...

the host is being accessed by its IP in the HTTP host header instead of it's DNS name (with which the host is registered in vCenter and on which the SSL certificate is bound), meaning the client won't actually validate the SSL certificate presented as a browser would (and the SSL request is without SNI as well).

This explains why Invoke-VMScript does not work my NAT'd environments.

Scripts are being executed on the VM but the Invoke-VMScript returns an error

VERBOSE: 10/19/2017 11:04:38 AM Invoke-VMScript Started execution

VERBOSE: Performing the operation "Invoke-VMScript" on target "xyz"

VERBOSE: 10/19/2017 11:04:38 AM Invoke-VMScript Finished execution

FullyQualifiedErrorId : Client20_VmGuestServiceImpl_DownloadFileFromGuest_DownloadError

My development offices access our vCenter data center via VPN .

To prevent address conflicts between our office, traffic between our development offices and data centers is NAT'd

The native vCenter data center DNS is vcenter1.mydomain.com 10.11.100.7

The NAT'd development DNS entry is vcenter1.mydomain.com 10.15.100.7

The ESX hosts addresses follow the same pattern host1.mydomain.com 10.15.10.153 vs 10.11.10.153

So far, everything in PowerCLI works fine other than Invoke-VMScript.

Using RunAsync as a work around might be an option, but I need the results of the script output.

Can Invoke-VMScript be changed to reconnect to the host using the host DNS name instead of IP ?

Or is there a configuration option I missed to return host DNS vs host IP.

My environment :

Windows 10

VCenter 6.5

VMware ESXi, 6.5.0, 5969303

PowerCLI 6.5.3 as of yesterday ( also tried 6.5.1 and 2)

Did you already try with my Invoke-VMScriptPlus function?

Hello LucD,

I failed to mention my target VM is Windows Server 2012R2.

I reviewed your Invoke-VMScriptPlus and it appears to be Linux specific

Thanks,

Kevin

Yes, it is I'm afraid.

But this gave me an idea to expand my function towards Win guest OS as well.

I'll be looking into that