ARM 110浏览

RDP 的远程连接方式,我们可以在机器创建好后,手动为虚拟机配置 Powershell

Azure ARM 虚拟机进行一个简单的演示,对于Windows Server下面的方法其实是通用的。


Windows Server 2012 R2
的虚拟机,可以在防火墙中添加 TCP 5985


我们先进行HTTP Listener的配置:

Powershell,执行Enable-PSRemoting -Force;

i n RN i n RN Users an 1 e Ena is already set up is already set up Administrator: Windows Powe e-PSRemot1ng -Force to receive requests on this computer. for remote management on this computer.


执行成功后,使用 netstat -ano | findstr
查看是否有 5985 端口的侦听:

Users am e netstat o.o.o.o:5985 C: : ] :5985 -ano 1 n str o.o.o.o:o Administrator: Windows PowerShell 5985 LISTENING LISTENING PS




Set-itemwsman:localhostclienttrustedhosts -value


Administrator: Windows PowerSheII PS C: Windows Xsystem32> quickconfig UinRM is not set up to receive requests on 139 .219 .109 .64 this machine . The Following changes must be Start the WinRM service. Set the WinRM service type to make these changes [y/n]? y made : delayed auto start . UinRM has been updated to receive requests . WinRM service type changed successfully. WinRM service started. WSmanFau1t Message ProuiderFauIt WSmanFau1t Message — WinRM Firewall exception will not work since e network connection type to either Domain or Private and try again . one the network connect: Error number: -2144108183 5<80338169 WinRM Firewall exception will not work since one OF the network connection to either Domain or Private and try again. PS C: Windows Xsystem32> wsman : —u alue WinRM Security Conf iguration. types on this machine This command modif ies the reustedHosts list For the WinRM client. The computers in the reustedHos1 send credential information to these computers. Are you sure that you want to modify this list? [N] No [S] Suspend Help (default is y PS C: Windows Xsystem32>


配置好之后,使用下面的命令连接到虚拟机的 5985

Enter-Pssession-ComputerName 5985 -Authentication Negotiate -Credential
daniel -SessionOption (New-PSSessionOption-SkipCACheck -SkipCNCheck)

Windows PowerSheII PS C: VJsers NDanieIHX> Enter—Pssession 139 .219 .109 .64 —ComputerName Authentication Negotiate —Credential dan ieI —Session Option n -SkipCNCheck [139 .64]: ps C: 5985 ion Opti


我们接着配置 HTTPS Listener,在虚拟机中打开 Powershell,使用下面的命令创建一个自签名证书:

dan2012r2.chinanorth.cloudapp.chinacloudapi.cn-CertStoreLocation Cert:LocalMachineMy

对应的 DNS
名称,如果没有 DNS,直接换成虚拟机的公网

Administrator: Windows PowerShell PS C: Users ame New-Se Signe ertl 1 cate -DnsName an2012r2.c 1 nanort . c ou app. c 1 nac ou apl . cn Cert : i neMy Directory: Mi crosoft. PowerSheII. SecurityCertificate: : LocalMachineMy -CertStor eL ocatl on humbpri nt 52FFCIACC8606E8A7750217599742699E42A27A Su bj ect CN=dan2012r2. chi nanorth. cloudapp. chi nacloudapi . cn


创建好之后,可以看到下面生成了一个证书指纹(Thumbprint),打开 mmc

Open: Run Type the name of a program, folder, document, or Internet resource, and Windows will open it for pu. mm c This task will be created with administrative privileges.


添加 CertificatesComputeraccount):

Consolel File Action View Favorites Console Root Window Help Na me Add or Remove Snap-ins [Console Root] how in this view. You can select snap-ins for this console from those available on your computer and configure the selected set of snagAns. For extensible snap-ins, you can configure which extensions are enabled. Available snap-ins: Selected snap-ins: —console Root Snap-in ActiveX Control Microsoft Cor.. n Authorizaton Manager Microsoft Cor... Certificates Microsoft Cor.. Microsoft Cor.. Services Microsoft Cor... Computer Managem... Microsoft Cor... Device Manager Disk Management Microsoft and... Microsoft Cor... Event Wiener Microsoft Cor... Group Policy Object Microsoft Cor... Microsoft Cor... IP Security Monitor IP Security Pohcy Microsoft Cor.. Link to Web Address Microsoft Cor... Local aackuo Microsoft Cor Description : Edit Extensions... Remove Move up Move Donn The Certficates snap-in allows you to browse the contents of the certificate stores for yourself, a service, or a computer.

Certificates snap-in This snap-in will always manage certificates for C) user account O serv.,ce @ Computer account



[Console RootCertificates (Local Computer)PersonalCertificates] File Action zfi] Console Root View Favorites Consolel Window Help Issued To Certificates (Local Computer) Personal Certifi cates Trusted Root Certification Enterprise Trust Intermediate Certification Trusted Publishers Untrusted Certificates Third Party Root Certificati Trusted People Client Authentication Issuel Remote Desktop Certificate Enrollment Requ Runtime_Transport_Store_C Smart Card Trusted Roots Trusted Devices dan2D12r2.chinancrth.cIcudap... Issued 8}' dan2D12r2.chinancrth.cIcudapp.c... Expiration Date 8/2/2018 Actions ifica More Actions 012r2.chir More Actions



Issued To G] dan2012r2.chinanorth.cIoudap... Issued By dan2012r2.chinanorth.cIoudapp.c... Expiration Di 8/2/2018 General Show: Certificate Details Certification Path <AII > n public key Enhanced Key Usage Subject Alternatve Name 61 Subject Key Identfier Key usage Thumbprint algorithm Thumbprint as 2 f fc la 63 42 a2 cc 86 dan2012r2. chinanorth clouda... RSA (2048 Bits) Client Authentcaton ( . DNS Name =dan2012r2. chinan d44c2b 1136 ad a58b Digital Signature, Key Encipher.. shal as 2ffc la cc es 75 a? 75 02 17 37 42


使用管理员权限打开cmd,执行下面的命令添加 HTTPSListener(替换一下域名或者公网

winrm createwinrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="dan2012r2.chinanorth.cloudapp.chinacloudapi.cn";CertificateThumbprint="A52FFC1ACC8606E8A7750217599742699E42A27A"}


核实一下 HTTPS

netstat-ano | findstr 5986

Users am e netstat o.o.o.o:5986 -ano I n str o.o.o.o:o Administrator: Windows PowerShell 5986 LISTENING LISTENING PS



Enter-Pssession-ComputerName 5986 -Authentication Negotiate -Credential
daniel -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck-SkipCNCheck)

Windows PowerSheII S C: VJsers NDanieIHX> Enter—Pssession Authentication Negotiate —Credential ion Option -SkipCRCheck -SkipCNCheck [139 .64]: ps C: —ComputerName 139 .219 .109 .64 dan ieI —UseSSL —SessionOption 5986


的连接不需要再客户端进行winrm 的任何配置。



Azure 虚拟机,默认虚拟机创建好之后 Powershell
就配置好了,可以直接访问虚拟机的 5986
端口。如果不小心把 Personal

很简单,删除了自签名证书,可以使用管理员权限运行 cmd,执行下面的命令将原来的HTTPS Listener

winrmdelete winrm/config/Listener?Address=*+Transport=HTTPS


HTTPS Listener 的方法做一遍就好了。