[Azure] Configuring PowerShell remoting listeners (HTTP and HTTPS) for an ARM virtual machine



An ARM virtual machine only has RDP as its remote connection method by default; after the machine is created we can manually configure PowerShell remoting (WinRM) listeners for it.

An Azure ARM VM is used here only for a simple demonstration; the method below is in fact generic for Windows Server.

First we create a Windows Server 2012 R2 VM and add allow rules for TCP 5985 and TCP 5986 to the firewall: 5985 is the port of the HTTP listener, 5986 the port of the HTTPS listener (SSL enabled). Note that two firewalls are involved: the network security group attached to the VM in Azure and the Windows Firewall inside the guest; both must allow the port.

1) Configure the HTTP listener first:

Log in to the VM, open PowerShell, and run Enable-PSRemoting -Force;

[Screenshot: output of Enable-PSRemoting -Force, reporting that WinRM is already set up to receive requests on this computer and already set up for remote management on this computer.]

Once that succeeds, use netstat -ano | findstr 5985 to check that port 5985 is listening:

[Screenshot: netstat -ano | findstr 5985 shows 0.0.0.0:5985 and [::]:5985 in LISTENING state.]

Next, on the local client machine that will make the connection, add the VM to the client's trusted hosts. Open PowerShell as administrator and run the following two commands:

winrm quickconfig

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 139.219.109.64

Note: replace the highlighted part (the IP address) with your VM's public IP address. winrm quickconfig is only needed here so that the local WinRM service is running, which the WSMan: drive requires; if the client's network profile is Public, quickconfig reports "WinRM Firewall exception will not work since one of the network connection types on this machine is set to Public" (error 0x80338169). That only concerns inbound connections to the client and can be ignored on a machine that is only used as a client. TrustedHosts tells the WinRM client that it may send credentials to this address even though Kerberos cannot verify the server's identity, so list only the specific hosts you need and never "*".

[Screenshot: winrm quickconfig starts the WinRM service, sets it to delayed auto start, and then prints the firewall exception error quoted above; Set-Item then asks to confirm modifying the TrustedHosts list for the WinRM client.]

After that is configured, connect to port 5985 of the VM with the following command:

Enter-PSSession -ComputerName 139.219.109.64 -Port 5985 -Authentication Negotiate -Credential daniel -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)

(-SkipCACheck and -SkipCNCheck only affect certificate validation and have no effect on an HTTP session; they are harmless here and can be dropped.)

[Screenshot: Enter-PSSession succeeds and the prompt changes to [139.219.109.64]: PS C:\...>]
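The HTTP-listener procedure above collected into one script, as an example added for this page rather than code from the original post. The server half runs on the VM and the client half on the management workstation; 139.219.109.64 and the user name daniel are the post's values, everything else is this example's choice.

```powershell
# ---- On the VM (run as Administrator) ----
# Enable remoting: starts WinRM, creates the HTTP listener on 5985 and adds the
# "Windows Remote Management (HTTP-In)" rule to the guest firewall.
Enable-PSRemoting -Force

# Inspect what WinRM actually registered instead of relying on netstat alone.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)"
    [pscustomobject]@{
        Transport  = ($props | Where-Object Name -eq 'Transport').Value
        Port       = ($props | Where-Object Name -eq 'Port').Value
        Address    = ($props | Where-Object Name -eq 'Address').Value
        Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
}

# Confirm the socket is bound (same check as netstat -ano | findstr 5985).
Get-NetTCPConnection -LocalPort 5985 -State Listen

# ---- On the client workstation (run as Administrator) ----
# The WSMan: drive needs the local WinRM service running; that is all
# "winrm quickconfig" is needed for on a machine that only acts as a client.
Start-Service WinRM

# Append the VM to TrustedHosts instead of overwriting whatever is already there.
# TrustedHosts lets the client send credentials to a host Kerberos cannot verify,
# so keep it to explicit addresses, never "*".
$vm = '139.219.109.64'
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -notmatch [regex]::Escape($vm)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $vm -Concatenate -Force
}
Get-Item WSMan:\localhost\Client\TrustedHosts

# Probe the endpoint (identity/negotiation only) before opening an interactive session.
Test-WSMan -ComputerName $vm -Port 5985 -Authentication Negotiate -Credential daniel

# -SkipCACheck/-SkipCNCheck only matter with -UseSSL, so they are omitted here.
Enter-PSSession -ComputerName $vm -Port 5985 -Authentication Negotiate -Credential daniel
```

Message bodies on the HTTP listener are still encrypted by WinRM when Negotiate authentication is used, but the server is never authenticated, which is why the HTTPS listener in step 2 is the better choice for a VM with a public IP.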

 

2) Next we configure the HTTPS listener. Open PowerShell in the VM and create a self-signed certificate with the following command:

New-SelfSignedCertificate -DnsName dan2012r2.chinanorth.cloudapp.chinacloudapi.cn -CertStoreLocation Cert:\LocalMachine\My

Note: the highlighted part is the DNS name that corresponds to this VM's public IP; if there is no DNS name, use the VM's public IP address instead.

[Screenshot: New-SelfSignedCertificate output listing the new certificate in Cert:\LocalMachine\My with thumbprint A52FFC1ACC8606E8A7750217599742699E42A27A and subject CN=dan2012r2.chinanorth.cloudapp.chinacloudapi.cn.]

Once it is created, the certificate thumbprint (Thumbprint) is shown in the output. Open mmc (Run dialog, type mmc; the task is created with administrative privileges):

Add the Certificates snap-in (Computer account):

[Screenshot: the Add or Remove Snap-ins dialog with the Certificates snap-in selected, followed by the Certificates snap-in wizard with "Computer account" chosen.]

The self-signed certificate just generated is visible:

[Screenshot: Console Root\Certificates (Local Computer)\Personal\Certificates lists dan2012r2.chinanorth.cloudapp..., issued by itself, expiration date 8/2/2018.]

Check the certificate thumbprint:

[Screenshot: Details tab of the certificate; Subject Alternative Name DNS Name=dan2012r2.chinanorth..., RSA (2048 Bits) public key, Key Usage Digital Signature, Key Encipherment, Thumbprint algorithm sha1, Thumbprint a5 2f fc 1a cc 86 ...]

Open cmd as administrator and run the following command to add the HTTPS listener (replace the domain name or public IP, and the certificate thumbprint, with your own):

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="dan2012r2.chinanorth.cloudapp.chinacloudapi.cn";CertificateThumbprint="A52FFC1ACC8606E8A7750217599742699E42A27A"}

The Hostname must match the name in the certificate, and the thumbprint must belong to a certificate in the Local Computer Personal store that has its private key; otherwise winrm create fails. Run it from cmd as written: in PowerShell the @{...} part would be parsed as a hashtable and would have to be quoted.

Verify the HTTPS listener:

netstat -ano | findstr 5986

[Screenshot: netstat -ano | findstr 5986 shows 0.0.0.0:5986 and [::]:5986 in LISTENING state.]

Once it is created, the client can connect using the -UseSSL parameter:

Enter-PSSession -ComputerName 139.219.109.64 -Port 5986 -Authentication Negotiate -Credential daniel -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)

-SkipCACheck and -SkipCNCheck are what make this work with a self-signed certificate and a bare IP address: they turn off validation of the certificate chain and of the name in the certificate, so the client accepts any certificate on port 5986, including one presented by a man in the middle. For anything beyond a quick test, import the VM's certificate into the client's Trusted Root Certification Authorities store (or use a CA-issued certificate), connect by the DNS name in the certificate, and drop both options.

[Screenshot: Enter-PSSession -UseSSL succeeds and the prompt changes to [139.219.109.64]: PS C:\...>]

Note: the HTTPS connection needs no winrm configuration on the client at all; TrustedHosts is not consulted for SSL connections.
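The HTTPS-listener procedure of step 2 done from PowerShell instead of cmd and mmc, plus the client side without -SkipCACheck/-SkipCNCheck. This is an example added here, not the post's code: the DNS name and user name are the post's values; the firewall rule name and the file path C:\winrm-https.cer are this example's choices, and copying the .cer file to the client is assumed to happen out of band (RDP clipboard, file share, etc.).

```powershell
# ---- On the VM (run as Administrator) ----
# Name clients will use: the post's Azure DNS label. With no DNS label, put the
# public IP here and connect with the same string in -ComputerName.
$dnsName = 'dan2012r2.chinanorth.cloudapp.chinacloudapi.cn'

# Same self-signed certificate as in the post (the two parameters Server 2012 R2
# supports); keeping the object means the thumbprint is never retyped by hand.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My

# Equivalent of: winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{...}
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $dnsName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Enable-PSRemoting only opens 5985 in the guest firewall; 5986 needs its own rule
# (the NSG rule in the Azure portal is separate). The rule name is an assumption.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
}

# Listener registered and socket bound (same as netstat -ano | findstr 5986).
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
Get-NetTCPConnection -LocalPort 5986 -State Listen

# TLS handshake against the listener to confirm it serves the certificate just bound.
# The callback accepts any chain because this is a self-check of WHICH certificate
# is served, not a trust decision.
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 5986)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
$tls.AuthenticateAsClient($dnsName)
$served = $tls.RemoteCertificate.GetCertHashString()
$tcp.Close()
if ($served -ne $cert.Thumbprint) { throw "listener serves $served, expected $($cert.Thumbprint)" }

# Export the public half only (no private key) to hand to clients out of band.
Export-Certificate -Cert $cert -FilePath C:\winrm-https.cer | Out-Null

# ---- On the client workstation (run as Administrator) ----
# Trusting this exact certificate keeps CA and name validation switched on, so the
# session rejects any other certificate on 5986, e.g. one injected by a man in the middle.
Import-Certificate -FilePath .\winrm-https.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

$vm = 'dan2012r2.chinanorth.cloudapp.chinacloudapi.cn'   # must match the certificate's DNS name
Test-WSMan -ComputerName $vm -Port 5986 -UseSSL -Authentication Negotiate -Credential daniel
Enter-PSSession -ComputerName $vm -Port 5986 -UseSSL -Authentication Negotiate -Credential daniel
```

Because the client now validates the certificate, the connection fails loudly if someone swaps the certificate on 5986; with -SkipCACheck -SkipCNCheck that substitution would go unnoticed.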

 

The steps above can also be used to solve the following problem:

For classic Azure VMs, PowerShell over SSL is already configured when the VM is created, and port 5986 can be reached directly. What if the self-signed certificate under Personal is deleted by accident?

Simple: once the self-signed certificate is gone, run cmd as administrator and delete the old HTTPS listener with the following command:

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

After deleting it, repeat the HTTPS listener configuration above.
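For the recovery case just described, an added example (not the post's code) that, instead of deleting every HTTPS listener on Address=* as winrm delete does, checks each HTTPS listener for a certificate that no longer exists in Cert:\LocalMachine\My and removes only those; step 2 is then re-run to recreate the listener. It runs on the VM as Administrator and assumes nothing beyond the WSMan: and Cert: drives.

```powershell
# Collect every HTTPS listener together with whether its certificate still exists.
$listeners = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object {
        $path  = "WSMan:\localhost\Listener\$($_.Name)"
        # Thumbprint as stored by WinRM; strip any spaces so it matches the Cert: path form.
        $thumb = ((Get-Item "$path\CertificateThumbprint").Value -replace '\s', '')
        [pscustomobject]@{
            Path       = $path
            Hostname   = (Get-Item "$path\Hostname").Value
            Thumbprint = $thumb
            CertExists = (Test-Path "Cert:\LocalMachine\My\$thumb")
        }
    }
$listeners | Format-Table -AutoSize

# Remove only the listeners whose certificate is gone (the symptom after the
# Personal-store certificate was deleted); a healthy listener is left untouched.
$listeners | Where-Object { -not $_.CertExists } | ForEach-Object {
    Remove-Item -Path $_.Path -Recurse -Force
    "removed $($_.Path): certificate $($_.Thumbprint) is not in Cert:\LocalMachine\My"
}
```

The CertExists column is also a quick health check to run before a connection attempt fails: a listener that references a thumbprint missing from the store cannot complete a TLS handshake no matter what the client does.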