Join Log in
Score:0
Geert van Horrik avatar Server

WinRM connectivity issues with workgroup and vlan subnet

ar flag
Geert van Horrik

Situation:

  1. 1 server (Windows Server 2022) (192.168.15.5)
  2. 1 client (Windows 11) (192.168.5.5)
  3. Unifi network setup where both machines are on a different VLAN (subnet)

On the server:

  1. Run Winrm quickconfig
  2. Run Enable-PSRemoting
  3. Run Get-NetFirewallRule -Name 'WINRM*' | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress Any (to make sure other subnet should be able to connect)

On the client:

  1. Run Winrm quickconfig
  2. Run Enable-PSRemoting
  3. Run Set-Item WSMan:\localhost\Client\TrustedHosts –Value "192.168.15.5"

When running test-wsman [server ip], sometimes it works, sometimes it doesn't:

Call 1 (seems to be good):

PS C:\WINDOWS\system32> test-wsman 192.168.15.5


wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

Call 2 (done a few seconds later):

PS C:\WINDOWS\system32> test-wsman 192.168.15.5
test-wsman : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="WO
RKSTATION"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>
At line:1 char:1
+ test-wsman 192.168.15.5
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (192.168.15.5:String) [Test-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

Same results when doing Test-NetConnection 192.168.15.5 -p 5985 (sometimes it works, sometimes it doesn't).

Server WinRM config:

Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

A few observations:

  1. SMB or RDP connections to the server work without any issues
  2. Unifi firewall has been configured correctly
  3. Windows Server firewall should have been configured correctly (otherwise I would be amazing that "sometimes" the requests work)
  4. netstat -aon on the server shows it's listening correctly on the right port (5985)

Any idea what could be the case and why WinRM / Remote PowerShell is not working reliably?

Could it be Unifi having issues to reliably handle traffic over VLAN (but then why is RDP working flawlessly)?

865
1 + 2
joeqwerty avatar
cv flag
joeqwerty
Run a packet capture on the server and then run your test until it fails. Then analyze the capture to see if the traffic is getting to the server. Troubleshoot based on those results.
2
Reply
cn flag
Greg Askew
Also Windows firewall logging works.
1
Reply
Score:1
Geert van Horrik avatar Server
ar flag
Geert van Horrik

Thanks to the comments, it was possible to some further investigation. The Windows firewall was not blocking anything.

Ultimately it was Unifi blocking consecutive requests with the signature:

ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement

Via Unifi, you can view this via System logs => Threats

Here one can suppress this threat for specific machines inside the network.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.