WinRM Not listening on all IPs even though configured that way


Justin

Aug 30, 2017, 3:10:45 PM
to Ansible Project
I have about 1500 guests under management, most of which are windows.  A few guests are not accepting connections from Ansible.  Looking at their WinRM configurations they are set to listen on all IPs for the WinRM listener, their windows firewalls have exceptions for 5986, but when I do a netstat they're not actually listening on their base IP.  Some are listening to all other IPs except that base IP, other times if there's just a loopback and a base IP they're only showing results in netstat for the loopback.  Has anyone seen anything like this? 

Example:

PS C:\Users> winrm e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.11.XXX.XXX, 127.0.0.1, ::1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = true
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = CENSORED
    ListeningOn = 10.11.XXX.XXX, 127.0.0.1, ::1

Yet when I do a netstat -nao | findstr 5986 I get:

PS C:\Users> netstat -nao | findstr 5986
  TCP    0.0.0.0:5986           0.0.0.0:0              LISTENING       4
  TCP    [::]:5986              [::]:0                 LISTENING       4

Jordan Borean

Aug 30, 2017, 5:02:23 PM
to Ansible Project
Networking isn't my forte but my netstat looks like yours on hosts with multiple adapters. I believe 0.0.0.0 in this context means all IP addresses are listening on that port but could be wrong.

Justin

Aug 30, 2017, 8:14:16 PM
to ansible...@googlegroups.com
Thanks Jordan.  That might indicate a different problem then.  On my multiple-IP systems I have all IPs show up in netstat with the exception of the base IP.  Anyone have a clue about that?

On Wed, Aug 30, 2017 at 5:02 PM, Jordan Borean <jbor...@gmail.com> wrote:
Networking isn't my forte but my netstat looks like yours on hosts with multiple adapters. I believe 0.0.0.0 in this context means all IP addresses are listening on that port but could be wrong.




--

- Justin

Justin

Aug 30, 2017, 9:00:03 PM
to Ansible Project
Ok, so I was able to figure it out thanks to this post:  https://social.technet.microsoft.com/Forums/en-US/35ce0818-ce43-4661-bf5b-1b1831fb50e3/powershell-remoting-not-working-on-one-computer?forum=ITCG and this https://www.grimadmin.com/article.php/winrm-connection-issues-http-inc-list

Basically, if you've configured IIS to only listen on specific IPs on the system, WinRM can only listen on the IPs IIS listens on, because they share the same underlying http.sys.  That's a problem for me because I discover my managed list daily, dynamically, from their hostnames, which are tied to their base IP, and multiple services leverage this.  These systems need something else running on port 80 on their base IP, and IIS bound to other IPs on the box, therefore they have to be configured that way.  Anyone experienced something similar and have a potential solution to propose?



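The check below is an added example, not code posted by anyone in this thread. It puts the three views that the first post and the post above compare by hand side by side on one host: what the WinRM listeners claim (Address = * means "every address http.sys offers"), the http.sys IP listen list that IIS's per-IP configuration populates (`netsh http show iplisten`), and the sockets actually bound on 5985/5986. It then reports any local IPv4 address that WinRM is not covering. It assumes an elevated PowerShell session on a Windows 8/Server 2012 or later host (for Get-NetTCPConnection and Get-NetIPAddress); the variable names are mine. One caveat worth knowing before changing anything: the http.sys IP listen list is per address, not per address-and-port, so adding the base IP back with `netsh http add iplisten` makes it available to every http.sys consumer, including any IIS site bound to `*:80`.

```powershell
# Added example (not from the thread): compare what WinRM, http.sys and the
# TCP stack each say about WinRM's listening addresses on this host.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

# 1. WinRM's own view. Each listener under WSMan:\localhost\Listener exposes
#    Address, Transport, Port and one ListeningOn_* entry per resolved address.
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem -Path $_.PSPath
    [pscustomobject]@{
        Address     = ($props | Where-Object Name -eq 'Address').Value
        Transport   = ($props | Where-Object Name -eq 'Transport').Value
        Port        = ($props | Where-Object Name -eq 'Port').Value
        ListeningOn = (($props | Where-Object Name -like 'ListeningOn*').Value) -join ', '
    }
}
"WinRM listeners:"
$listeners | Format-Table -AutoSize | Out-String

# 2. The http.sys IP listen list. When it is non-empty, every http.sys
#    consumer (IIS, WinRM, WSUS, ...) is restricted to exactly these
#    addresses, whatever its own configuration says. An empty list means
#    http.sys binds to 0.0.0.0 / [::], which is what a healthy host shows.
"http.sys IP listen list (netsh http show iplisten):"
netsh http show iplisten

# 3. What is really bound on the WinRM ports, as seen by the TCP stack.
"Sockets bound on 5985/5986:"
Get-NetTCPConnection -State Listen -LocalPort 5985, 5986 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize | Out-String

# 4. Cross-check: local IPv4 addresses that no WinRM listener covers.
#    Link-local (169.254.x.x) addresses are skipped; Ansible never targets them.
$hostIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress
$covered = ($listeners.ListeningOn -split ',\s*') | Where-Object { $_ }
$missing = $hostIPs | Where-Object { $_ -notin $covered }
if ($missing) {
    "WinRM is NOT listening on: $($missing -join ', ')"
} else {
    "WinRM covers every local IPv4 address."
}
```

If step 2 prints the IIS addresses but not the base IP, that is the situation described in the post above: the management listener has inherited an application server's binding policy. Resolving it means either emptying the IP listen list and constraining IIS through its own site bindings instead, or adding the base IP to the list and making sure no IIS site binds to `*:80`, so the other service on port 80 keeps that address.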
J Hawkesworth

Aug 31, 2017, 5:40:13 AM
to Ansible Project
If this is the case, this feels like a Windows bug to me.  WinRM is intended for administration, so it should really not be tied to the configuration of IIS, which is typically there to provide application services (not administration).

As for a workaround I can only think of lifting the IIS listen configuration and using some kind of network device to protect IIS from receiving traffic it shouldn't.  Networking not my area of expertise though.

I have seen some talk of SPNs (user accounts associated with IIS hosts in AD) messing up the ability to connect to WinRM - might be worth investigating if you use SPNs.

Sorry I don't have any better suggestions,

Jon 

Jordan Borean

Aug 31, 2017, 4:20:21 PM
to Ansible Project
There is an IIS extension that can be used when IIS is intercepting the WinRM traffic: https://technet.microsoft.com/en-us/library/dd759166(v=ws.11).aspx. I've never had to deal with this situation before so can't help much further, sorry.