Configuring the Windows-based VMs for WinRM and SSH access
In this part of the Citrix Automation series, let's configure the Windows-based VMs for WinRM and OpenSSH access.
Because the VMs are initially not members of an Active Directory domain, a GPO cannot be used for this configuration. The Server and Desktop Master VMs therefore have to be configured locally to accept WinRM and OpenSSH connections, so that Ansible and Terraform can take over the remaining configuration later on.
All further deployments of Windows VMs will be based on these Master VMs…
Installing a Windows Server-based Master VM on Azure
We chose a Standard_D2s_v5 Azure VM with Windows Server 2022 Datacenter: Azure Edition as the operating system.
The deployment of the Azure VM itself was straightforward.
The VM is not reachable over the Internet by RDP or SSH; RDP connections are only possible through the Jumphost VM.
Configuring the VM for WinRM-based Remote Administration
The WinRM service has two main components: the listeners and the service configuration.
A listener accepts requests on one transport (HTTP or HTTPS) and port; each listener has its own configuration, including the certificate bound to an HTTPS listener.
The service configuration holds the authentication options (Basic, Kerberos, Negotiate, Certificate, CredSSP), the encryption requirement (AllowUnencrypted) and the quotas for remote shells (memory, processes, shells per user).
A script for this configuration can be downloaded from GitHub; judging by its output below, the EnableWinRM.ps1 used here is Ansible's ConfigureRemotingForAnsible.ps1, which generates a self-signed certificate, adds an HTTPS listener, enables Basic authentication and adds a firewall rule for port 5986.
After logging on to the VM using local administrative credentials, we configure WinRM using PowerShell:
PS C:\_AUTOMATION> winrm quickconfig
...
PS C:\_AUTOMATION> Enable-PSRemoting
...
PS C:\_AUTOMATION> Set-ExecutionPolicy Unrestricted
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS C:\_AUTOMATION> .\EnableWinRM.ps1 -Verbose
VERBOSE: Verifying WinRM service.
VERBOSE: PS Remoting is already enabled.
VERBOSE: Setting LocalAccountTokenFilterPolicy to 1
Self-signed SSL certificate generated; thumbprint: AEFC...A2F2
VERBOSE: Enabling SSL listener.
wxf : http://schemas.xmlsoap.org/ws/2004/09/transfer
a : http://schemas.xmlsoap.org/ws/2004/08/addressing
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
lang : en-US
Address : http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters
VERBOSE: Enabling basic auth support.
VERBOSE: Adding firewall rule to allow WinRM HTTPS.
Ok.
VERBOSE: HTTP: Disabled | HTTPS: Enabled
VERBOSE: PS Remoting has been successfully configured for Ansible.
PS C:\_AUTOMATION>
Let's check the WinRM listeners. Two things in the transcript above deserve a comment first. Set-ExecutionPolicy Unrestricted changes the machine-wide policy permanently, which is more than running one local script requires; RemoteSigned, or a process-scoped Bypass as used for the Chocolatey install later in this post, is sufficient and does not stay behind on the master image. And the script's "HTTP: Disabled | HTTPS: Enabled" line is the result of its own localhost connection test, not a statement about the listeners: the HTTP listener on port 5985 created by winrm quickconfig is still present and enabled, as the output below shows.
PS C:\_AUTOMATION> winrm enumerate winrm/config/Listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 172.31.4.16, ::1, fe80::6f37:6df4:39f5:9d17%7
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = TMM-GK-W2K22-NO
Enabled = true
URLPrefix = wsman
CertificateThumbprint = AEFC...A2F2
ListeningOn = 127.0.0.1, 172.31.4.16, ::1, fe80::6f37:6df4:39f5:9d17%7
PS C:\_AUTOMATION>
Get the service details. The line to look at is AllowUnencrypted = false: WinRM then only accepts requests that are protected either by the HTTPS transport or by an authentication scheme that encrypts the message itself (Kerberos, Negotiate/NTLM, CredSSP). Basic authentication cannot do that, so the Basic = true set by the script is only usable over the HTTPS listener, and even there the password reaches the server in the clear inside the TLS tunnel. Basic is acceptable for bootstrapping a local account on a non-domain VM, but once the VMs are domain-joined Ansible should move to Kerberos (ansible_winrm_transport: kerberos).
PS C:\_AUTOMATION> winrm get winrm/config/Service
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
PS C:\_AUTOMATION> winrm get winrm/config/Winrs
AllowRemoteShellAccess = true
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
PS C:\_AUTOMATION>
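The two dumps above can be checked programmatically and, where necessary, tightened. The following PowerShell script is an added example (not part of the original post or of the WinRM script) that reads the same settings through the WSMan: drive, lists what a security review would flag, and on request removes the plaintext HTTP listener left behind by winrm quickconfig or disables Basic authentication. The switch names -RemoveHttpListener and -DisableBasicAuth are this example's own.

```powershell
# Added example (not from the original post or the WinRM script): audit the WinRM
# listener/service settings dumped above via the WSMan: drive and, on request, remove
# the plaintext HTTP listener or disable Basic auth. Run elevated on the Master VM.
param(
    [switch]$RemoveHttpListener,   # switch names are this example's own
    [switch]$DisableBasicAuth
)

Import-Module Microsoft.WSMan.Management -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# 1. Listeners: each one is a container under WSMan:\localhost\Listener
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $p = @{}
    Get-ChildItem $listener.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
    '{0}: Transport={1} Port={2} Address={3} Enabled={4}' -f $listener.Name, $p.Transport, $p.Port, $p.Address, $p.Enabled

    if ($p.Transport -eq 'HTTP') {
        $findings.Add("HTTP listener on port $($p.Port): only Kerberos/Negotiate/CredSSP encrypt the payload here; Basic is refused while AllowUnencrypted=false.")
        if ($RemoveHttpListener) {
            Remove-Item -Path $listener.PSPath -Recurse -Force
            "Removed $($listener.Name)"
        }
    }
    elseif ($p.Transport -eq 'HTTPS') {
        # The bound certificate must exist in LocalMachine\My, be valid and ideally not be self-signed
        $cert = Get-Item "Cert:\LocalMachine\My\$($p.CertificateThumbprint)" -ErrorAction SilentlyContinue
        if (-not $cert) {
            $findings.Add("HTTPS listener: certificate $($p.CertificateThumbprint) not found in LocalMachine\My.")
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            $findings.Add("HTTPS listener: certificate expired on $($cert.NotAfter).")
        } elseif ($cert.Subject -eq $cert.Issuer) {
            $findings.Add("HTTPS listener: self-signed certificate '$($cert.Subject)', clients have to skip CA/CN checks.")
        }
    }
}

# 2. Service settings (the same values 'winrm get winrm/config/Service' prints)
$svc              = 'WSMan:\localhost\Service'
$allowUnencrypted = (Get-Item "$svc\AllowUnencrypted").Value
$basic            = (Get-Item "$svc\Auth\Basic").Value
$credssp          = (Get-Item "$svc\Auth\CredSSP").Value
$cbt              = (Get-Item "$svc\Auth\CbtHardeningLevel").Value

if ($allowUnencrypted -eq 'true') {
    $findings.Add('AllowUnencrypted=true: Basic credentials and payloads may travel in clear text over HTTP.')
}
if ($basic -eq 'true') {
    $findings.Add('Basic=true: the password reaches the server in the clear inside TLS; bootstrap only, prefer Kerberos/Negotiate after the domain join.')
    if ($DisableBasicAuth) { Set-Item "$svc\Auth\Basic" -Value $false; 'Basic auth disabled' }
}
if ($credssp -eq 'true') { $findings.Add('CredSSP=true: delegated credentials are handed to the remote host.') }
if ($cbt -ne 'Strict')   { $findings.Add("CbtHardeningLevel=$($cbt): channel binding tokens are not enforced on the HTTPS listener.") }

# 3. LocalAccountTokenFilterPolicy=1 (set by the script) gives non-built-in local admins a full
#    token over the network; required for Ansible with a local account, useful for lateral movement too.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
if ($pol.LocalAccountTokenFilterPolicy -eq 1) {
    $findings.Add('LocalAccountTokenFilterPolicy=1: remote UAC token filtering is off for local administrators.')
}

''
'Findings:'
$findings | ForEach-Object { " - $_" }
```

Run it elevated on the Master VM, with -RemoveHttpListener once the HTTPS listener has been confirmed working, since Ansible will be pointed at port 5986 anyway. Keep Basic enabled until the domain join unless the Ansible controller is switched to ansible_winrm_transport: ntlm, which also works with a local account and encrypts the WinRM messages itself.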
Let's try WinRM from another Windows computer in the same network as the Master VM:
PS C:\_AUTOMATION> $username = "tmm-azadmin"
PS C:\_AUTOMATION> $password = ConvertTo-SecureString -String "xXxXxXxXxXxXxXxXxXxXx" -AsPlainText -Force
PS C:\_AUTOMATION> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
PS C:\_AUTOMATION>
PS C:\_AUTOMATION> $session_option = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
PS C:\_AUTOMATION> Invoke-Command -ComputerName TMM-GK-W2K22-NO -UseSSL -ScriptBlock { ipconfig } -Credential $cred -SessionOption $session_option
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : reddog.microsoft.com
Link-local IPv6 Address . . . . . : fe80::6f37:6df4:39f5:9d17%7
IPv4 Address. . . . . . . . . . . : 172.31.4.16
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.31.4.1
PS C:\_AUTOMATION>
The successful output of ipconfig confirms the WinRM configuration on the Master Server VM. Note that -SkipCACheck, -SkipCNCheck and -SkipRevocationCheck switch off validation of the server certificate, which is unavoidable with the self-signed certificate the script generated; Ansible needs the equivalent setting (ansible_winrm_server_cert_validation: ignore) for the same reason. Replacing the self-signed certificate with one issued by an internal CA removes the need for these workarounds.
If WinRM is not an option, we can install an OpenSSH server on the Master VM instead.
CAUTION: the Chocolatey package used below installs the Win32-OpenSSH release from GitHub, which is not supported by Microsoft. Windows Server 2022 also ships OpenSSH Server as an optional feature (the OpenSSH.Server capability, installable with Add-WindowsCapability and serviced through Windows Update); that is the supported route and should be preferred on a master image.
Configuring the VM for OpenSSH-based Remote Administration
After logging on to the VM using local administrative credentials, we install OpenSSH using the Chocolatey package manager.
First, Chocolatey itself must be installed with PowerShell. The official one-liner downloads install.ps1 over TLS 1.2 and pipes it straight into Invoke-Expression; on a master image that every later VM is cloned from, it is worth downloading the script to disk, reviewing it and running it from there instead, so that what ends up on the image is something you have actually looked at:
PS C:\_AUTOMATION> Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Forcing web requests to allow TLS v1.2 (Required for requests to Chocolatey.org) Getting latest version of the Chocolatey package for download. Not using proxy. Getting Chocolatey from https://community.chocolatey.org/api/v2/package/chocolatey/2.3.0. Downloading https://community.chocolatey.org/api/v2/package/chocolatey/2.3.0 to C:\Users\TMM-AZ~1\AppData\Local\Temp\2\chocolatey\chocoInstall\chocolatey.zip
Not using proxy.
Extracting C:\Users\TMM-AZ~1\AppData\Local\Temp\2\chocolatey\chocoInstall\chocolatey.zip to C:\Users\TMM-AZ~1\AppData\Local\Temp\2\chocolatey\chocoInstall
Installing Chocolatey on the local machine
Creating ChocolateyInstall as an environment variable (targeting 'Machine')
Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
WARNING: It's very likely you will need to close and reopen your shell
before you can use choco.
Restricting write permissions to Administrators
We are setting up the Chocolatey package repository.
...
Chocolatey CLI (choco.exe) is now ready.
Ensuring Chocolatey commands are on the path
Ensuring chocolatey.nupkg is in the lib folder
PS C:\_AUTOMATION> choco --version
2.3.0
PS C:\_AUTOMATION> choco install --package-parameters=/SSHServerFeature openssh
Chocolatey v2.3.0
Installing the following packages:
openssh
By installing, you accept licenses for the packages.
Downloading package from source 'https://community.chocolatey.org/api/v2/'
Progress: Downloading openssh 8.0.0.1... 100%
...
Probing for possible conflicts with SSHD server to be configured on port 22 ...
Hashes for internal source match
C:\Program Files\OpenSSH-Win64
C:\Program Files\OpenSSH-Win64\FixHostFilePermissions.ps1
C:\Program Files\OpenSSH-Win64\FixUserFilePermissions.ps1
C:\Program Files\OpenSSH-Win64\install-sshd.ps1
C:\Program Files\OpenSSH-Win64\libcrypto.dll
C:\Program Files\OpenSSH-Win64\openssh-events.man
C:\Program Files\OpenSSH-Win64\OpenSSHUtils.psd1
C:\Program Files\OpenSSH-Win64\OpenSSHUtils.psm1
C:\Program Files\OpenSSH-Win64\scp.exe
C:\Program Files\OpenSSH-Win64\sftp-server.exe
C:\Program Files\OpenSSH-Win64\sftp.exe
C:\Program Files\OpenSSH-Win64\ssh-add.exe
C:\Program Files\OpenSSH-Win64\ssh-agent.exe
C:\Program Files\OpenSSH-Win64\ssh-keygen.exe
C:\Program Files\OpenSSH-Win64\ssh-keyscan.exe
C:\Program Files\OpenSSH-Win64\ssh-shellhost.exe
C:\Program Files\OpenSSH-Win64\ssh.exe
C:\Program Files\OpenSSH-Win64\sshd.exe
C:\Program Files\OpenSSH-Win64\sshd_config_default
C:\Program Files\OpenSSH-Win64\uninstall-sshd.ps1
C:\Program Files\OpenSSH-Win64\Set-SSHDefaultShell.ps1
PATH environment variable does not have C:\Program Files\OpenSSH-Win64 in it. Adding...
Ensuring all ssh key and configuration files have correct permissions for all users
[*] C:\ProgramData\ssh\sshd_config
Inheritance is removed from 'C:\ProgramData\ssh\sshd_config'.
'NT AUTHORITY\Authenticated Users' has no more access to 'C:\ProgramData\ssh\sshd_config'.
Repaired permissions.
Starting SSHD...
WARNING: Waiting for service 'SSHD (sshd)' to start...
NEW VERSIONS OF SSH EXES:
FileName FileVersion
-------- -----------
C:\Program Files\OpenSSH-Win64\scp.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\sftp-server.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\sftp.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\ssh-add.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\ssh-agent.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\ssh-keygen.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\ssh-keyscan.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\ssh-shellhost.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\ssh.exe 8.0.0.0
C:\Program Files\OpenSSH-Win64\sshd.exe 8.0.0.0
WARNING: You must start a new prompt, or use the command 'refreshenv' (provided by your chocolatey install) to re-read the environment for the tools to be available in this shell session.
Environment Vars (like PATH) have changed. Close/reopen your shell to
see the changes (or in powershell/cmd.exe just type `refreshenv`).
The install of openssh was successful.
Deployed to 'C:\Users\tmm-azadmin\AppData\Local\Temp\chocolatey\OpenSSHTemp'
Chocolatey installed 1/1 packages.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
PS C:\_AUTOMATION>
The OpenSSH server is now installed, started as the sshd service and listening on port 22. Note the version: the Chocolatey package is 8.0.0.1, i.e. OpenSSH 8.0 from 2019, and it will not be updated by Windows Update. Before Ansible can use it, a few things remain to be done by hand: install the controller's public key for the administrative account, disable password authentication, and set PowerShell as the default shell, which Ansible's SSH connection to Windows hosts expects (ansible_shell_type: powershell).
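The following PowerShell script is an added example, not part of the original post or of the Chocolatey package, that carries out that post-install work. It assumes sshd is registered as the service 'sshd' with its configuration under C:\ProgramData\ssh and the binaries under C:\Program Files\OpenSSH-Win64 (as in the install output above); the controller's public key, the management subnet 172.31.4.0/24 and the firewall rule name are placeholders to replace.

```powershell
# Added example (not from the original post or the Chocolatey package): finish the OpenSSH
# server setup for Ansible. Assumes the 'sshd' service, config under C:\ProgramData\ssh and
# binaries under C:\Program Files\OpenSSH-Win64, as in the install output above.
param(
    [string]$ControllerPublicKey = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-placeholder ansible@controller',  # placeholder
    [string]$ManagementCidr      = '172.31.4.0/24',   # assumption: subnet of the jump host / controller
    [int]   $Port                = 22
)
$sshDir    = Join-Path $env:ProgramData 'ssh'
$config    = Join-Path $sshDir 'sshd_config'
$adminKeys = Join-Path $sshDir 'administrators_authorized_keys'
$sshdExe   = Join-Path $env:ProgramFiles 'OpenSSH-Win64\sshd.exe'

# 1. PowerShell as default shell; sshd reads it from HKLM:\SOFTWARE\OpenSSH\DefaultShell.
#    Ansible then needs ansible_shell_type: powershell for these hosts.
if (-not (Test-Path 'HKLM:\SOFTWARE\OpenSSH')) { New-Item -Path 'HKLM:\SOFTWARE\OpenSSH' | Out-Null }
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -PropertyType String -Force `
    -Value (Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe') | Out-Null

# 2. Key for members of Administrators. Win32-OpenSSH reads them from administrators_authorized_keys
#    and rejects the file unless only SYSTEM and Administrators (given as SIDs, so the group
#    names need not be English) can access it.
if (-not (Test-Path $adminKeys) -or -not (Select-String -Path $adminKeys -Pattern $ControllerPublicKey -SimpleMatch -Quiet)) {
    Add-Content -Path $adminKeys -Value $ControllerPublicKey -Encoding ascii
}
icacls.exe $adminKeys /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null

# 3. sshd_config: key-only auth. Settings go BEFORE the first 'Match' line; anything after
#    'Match Group administrators' applies only inside that block, and global-only keywords
#    such as Port or LogLevel placed there stop sshd from starting at all.
$settings = [ordered]@{
    Port                   = "$Port"
    LogLevel               = 'VERBOSE'
    MaxAuthTries           = '3'
    PubkeyAuthentication   = 'yes'
    PasswordAuthentication = 'no'
    PermitEmptyPasswords   = 'no'
}
$lines = @(Get-Content $config)
$matchIdx = -1
for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match '^\s*Match\s') { $matchIdx = $i; break } }
if ($matchIdx -lt 0)     { $head = $lines; $tail = @() }
elseif ($matchIdx -eq 0) { $head = @(); $tail = $lines }
else                     { $head = @($lines[0..($matchIdx - 1)]); $tail = @($lines[$matchIdx..($lines.Count - 1)]) }
foreach ($k in $settings.Keys) {
    $head = @($head | Where-Object { $_ -notmatch "^\s*#?\s*$k\s" })   # drop existing or commented value
    $head += "$k $($settings[$k])"
}
Copy-Item $config "$config.bak" -Force
Set-Content -Path $config -Value ($head + $tail) -Encoding ascii

# 4. Let sshd validate the file before it is used; restore the backup if it is rejected.
& $sshdExe -t -f $config
if ($LASTEXITCODE -ne 0) {
    Copy-Item "$config.bak" $config -Force
    throw 'sshd rejected the new configuration, backup restored.'
}

# 5. Firewall: SSH only from the management subnet. Any other inbound rule for the same port
#    (the Chocolatey install may have added one open to everybody) is disabled.
$ruleName = 'OpenSSH-Server-In-TCP-Mgmt'   # assumption
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName -DisplayName 'OpenSSH Server (management subnet only)' `
        -Direction Inbound -Protocol TCP -LocalPort $Port -RemoteAddress $ManagementCidr -Action Allow | Out-Null
}
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Name -ne $ruleName } |
    Disable-NetFirewallRule

# 6. Make sshd start automatically and verify the port answers locally.
Set-Service -Name sshd -StartupType Automatic
Restart-Service -Name sshd
(Test-NetConnection -ComputerName localhost -Port $Port).TcpTestSucceeded
```

Run it elevated on the Master VM. The point that most often bites here is step 3: the Win32-OpenSSH default sshd_config ends with a Match Group administrators block, so settings simply appended to the file land inside that block, where Port or LogLevel are illegal and sshd refuses to start; the script therefore inserts them before the first Match line and lets sshd -t validate the result before the service is restarted. After the restart, a login from the controller with ssh -i <key> tmm-azadmin@<vm> should drop straight into a PowerShell prompt, and a password login should be refused.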
Our Master VM is now ready for configuration using Terraform and Ansible.
In the next part, we will run the first important Ansible playbooks on the Windows Server VMs:
- Joining the Virtual Machines to an Active Directory Domain
- Deploying and Configuring the Citrix Cloud Connector software on the Domain-joined VMs