Administration Guide

WinRM Device Profile Requirements and Setup


Requirements:

  • WinRM service must be enabled on endpoints.

  • The WinRM port (5986 for HTTPS, or 5985 for HTTP, which is insecure) must be open and reachable through the firewall by the FortiNAC Application server. HTTPS (5986) is strongly encouraged for security purposes.

  • NTLM authentication with domain credentials authorized to run the PowerShell commands Get-WmiObject, Get-ItemProperty, Get-Service, Get-Process, and ConvertTo-Json, and to read the registry.

  • Minimum Windows Management Framework (WMF) version: 3.0

Supported Windows Versions:

  • Windows Server 2008 R2 SP1 - With WMF 3.0
  • Windows 7 SP1 - With WMF 3.0
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10 (All versions)
  • Windows Server 2016
  • Windows Server 2019

Endpoint Setup Instructions

If desired, the configuration of domain endpoints to support WinRM can be done through these steps. They are required to configure a secure HTTPS connection from FortiNAC to endpoints using WinRM. The following settings should be the result:

  • WinRM Listener on port 5986 with transport HTTPS
  • Certificate enrollment resulting in a certificate on the endpoint with hostname as subject (e.g. CN=hostname.example.com) and "Server Authentication" key usage.
  • Inbound Windows Firewall rule for port 5986
  • Windows Remote Management service enabled.
Note

If you want to forgo security, you can use the alternate steps to configure and use HTTP while allowing unencrypted content. However, this is not recommended for security reasons.

  1. Open Windows PowerShell or a command prompt. Run the following command to determine if you already have WinRM over HTTPS configured:

    winrm enumerate winrm/config/listener

    If you see a listener on port 5986 with Transport = HTTPS, WinRM over HTTPS is already configured and no further steps are necessary.

  2. If WinRM over HTTPS is not already configured, run the following command on a typical domain-joined workstation as an administrator:

    winrm quickconfig -transport:https -force

    If an error is returned indicating there is no appropriate certificate, a certificate template will need to be configured for enrollment. Otherwise, run step 1 again. If a listener is shown, skip to the Group Policy Configuration.

Create a Certificate Template

  1. Open Active Directory Certificate Services. This can be done through the Server Manager or from Administrative Tools.
  2. Expand the Certificate Authority (CA) and select Certificate Templates. Select Action > Manage.
  3. Select the Workstation Authentication template. Select Action > Duplicate.
  4. Change Template Display Name to FortiNAC WinRM
  5. Select the Subject Name tab > Build from this Active Directory Information. Fill in the following fields:
    1. Subject name format: DNS name
    2. Alternate subject name: DNS name
  6. Select Security tab > Application Policies > Edit > Add > Server Authentication.

    (Optionally, select Client Authentication and click the remove button)

  7. Select OK to dismiss the Edit Application Policies Extension dialog.
  8. Select OK to dismiss the FortiNAC WinRM Properties dialog.
  9. Close the window.
  10. Select Certificate Template and choose Action > New > Certificate to issue
  11. Choose FortiNAC WinRM and select OK.
  12. If required, create a new Group Policy Object for Certificate Enrollment.

Create a Group Policy Object to configure WinRM

  1. Create a Group Policy Object (GPO) named FortiNAC WinRM
  2. Select the GPO and choose Action > Edit
  3. Navigate to Computer Configurations > Policies > Windows Settings > Security Settings > System Services
  4. Double-click Windows Remote Management (WS-Management)
  5. Tick the box for Define this policy setting and select Automatic.
  6. Select OK
  7. Navigate to Computer Configurations > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Expand > Inbound Rules
  8. Right-click and select New Rule
  9. Select Port > Next > TCP. Enter 5986 in Specific local ports. Select Next.
  10. Select Allow the Connection > Next.
  11. Un-tick the box for Private and Public. Leave only Domain ticked.
  12. Name the rule WinRM HTTPS for FortiNAC. Select Finish.

Optionally, restrict to your FortiNAC Application Server IP Address.

  1. Double-click the rule.
  2. Click the scope tab
  3. Under Remote IP Address, select These IP Addresses
  4. Select Add and enter the addresses for your FortiNAC appliances.
  5. Navigate to Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown)
  6. Double-click Startup
  7. Select Show Files
  8. Create a new batch file or other script you're comfortable with. Name it winrm-enable.bat
  9. The contents of the file should be the following command:

    winrm quickconfig -transport:https -force

  10. Select Add > Browse
  11. Select winrm-enable.bat
  12. Select OK to dismiss any dialogs.
  13. Close the Group Policy Management Editor
  14. Link the FortiNAC WinRM GPO as needed
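
Once the GPO has applied, the resulting settings listed under Endpoint Setup Instructions can be checked on an endpoint with a script such as the following. This is an added example, not part of the Fortinet guide; the function name Test-WinRmHttpsState is hypothetical, and the firewall rule name is the one created in the steps above.

```powershell
# Added example, not Fortinet code. Run elevated on the endpoint (WMF 3.0+).
function Test-WinRmHttpsState {            # hypothetical helper name
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Listener on 5986 with Transport = HTTPS (same data as step 1's winrm enumerate)
    $listener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' -and $_.Port -eq '5986' } |
        Select-Object -First 1

    # Certificate bound to that listener: CN = hostname, Server Authentication, in date
    $subjectOk = $false; $ekuOk = $false; $inDate = $false
    if ($listener -and $listener.CertificateThumbprint) {
        $thumb = $listener.CertificateThumbprint -replace '\s', ''
        $cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if ($cert) {
            $subjectOk = $cert.Subject -match ('CN=' + [regex]::Escape($fqdn) + '(,|$)')
            $ekus = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
            $ekuOk  = $ekus -contains $serverAuthOid
            $now    = Get-Date
            $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
    }

    # Service start mode pushed by the GPO (System Services > Automatic)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"

    # Inbound rule named in the GPO; the NetSecurity cmdlets need Windows 8 / 2012 or later
    $fwOk = $null   # stays $null (not checked) on Windows 7 / Server 2008 R2
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rule = Get-NetFirewallRule -PolicyStore ActiveStore `
            -DisplayName 'WinRM HTTPS for FortiNAC' -ErrorAction SilentlyContinue
        $fwOk = [bool]($rule | Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
    }

    [pscustomobject]@{
        HttpsListener5986   = [bool]$listener
        CertSubjectIsHost   = [bool]$subjectOk
        CertServerAuthEku   = [bool]$ekuOk
        CertInValidity      = [bool]$inDate
        ServiceAutomatic    = ($svc.StartMode -eq 'Auto')
        FirewallRuleActive  = $fwOk
        UnencryptedDisabled = ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'false')
    }
}
Test-WinRmHttpsState | Format-List
```

Every property should read True on an endpoint configured through the HTTPS steps; UnencryptedDisabled reading False indicates the alternate HTTP configuration has been applied.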

Alternate steps to configure WinRM.

Caution

Typically insecure configuration

  1. Create a GPO FortiNAC WinRM
  2. Select the GPO and choose Action->Edit
  3. Navigate to Computer configuration -> Policies -> Windows Settings -> Security Settings -> System Services
  4. Double-click Windows Remote Management (WS-Management)
  5. Tick Define this policy setting and select "Automatic"
  6. Click OK.
  7. Navigate to Computer configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Expand -> Inbound Rules
  8. Right-click and select New Rule
  9. Select Predefined > Windows Remote Management > Next
  10. Untick the compatibility mode which opens port 80 and click Next.
  11. Select Allow the Connection and click Finished.

Optionally, restrict to your FortiNAC Application Server IP Address.

  1. Double-click the rule.
  2. Click the scope tab
  3. Under Remote IP Address, select These IP Addresses
  4. Select Add and enter the addresses for your FortiNAC appliances.
  5. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service
  6. Enable Allow remote server management through WinRM with * as the IPv4 and IPv6 filters.
  7. Enable Allow unencrypted traffic
  8. Close the Group Policy Management Editor
  9. Link the FortiNAC WinRM GPO as needed.
