WinRM Device Profile Requirements and Setup
Requirements:
- WinRM service must be enabled on endpoints.
- The WinRM HTTP port(s) (5986 or 5985 (insecure)) must be enabled and available through the firewall to the FortiNAC Application Server. HTTPS (5986) is strongly encouraged for security purposes.
- NTLM authentication with domain credentials authorized to run the PowerShell commands get-wmiobject, get-itemproperty, get-service, get-process, convertto-json, and to read the registry.
- Minimum Windows Management Framework (WMF) version: 3.0
Supported Windows Versions:
- Windows Server 2008 R2 SP1 - with WMF 3.0
- Windows 7 SP1 - with WMF 3.0
- Windows 8.1
- Windows Server 2012 R2
- Windows 10 (all versions)
- Windows Server 2016
- Windows Server 2019
Endpoint Setup Instructions
If desired, domain endpoints can be configured to support WinRM through these steps. They are required to configure a secure HTTPS connection from FortiNAC to endpoints using WinRM. The following settings should be the result:
- WinRM listener on port 5986 with transport HTTPS
- Certificate enrollment resulting in a certificate on the endpoint with the hostname as subject (e.g. CN=hostname.example.com) and the "Server Authentication" key usage.
- Inbound Windows Firewall rule for port 5986
- Windows Remote Management service enabled.
If you want to forgo security, you can use the alternate steps to configure and use HTTP while allowing unencrypted content. However, this is not recommended for security reasons.
1. Open Windows PowerShell or a command prompt. Run the following command to determine if you already have WinRM over HTTPS configured:
winrm enumerate winrm/config/listener
If you see a listener on port 5986 with Transport = HTTPS, WinRM over HTTPS is already configured and no further steps are necessary.
2. If WinRM over HTTPS is not already configured, run the following command on a typical domain-joined workstation as an administrator:
winrm quickconfig -transport:https -force
If an error is returned indicating there is no appropriate certificate, a certificate template will need to be configured for enrollment. Otherwise, run step 1 again. If a listener is shown, skip to the Group Policy configuration.
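The "no appropriate certificate" error in step 2 comes from winrm quickconfig finding no machine certificate that fits the listener requirements listed above (hostname as subject or DNS SAN, Server Authentication key usage, private key present, currently valid). The following script is an added example, not part of the FortiNAC documentation, that lists every certificate in the local machine store and states which of those requirements each one fails, so the reason for the error is visible before a template is built. It assumes it runs elevated on the endpoint itself and that the SAN extension formats as "DNS Name=..." lines (English Windows localisation); the function name Test-WinRMCertificate is my own.

```powershell
# Added example (not from the FortiNAC documentation): explain why 'winrm quickconfig
# -transport:https' may report no appropriate certificate on this endpoint.
# Assumes: elevated PowerShell on the endpoint; English-localised SAN formatting.

# Hostname the certificate must name (FQDN when domain-joined, otherwise short name)
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-WinRMCertificate {
    # Hypothetical helper: returns one object per certificate with the reasons it is not usable
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $reasons = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if ($Cert.NotAfter -lt $now)   { $reasons += 'expired' }
    if ($Cert.NotBefore -gt $now)  { $reasons += 'not yet valid' }

    # Enhanced key usage must include Server Authentication
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
    if (-not $hasServerAuth) { $reasons += 'missing Server Authentication EKU' }

    # Collect the names the certificate carries: subject CN plus any DNS SAN entries
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
    }
    if (-not ($names -contains $HostName)) {
        $reasons += "no name matches $HostName (found: $($names -join ', '))"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Eligible   = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-WinRMCertificate -Cert $_ -HostName $fqdn }
$results | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.Eligible })) {
    Write-Warning "No eligible certificate for $fqdn. Enrol one from the FortiNAC WinRM template (or an equivalent) before running 'winrm quickconfig -transport:https'."
}
```

Run it once on the workstation where step 2 failed; a row with Eligible = True means quickconfig should succeed on a second attempt, while the Reasons column for the other rows tells you whether the gap is the subject name, the key usage or simply an expired certificate.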
Create a Certificate Template
- Open Active Directory Certificate Services. This can be done through the Server Manager or from Administrative Tools.
- Expand the Certificate Authority (CA) and select Certificate Templates. Select Action > Manage.
- Select the Workstation Authentication template. Select Action > Duplicate.
- Change Template Display Name to FortiNAC WinRM.
- Select the Subject Name tab > Build from this Active Directory information. Fill in the following fields:
  - Subject name format: DNS name
  - Alternate subject name: DNS name
- Select the Security tab > Application Policies > Edit > Add > Server Authentication. (Optionally, select Client Authentication and click the Remove button.)
- Select OK to dismiss the Edit Application Policies Extension dialog.
- Select OK to dismiss the FortiNAC WinRM Properties dialog.
- Close the window.
- Select Certificate Templates and choose Action > New > Certificate to issue.
- Choose FortiNAC WinRM and select OK.
- If required, create a new Group Policy Object for certificate enrollment.
Create a Group Policy Object to configure WinRM
- Create a Group Policy Object (GPO) named FortiNAC WinRM.
- Select the GPO and choose Action > Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
- Double-click Windows Remote Management (WS-Management).
- Tick the box for Define this policy setting and select Automatic.
- Select OK.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Expand > Inbound Rules.
- Right-click and select New Rule.
- Select Port > Next > TCP. Enter 5986 in Specific local ports. Select Next.
- Select Allow the Connection > Next.
- Un-tick the boxes for Private and Public. Leave only Domain ticked.
- Name the rule WinRM HTTPS for FortiNAC. Select Finish.
Optionally, restrict the rule to your FortiNAC Application Server IP address:
- Double-click the rule.
- Click the Scope tab.
- Under Remote IP Address, select These IP Addresses.
- Select Add and enter the addresses for your FortiNAC appliances.
- Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
- Double-click Startup.
- Select Show Files.
- Create a new batch file or other script you're comfortable with. Name it winrm-enable.bat.
- The contents of the file should be the following command:
winrm quickconfig -transport:https -force
- Select Add > Browse.
- Select winrm-enable.bat.
- Select OK to dismiss any dialogs.
- Close the Group Policy Management Editor.
- Link the FortiNAC WinRM GPO as needed.
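The one-line winrm-enable.bat above runs quickconfig on every boot and gives no feedback when it fails (for example, because the certificate has not enrolled yet on that machine). The script below is an added example, not part of the FortiNAC documentation, of the "other script you're comfortable with" option: a PowerShell startup script that only runs quickconfig when no HTTPS listener exists, confirms a listener appeared afterwards, and records the outcome in the Application event log so failures across the domain can be found centrally. It assumes it runs as SYSTEM from the GPO startup-script context (so it is elevated and the service can be started), and the event source name FortiNAC-WinRM and event IDs are my own choices.

```powershell
# Added example (not from the FortiNAC documentation): idempotent PowerShell alternative
# to winrm-enable.bat for the FortiNAC WinRM GPO startup script.
# Assumes: runs as SYSTEM at startup; a suitable certificate is enrolled on the machine.

$source = 'FortiNAC-WinRM'   # assumed event source name; created on first run
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

function Write-Outcome {
    param([string]$Type, [int]$Id, [string]$Message)
    Write-EventLog -LogName Application -Source $source -EntryType $Type -EventId $Id -Message $Message
}

function Get-HttpsListener {
    # Hypothetical helper: the WSMan: drive lists one child per listener, keyed by Transport
    Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
}

# The WSMan: provider talks to the local service, so make sure it is up first
if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }

if (Get-HttpsListener) {
    Write-Outcome -Type Information -Id 1000 -Message 'WinRM HTTPS listener already present; nothing to do.'
    exit 0
}

# Same command the batch file runs; capture its text so a failure reason is logged
$output = & winrm quickconfig -transport:https -force 2>&1 | Out-String

$listener = Get-HttpsListener
if ($listener) {
    $port = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
        Where-Object { $_.Name -eq 'Port' }).Value
    Write-Outcome -Type Information -Id 1001 -Message "Created WinRM HTTPS listener on port $port."
    exit 0
}

Write-Outcome -Type Error -Id 1002 -Message "winrm quickconfig did not produce an HTTPS listener:`r`n$output"
exit 1
```

Add it under the PowerShell Scripts tab of the Startup properties instead of the Scripts tab used for the batch file. Event ID 1002 entries can then be collected with event forwarding or your SIEM to list the machines that still have no HTTPS listener, which is also the set FortiNAC will fail to profile.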
Alternate Steps to Configure WinRM (typically insecure configuration)
- Create a GPO named FortiNAC WinRM.
- Select the GPO and choose Action > Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
- Double-click Windows Remote Management (WS-Management).
- Tick Define this policy setting and select Automatic.
- Click OK.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Expand > Inbound Rules.
- Right-click and select New Rule.
- Select Predefined > Windows Remote Management > Next.
- Untick the compatibility mode rule, which opens port 80, and click Next.
- Select Allow the Connection and click Finish.
Optionally, restrict the rule to your FortiNAC Application Server IP address:
- Double-click the rule.
- Click the Scope tab.
- Under Remote IP Address, select These IP Addresses.
- Select Add and enter the addresses for your FortiNAC appliances.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
- Enable Allow remote server management through WinRM with * as the IPv4 and IPv6 filters.
- Enable Allow unencrypted traffic.
- Close the Group Policy Management Editor.
- Link the FortiNAC WinRM GPO as needed.
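Because these alternate steps leave WinRM listening in cleartext on every address, it is worth being able to find endpoints that ended up in this state, whether from this GPO or from someone running the steps by hand. The script below is an added example, not part of the FortiNAC documentation, that audits one endpoint for exactly the settings the alternate steps produce: the two WinRM Service policy values written by the GPO, the service's live AllowUnencrypted setting, any HTTP listener, and an enabled compatibility-mode firewall rule on TCP 80. It assumes it runs elevated on the endpoint; the registry value names are the standard ones behind the two policies named above, and the Get-NetFirewallRule check is skipped where that cmdlet is absent (Windows 7 / 2008 R2).

```powershell
# Added example (not from the FortiNAC documentation): audit this endpoint for the
# insecure WinRM configuration the alternate GPO produces.
# Assumes: elevated PowerShell on the endpoint being checked.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values written by the two GPO settings
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
if ($policy) {
    if ($policy.AllowUnencryptedTraffic -eq 1) {
        $findings.Add("Policy 'Allow unencrypted traffic' is enabled (AllowUnencryptedTraffic=1)")
    }
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        if ($policy.$name -eq '*') {
            $findings.Add("Policy $name is '*' (WinRM listens on every address)")
        }
    }
}

# 2. Live service state, which can also be set outside Group Policy
if ((Get-Service WinRM).Status -eq 'Running') {
    if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
        $findings.Add('Service setting AllowUnencrypted is true')
    }
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $props = Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)"
        $transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
        $port      = ($props | Where-Object { $_.Name -eq 'Port' }).Value
        if ($transport -eq 'HTTP') {
            $findings.Add("HTTP listener on port $port (cleartext transport)")
        }
    }
}

# 3. Firewall: the predefined WinRM group contains a compatibility rule for TCP 80
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.LocalPort -eq '80') {
            $findings.Add("Firewall rule '$($r.DisplayName)' allows TCP 80 (compatibility mode)")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No insecure WinRM settings found on $($env:COMPUTERNAME)."
} else {
    Write-Output "Insecure WinRM settings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

An empty result on a machine that FortiNAC profiles successfully means the profile is using the HTTPS path from the main steps; any finding is a machine to move back onto the FortiNAC WinRM HTTPS GPO, after which the AllowUnencryptedTraffic and filter values should disappear from the policy key on the next policy refresh.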