Hi guys, I don’t exactly know why but apparently there are no articles out there, with a good step by step guide to connect from your local pc to a Windows Server 2012 R2 instance hosted on Amazon AWS on EC2, this short article aims to fill this gap:
- This article assumes some knowledge of AWS, the EC2 service and of Windows Server 2012 but nothing is complicated and I’ve added many links with large documentation
- The Powershell comunication uses on the WinRM protocol, therefore it needs a specific port reachable 5985 TCP on the server (be advised, the default transport protocol will be the insecure HTTP).
- The WinRM service is enable by default on WIN2012 R2 but the default Windows Firewall configuration is to allow connections on the 5985 port only from the same subnet of the machine, therefore we need to login to the machine using RDP an modify the default configuration of that firewall rule.
- If your pc (the client !) is not part of the domain of the remote server you need to add the remote server into the list of your trusted hosts on YOUR pc (covered below).
- Deploy the VM with Windows Server 2012 ( docs )
- Modify the security group of the instance, adding a rule to open the port 5985 TCP from your IP/ or from anywhere ( docs )
- Wait a few minutes for the machine to boot up completely and then connect to it using the Remote Desktop protocol (RDP), aka the usual way to connect to win istance on EC2 ( docs )
- Modify the Windows firewall configuration to allow incoming connections to the port 5985 from any ip (or as you please 🙂 ), to do so you can : Control Panel -> Windows Firewall -> Advanced Settings -> Inbound Rules -> “Windows Remote Management (HTTP-In)” where the profile is PUBLIC (make sure to choose the right one !) -> Properties -> Scope -> Remote IP Addresses -> Any IP Address (or know better ! )
Use this simple Powershell command:
Set-NetFirewallRule -Name “WINRM-HTTP-In-TCP-PUBLIC” -RemoteAddress “Any”
- Reboot the Windows Firewall service ( don’t ask me why, but sometimes the rules are not picked up until a reboot of the service, I’ve witnessed that myself ) (docs)
- Then make sure that the WinRM protocol is working correctly on the server machine running this comand in a shell (not really needed, just to make sure it works) Enable-PSRemoting –force
- Then move to your local machine and make sure the WinRM service is working here as well, in a privileged shell:
Start-Service -Name Winrm
- Then add the remote host as a trusted host, running this command into a privileged shell :
Set–Item WSMan:\localhost\Client\TrustedHosts –Value “XXXXXXXXX.eu-west-1.compute.amazonaws.com”
or, possibly smarter maybe not super secure, use a wildcard :
Set–Item WSMan:\localhost\Client\TrustedHosts –Value “*”
- Then connect to the remote machine using one of the various options provided by powershell such as :
Enter-PSSession -ComputerName “XXXXXXX.eu-west-1.compute.amazonaws.com” -Credential $(Get-Credential)
Inserting the login credentials of the remote machine when requested to ( docs )
The WinRM service can be configured server side to use the more secure HTTPS on port 5986 or a COMPATIBLITY MODE running on port 80, used usually for firewall related issues ( docs).
Older versions of Windows have different requirements to set up Powershell Remoting / WinRM ( docs ).
And, obviously, this guide is generazible to many other IaaS services (Azure, Digial Ocean).
Hope this helps somebody !