3NCORE
Mar 01, 2024

Modernized Gateway - WinRM over HTTPS

Hi

I wanted to try the modernized gateway preview but I get the "WinRM cannot complete the operation" when trying to connect to any server imported in WAC.

The same action works just fine with the 2311 version though. It's like the Modernized Gateway just ignores the "Force WinRM over HTTPS" setting.

Has anyone faced the same issue? Is there a workaround for this? We do not want WinRM over HTTP.

  • It's still a complicated topic because of the certs. Plus, you have to alter the WinRM listener, at best turn off HTTP, etc. So lots of manual or GPO work here, and if you don't nail it you are locked out of remote management. Perhaps instead of HTTPS you might want to follow the MSFT recommendation to use a PAWS + limit the firewall of the server to manage to this IP. So no one outside the PAWS can do remote WinRM / PS etc. That's already very secure. Does this help?

    • 3NCORE

      Hello Karl,
      Thanks for the reply. I'll add some context because I'm not sure I understand the answer. We're already using WAC with WinRM over HTTPS configured on ~100 machines. Each managed machine has its valid certificate and its listener configured to use HTTPS as transport. We're also using firewall restriction so only the WAC gateway can do remote WinRM to these.
      We're only allowing 5986 via the firewall and this configuration has been working nicely on the public version of WAC 2311.
      However, we want to upgrade to the Modernized Gateway but it seems that WinRM over HTTPS just does not work on the Public Preview. Even though the box "Force WinRM over HTTPS" was ticked during install, the WAC server is not able to connect to any of the hosts which have been configured to listen to HTTPS only. Just like if it tried to query HTTP instead.
      I agree with the network isolation being already very secure, I just do not believe switching to plain HTTP is the way to go since it worked great on 2311 and this behaviour rather looks like a bug in the modernized gateway.
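
One way to confirm the configuration described in this thread from the gateway host, as an added example that is not part of the original posts or of Windows Admin Center. The node names are constructed placeholders and `Test-TcpPort` is a hypothetical helper defined here.

```powershell
# Run from the WAC gateway host. Node names are constructed placeholders.
$nodes = @('node01.example.internal', 'node02.example.internal')

# Hypothetical helper: TCP connect test with a short timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false   # refused, filtered or unresolved
    } finally {
        $client.Dispose()
    }
}

$results = foreach ($node in $nodes) {
    $wsmanHttps = $false
    $err = $null
    try {
        # -UseSSL sends the WS-Man identify request over HTTPS (port 5986 by default).
        Test-WSMan -ComputerName $node -UseSSL -ErrorAction Stop | Out-Null
        $wsmanHttps = $true
    } catch {
        $err = $_.Exception.Message   # certificate or transport failure text
    }
    [pscustomobject]@{
        Node        = $node
        Tcp5985Open = Test-TcpPort -ComputerName $node -Port 5985   # HTTP listener port
        Tcp5986Open = Test-TcpPort -ComputerName $node -Port 5986   # HTTPS listener port
        WsmanHttps  = $wsmanHttps
        Error       = $err
    }
}
$results | Format-Table -AutoSize

# Run on a managed node: list the configured listeners and their transports.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Port, Enabled, CertificateThumbprint
```

With the setup described above (HTTPS-only listeners, only 5986 allowed from the gateway), each node should report `Tcp5985Open` as False, `Tcp5986Open` as True and `WsmanHttps` as True. The listener enumeration on a node should show a single HTTPS entry.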
