I have about 1500 guests under management, most of which are windows. A few guests are not accepting connections from Ansible. Looking at their WinRM configurations they are set to listen on all IPs for the WinRM listener, their windows firewalls have exceptions for 5986, but when I do a netstat they’re not actually listening on their base IP. Some are listening to all other IPs except that base IP, other times if there’s just a loopback and a base IP they’re only showing results in netstat for the loopback. Has anyone seen anything like this?
Example:
PS C:\Users> winrm e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.11.XXX.XXX, 127.0.0.1, ::1
Networking isn’t my forte but my netstat looks like yours on hosts with multiple adapters. I believe 0.0.0.0 in this context means all IP addresses are listening on that port but could be wrong.
Thanks Jordan. That might indicate a different problem then. On my multiple IP systems I have all IPs show up on netstat with the exception of the base IP. Anyone have a clue about that?
Basically if you’ve configured IIS to only listen on specific IPs on the system, WinRM can only listen on the IPs IIS listens on because they share the same underlying http.sys. That’s a problem for me because I discover my managed list daily, dynamically from their hostnames which are tied to their base IP and multiple services leverage this. These systems need something else running on port 80 on their base IP, and IIS bound to other IPs on the box, therefore they have to be configured that way. Anyone experienced something similar and have a potential solution to propose?
If this is the case, this feels like a Windows bug to me. WinRM is intended for administration, so it should really not be tied to the configuration of IIS, which is typically there to provide application services (not administration).
As for a workaround I can only think of lifting the IIS listen configuration and using some kind of network device to protect IIS from receiving traffic it shouldn't. Networking is not my area of expertise though.
I have seen some talk of SPNs (user accounts associated with IIS hosts in AD) messing up the ability to connect to WinRM - might be worth investigating if you use SPNs.
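A check that puts the shared-http.sys explanation above, and the "lift the IIS listen configuration" workaround, side by side on one host. This is an added example, not something posted in the thread: it assumes PowerShell 3 or later on Server 2012 or later, an elevated prompt, and that "IIS only listens on specific IPs" was done the usual way, through the http.sys IP listen list (netsh http add iplisten). It prints that list, the host's IPv4 addresses, what WinRM reports under ListeningOn, and what the TCP stack is actually bound to on 5985/5986, then names any host address http.sys has been told to skip.

```powershell
# Added diagnostic (not from the thread). Compares the http.sys IP listen
# list, which IIS and WinRM both inherit, with the addresses WinRM reports
# and with the sockets actually open on the WinRM ports.
# Assumptions: PowerShell 3+, Server 2012+, elevated prompt.

$ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'

# 1. http.sys IP listen list. An empty list means "bind on every address".
$listenList = @(netsh http show iplisten |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match $ipv4 })

# 2. IPv4 addresses on the box (the "base IP" is normally the one the hostname resolves to).
$hostIPs = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress)

# 3. What the WinRM listener configuration claims (same data as "winrm e winrm/config/listener").
$winrmIPs = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    ForEach-Object { $_.ListeningOn } |
    Where-Object { $_ -match $ipv4 })

# 4. What is really bound on the WinRM ports, i.e. what netstat would show.
$bound = @(Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @(5985, 5986) } |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })

$listText = if ($listenList.Count) { $listenList -join ', ' } else { '<empty: binds all addresses>' }
"http.sys IP listen list : $listText"
"Host IPv4 addresses     : $($hostIPs -join ', ')"
"WinRM ListeningOn       : $($winrmIPs -join ', ')"
"TCP listeners 5985/5986 : $($bound -join ', ')"

# The symptom from the thread: a host address that is absent from a
# non-empty listen list. http.sys, and therefore WinRM, will never bind it.
if ($listenList.Count) {
    $skipped = @($hostIPs | Where-Object { $_ -notin $listenList })
    if ($skipped.Count) {
        "Addresses http.sys (and so WinRM) will NOT bind: $($skipped -join ', ')"
        "To include one:  netsh http add iplisten ipaddress=<addr>   (then Restart-Service WinRM)"
    } else {
        "Every host address is in the listen list; look elsewhere (firewall, listener scope)."
    }
}
```

The trade-off the thread describes shows up in the last lines: adding the base IP to the listen list fixes WinRM on that address, but it also lets any wildcard URL reservation (http://*:80/) or "All Unassigned" site binding on the box take port 80 on the base IP, which is exactly what the listen list was keeping free for the other service. The alternative suggested above, emptying the listen list and binding every IIS site to explicit addresses instead, keeps port 80 on the base IP free only as long as no wildcard reservation remains (netsh http show urlacl lists them), so run the check again after making either change.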