================================================================================
SUBNET CONFIGURATION FOR WINRM HTTPS
================================================================================

The deployment scripts have been updated to allow specific subnets for WinRM
HTTPS access, addressing cross-subnet firewall restrictions.

================================================================================
DEFAULT CONFIGURATION
================================================================================

Management Subnet: 10.48.130.0/23
Shopfloor Subnet:  10.134.48.0/24

By default, the firewall rule allows connections from: 10.48.130.0/23


================================================================================
HOW IT WORKS
================================================================================

The Deploy-PCCertificate.ps1 script now has an -AllowedSubnets parameter:

Default (built into batch file):
  -AllowedSubnets "10.48.130.0/23"

This creates a firewall rule that ONLY allows connections from your
management subnet (10.48.130.0/23).


================================================================================
CONFIGURATION OPTIONS
================================================================================

Option 1: Single Subnet (Default - Most Secure)
────────────────────────────────────────────────────────────────
Deploy-PCCertificate.bat automatically uses:
  -AllowedSubnets "10.48.130.0/23"

Only your management subnet can connect.


Option 2: Multiple Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
  -AllowedSubnets "10.48.130.0/23,10.134.48.0/24"

Allows both management and shopfloor subnets.


Option 3: Allow All Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
  -AllowedSubnets "Any"

Allows connections from any IP address (less secure).


Option 4: Manual PowerShell Deployment
────────────────────────────────────────────────────────────────
If running PowerShell directly:

  .\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23"

  .\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23,10.50.0.0/16"

  .\Deploy-PCCertificate.ps1 -AllowedSubnets "Any"
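As an added example (not the contents of the page's own Deploy-PCCertificate.ps1), this is one way the -AllowedSubnets string can be validated, applied as the "WinRM HTTPS-In" rule and then read back to confirm the scope Windows actually stored. The function names, the Domain/Private profile restriction and the read-back check are assumptions.

```powershell
# Added example: turning an -AllowedSubnets value ("10.48.130.0/23,10.134.48.0/24" or
# "Any") into the "WinRM HTTPS-In" rule. Assumed implementation, not the code inside
# Deploy-PCCertificate.ps1; the Domain,Private profile restriction is also an assumption.

function ConvertTo-RemoteAddressList {
    param([string]$AllowedSubnets)
    if ($AllowedSubnets.Trim() -eq 'Any') { return @('Any') }
    $list = @($AllowedSubnets.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($list.Count -eq 0) { throw '-AllowedSubnets is empty' }
    foreach ($entry in $list) {
        # Accept a.b.c.d or a.b.c.d/nn only; a typo must abort, never silently widen the rule
        if ($entry -notmatch '^\d{1,3}(\.\d{1,3}){3}(/([0-9]|[12][0-9]|3[0-2]))?$') {
            throw "Invalid subnet '$entry' in -AllowedSubnets"
        }
    }
    return $list
}

function Set-WinRmHttpsFirewallRule {
    param([string]$AllowedSubnets = '10.48.130.0/23', [int]$Port = 5986)
    $remote = ConvertTo-RemoteAddressList $AllowedSubnets
    $rule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow -Profile Domain,Private -RemoteAddress $remote | Out-Null
    } else {
        # Re-apply port and scope so a hand-edited rule converges on the intended state
        $rule | Set-NetFirewallRule -Protocol TCP -LocalPort $Port -RemoteAddress $remote -Enabled True
    }
    # Read back what Windows actually stored and fail loudly if any subnet is missing
    $stored = @((Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' | Get-NetFirewallAddressFilter).RemoteAddress)
    $missing = @($remote | Where-Object { $_ -notin $stored })
    if ($missing.Count -gt 0) { throw "Rule scope mismatch, missing: $($missing -join ', ')" }
    return $stored
}

# Constructed usage matching Option 2 above (management + shopfloor subnets)
Set-WinRmHttpsFirewallRule -AllowedSubnets '10.48.130.0/23,10.134.48.0/24'
```

Run it in an elevated PowerShell session on the PC; the returned list is the same RemoteAddress value the VERIFYING THE CONFIGURATION section tells you to inspect.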


================================================================================
FIXING G9KN7PZ3ESF (Already Deployed)
================================================================================

Since G9KN7PZ3ESF was deployed before this update, fix the firewall rule:

On G9KN7PZ3ESF:

  Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"

Or to allow any:

  Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any


================================================================================
VERIFYING THE CONFIGURATION
================================================================================

On the PC (after deployment):

  Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" |
      Get-NetFirewallAddressFilter |
      Select-Object RemoteAddress

Expected Output:
  RemoteAddress
  -------------
  10.48.130.0/23


From Management Computer:

  Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986

Expected:
  TcpTestSucceeded : True


================================================================================
SUBNET NOTATION (CIDR)
================================================================================

Examples:

  10.48.130.0/23
    - Network: 10.48.130.0
    - Netmask: 255.255.254.0
    - Range: 10.48.130.0 - 10.48.131.255
    - 512 IP addresses

  10.134.48.0/24
    - Network: 10.134.48.0
    - Netmask: 255.255.255.0
    - Range: 10.134.48.0 - 10.134.48.255
    - 256 IP addresses

  10.0.0.0/8
    - Entire 10.x.x.x private network
    - All Class A private addresses


================================================================================
SECURITY RECOMMENDATIONS
================================================================================

Best Practice: Use Specific Subnets
  ✓ Only allow known management subnets
  ✓ Reduces attack surface
  ✓ Prevents unauthorized access from other networks

Acceptable: Multiple Known Subnets
  ✓ Allow management subnet + shopfloor subnet
  ✓ Useful for PC-to-PC communication on shopfloor
  ✓ Still restricted to known networks

Not Recommended: "Any"
  ❌ Allows connections from anywhere
  ❌ Higher security risk
  ❌ Only use for testing or isolated networks


================================================================================
DEPLOYING TO ALL 175 PCs
================================================================================

Since Deploy-PCCertificate.bat now includes -AllowedSubnets "10.48.130.0/23":

1. Copy updated Deploy-PCCertificate.bat to network share:
   S:\dt\adata\script\deploy\Deploy-PCCertificate.bat

2. Copy updated Deploy-PCCertificate.ps1 to network share:
   S:\dt\adata\script\deploy\Deploy-PCCertificate.ps1

3. On each PC, run:
   S:\dt\adata\script\deploy\Deploy-PCCertificate.bat

The firewall rule will automatically allow your management subnet.


================================================================================
TROUBLESHOOTING
================================================================================

Problem: TcpTestSucceeded = False after deployment
Solution:
  1. Check firewall rule on PC:
     Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Get-NetFirewallAddressFilter

  2. Verify your IP is in allowed subnet:
     On your computer: ipconfig /all
     Compare with allowed subnet

  3. Update firewall rule if needed:
     Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "your-subnet/mask"


Problem: Need to add another subnet
Solution:
  On PC:
    Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress @("10.48.130.0/23", "10.50.0.0/16")

  Or update Deploy-PCCertificate.bat for future deployments


Problem: Accidentally blocked management access
Solution:
  1. Physically access the PC
  2. Run: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
  3. Or temporarily allow all: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
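As an added example (not part of the original scripts), this carries out the CIDR arithmetic shown in the SUBNET NOTATION section (network, netmask, range, address count) and reuses it for troubleshooting step 2, checking whether a local IPv4 address falls inside the subnets allowed on the rule. Function names are assumptions; the sample subnets are the ones from this document.

```powershell
# Added example: the CIDR arithmetic behind the SUBNET NOTATION section, plus the
# "is my IP inside the allowed subnet" check from troubleshooting step 2 above.
# Function names are assumptions; sample values are the subnets from this document.

function ConvertTo-IpNumber {
    param([string]$Ip)
    [long]$v = 0      # [long] so 32-bit values never go negative
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $v = $v * 256 + $b }
    return $v
}

function ConvertFrom-IpNumber {
    param([long]$Value)
    return '{0}.{1}.{2}.{3}' -f ($Value -shr 24), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-CidrInfo {
    param([string]$Cidr)                                  # "10.48.130.0/23" or a bare address
    $parts  = $Cidr.Split('/')
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $size    = [long]1 -shl (32 - $prefix)                # addresses in the block
    $mask    = 4294967295 - ($size - 1)                   # all ones with the host bits cleared
    $network = (ConvertTo-IpNumber $parts[0]) -band $mask # discard host bits of the given address
    [pscustomobject]@{
        Network   = ConvertFrom-IpNumber $network
        Netmask   = ConvertFrom-IpNumber $mask
        FirstIP   = ConvertFrom-IpNumber $network
        LastIP    = ConvertFrom-IpNumber ($network + $size - 1)
        Addresses = $size
    }
}

function Test-IpInSubnet {
    param([string]$Ip, [string[]]$AllowedSubnets)         # same list form as -RemoteAddress
    foreach ($cidr in $AllowedSubnets) {
        if ($cidr -eq 'Any') { return $true }
        $info = Get-CidrInfo $cidr
        $mask = ConvertTo-IpNumber $info.Netmask
        if (((ConvertTo-IpNumber $Ip) -band $mask) -eq (ConvertTo-IpNumber $info.Network)) { return $true }
    }
    return $false
}

# Expand this document's two subnets, then check every local IPv4 address against the default
'10.48.130.0/23', '10.134.48.0/24' | ForEach-Object { Get-CidrInfo $_ } | Format-Table
$local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
foreach ($ip in $local) { '{0} inside 10.48.130.0/23: {1}' -f $ip, (Test-IpInSubnet -Ip $ip -AllowedSubnets '10.48.130.0/23') }
```

Pass the RemoteAddress list read from the PC's rule as -AllowedSubnets to test against what is actually deployed rather than the intended default.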


================================================================================
SUMMARY
================================================================================

✓ Deploy-PCCertificate.ps1 now supports -AllowedSubnets parameter
✓ Default: 10.48.130.0/23 (your management subnet)
✓ Can specify multiple subnets: "subnet1,subnet2,subnet3"
✓ Can allow all: "Any"
✓ Built into Deploy-PCCertificate.bat for automatic deployment
✓ More secure than allowing all subnets
✓ Solves cross-subnet firewall restriction issues

================================================================================
