================================================================================
SUBNET CONFIGURATION FOR WINRM HTTPS
================================================================================

The deployment scripts have been updated to allow specific subnets for WinRM
HTTPS access, addressing cross-subnet firewall restrictions.

================================================================================
DEFAULT CONFIGURATION
================================================================================

Management Subnet:  10.48.130.0/23
Shopfloor Subnet:   10.134.48.0/24

By default, the firewall rule allows connections from: 10.48.130.0/23

================================================================================
HOW IT WORKS
================================================================================

The Deploy-PCCertificate.ps1 script now has an -AllowedSubnets parameter:

  Default (built into batch file):
    -AllowedSubnets "10.48.130.0/23"

This creates a firewall rule that ONLY allows connections from your
management subnet (10.48.130.0/23).

================================================================================
CONFIGURATION OPTIONS
================================================================================

Option 1: Single Subnet (Default - Most Secure)
────────────────────────────────────────────────────────────────
Deploy-PCCertificate.bat automatically uses:
  -AllowedSubnets "10.48.130.0/23"

Only your management subnet can connect.

Option 2: Multiple Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
  -AllowedSubnets "10.48.130.0/23,10.134.48.0/24"

Allows both management and shopfloor subnets.

Option 3: Allow All Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
  -AllowedSubnets "Any"

Allows connections from any IP address (less secure).

Option 4: Manual PowerShell Deployment
────────────────────────────────────────────────────────────────
If running PowerShell directly:
  .\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23"
  .\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23,10.50.0.0/16"
  .\Deploy-PCCertificate.ps1 -AllowedSubnets "Any"

================================================================================
FIXING G9KN7PZ3ESF (Already Deployed)
================================================================================

Since G9KN7PZ3ESF was deployed before this update, fix the firewall rule:

On G9KN7PZ3ESF:
  Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"

Or to allow any:
  Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any

================================================================================
VERIFYING THE CONFIGURATION
================================================================================

On the PC (after deployment):
  Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

Expected Output:
  RemoteAddress
  -------------
  10.48.130.0/23

From Management Computer:
  Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986

Expected:
  TcpTestSucceeded : True

================================================================================
SUBNET NOTATION (CIDR)
================================================================================

Examples:

10.48.130.0/23
  - Network: 10.48.130.0
  - Netmask: 255.255.254.0
  - Range:   10.48.130.0 - 10.48.131.255
  - 512 IP addresses

10.134.48.0/24
  - Network: 10.134.48.0
  - Netmask: 255.255.255.0
  - Range:   10.134.48.0 - 10.134.48.255
  - 256 IP addresses

10.0.0.0/8
  - Entire 10.x.x.x private network
  - All Class A private addresses

================================================================================
SECURITY RECOMMENDATIONS
================================================================================

Best Practice: Use Specific Subnets
  ✓ Only allow known management subnets
  ✓ Reduces attack surface
  ✓ Prevents unauthorized access from other networks

Acceptable: Multiple Known Subnets
  ✓ Allow management subnet + shopfloor subnet
  ✓ Useful for PC-to-PC communication on shopfloor
  ✓ Still restricted to known networks

Not Recommended: "Any"
  ❌ Allows connections from anywhere
  ❌ Higher security risk
  ❌ Only use for testing or isolated networks

================================================================================
DEPLOYING TO ALL 175 PCs
================================================================================

Since Deploy-PCCertificate.bat now includes -AllowedSubnets "10.48.130.0/23":

1. Copy updated Deploy-PCCertificate.bat to network share:
     S:\dt\adata\script\deploy\Deploy-PCCertificate.bat

2. Copy updated Deploy-PCCertificate.ps1 to network share:
     S:\dt\adata\script\deploy\Deploy-PCCertificate.ps1

3. On each PC, run:
     S:\dt\adata\script\deploy\Deploy-PCCertificate.bat

The firewall rule will automatically allow your management subnet.

================================================================================
TROUBLESHOOTING
================================================================================

Problem: TcpTestSucceeded = False after deployment
Solution:
  1. Check firewall rule on PC:
       Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Get-NetFirewallAddressFilter
  2. Verify your IP is in allowed subnet:
       On your computer: ipconfig /all
       Compare with allowed subnet
  3. Update firewall rule if needed:
       Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "your-subnet/mask"

Problem: Need to add another subnet
Solution:
  On PC:
    Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress @("10.48.130.0/23", "10.50.0.0/16")
  Or update Deploy-PCCertificate.bat for future deployments

Problem: Accidentally blocked management access
Solution:
  1. Physically access the PC
  2. Run:
       Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
  3. Or temporarily allow all:
       Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any

================================================================================
SUMMARY
================================================================================

✓ Deploy-PCCertificate.ps1 now supports -AllowedSubnets parameter
✓ Default: 10.48.130.0/23 (your management subnet)
✓ Can specify multiple subnets: "subnet1,subnet2,subnet3"
✓ Can allow all: "Any"
✓ Built into Deploy-PCCertificate.bat for automatic deployment
✓ More secure than allowing all subnets
✓ Solves cross-subnet firewall restriction issues

================================================================================
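As an added example (not the project's own Deploy-PCCertificate.ps1), the PowerShell below shows how the -AllowedSubnets value described under HOW IT WORKS and the CIDR arithmetic from SUBNET NOTATION fit together: each CIDR is validated and normalised to its network address, "Any" is passed through, and the resulting list is applied to the "WinRM HTTPS-In" rule and read back the way VERIFYING THE CONFIGURATION does. The function names are assumptions, and Set-WinRmHttpsRemoteAddress assumes the rule already exists (created by the deployment script).

```powershell
# Added example, not the project's deployment script; function names are assumed.
function ConvertTo-DottedQuad([int64]$Value) {
    $b = [BitConverter]::GetBytes([uint32]$Value); [Array]::Reverse($b); return ($b -join '.')
}

function ConvertTo-SubnetInfo {
    # Validate an IPv4 CIDR (e.g. 10.48.130.0/23) and compute what the SUBNET
    # NOTATION section lists: network, netmask, last address, address count.
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { throw "Not an IPv4 CIDR: '$Cidr'" }
    $prefix = [int]$Matches[3]
    if ($prefix -gt 32) { throw "Prefix length out of range in '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($Matches[1]).GetAddressBytes()   # rejects octets > 255
    [Array]::Reverse($bytes)
    $ip   = [int64][BitConverter]::ToUInt32($bytes, 0)
    $all  = [int64][uint32]::MaxValue
    $mask = ($all -shl (32 - $prefix)) -band $all
    $net  = $ip -band $mask
    [pscustomobject]@{
        PrefixLength = $prefix
        Network      = ConvertTo-DottedQuad $net          # host bits cleared
        Netmask      = ConvertTo-DottedQuad $mask
        LastAddress  = ConvertTo-DottedQuad ($net -bor ((-bnot $mask) -band $all))
        AddressCount = [int64][math]::Pow(2, 32 - $prefix)
    }
}

function ConvertTo-RemoteAddressList {
    # Turn the -AllowedSubnets string ("Any" or "cidr1,cidr2,...") into the array
    # -RemoteAddress accepts; malformed entries fail loudly instead of widening the rule.
    param([Parameter(Mandatory)][string]$AllowedSubnets)
    if ($AllowedSubnets.Trim() -ieq 'Any') { return @('Any') }
    $list = foreach ($entry in ($AllowedSubnets -split ',')) {
        $entry = $entry.Trim()
        if ($entry) {
            $info = ConvertTo-SubnetInfo -Cidr $entry
            "$($info.Network)/$($info.PrefixLength)"    # normalised form
        }
    }
    if (-not $list) { throw "-AllowedSubnets contained no subnets" }
    return @($list)
}

function Set-WinRmHttpsRemoteAddress {
    # Apply the list to the existing rule, then read back the stored filter.
    param([string]$AllowedSubnets = '10.48.130.0/23', [string]$DisplayName = 'WinRM HTTPS-In')
    $remote = ConvertTo-RemoteAddressList -AllowedSubnets $AllowedSubnets
    Set-NetFirewallRule -DisplayName $DisplayName -RemoteAddress $remote
    Get-NetFirewallRule -DisplayName $DisplayName | Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}
```

ConvertTo-SubnetInfo '10.48.130.0/23' reproduces the document's figures (netmask 255.255.254.0, last address 10.48.131.255, 512 addresses), and a typo such as "10.48.130.0/2" is caught before it turns into a rule that admits a quarter of the IPv4 space.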