powershell-scripts/winrm-https/winrm-ca-scripts/SUBNET-CONFIGURATION.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00

================================================================================
SUBNET CONFIGURATION FOR WINRM HTTPS
================================================================================
The deployment scripts have been updated to allow specific subnets for WinRM
HTTPS access, addressing cross-subnet firewall restrictions.
================================================================================
DEFAULT CONFIGURATION
================================================================================
Management Subnet: 10.48.130.0/23
Shopfloor Subnet: 10.134.48.0/24
By default, the firewall rule allows connections from: 10.48.130.0/23
================================================================================
HOW IT WORKS
================================================================================
The Deploy-PCCertificate.ps1 script now has an -AllowedSubnets parameter:
Default (built into batch file):
-AllowedSubnets "10.48.130.0/23"
This creates a firewall rule that ONLY allows connections from your
management subnet (10.48.130.0/23).
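As an added illustration of what such a parameter has to do on the PC (this is example code written for this document, not the repository's Deploy-PCCertificate.ps1; the function name Set-WinRmHttpsFirewallScope is an assumption, while the rule name "WinRM HTTPS-In" and port 5986 are the ones used elsewhere in this document), the function below parses the comma-separated list, validates each entry as IPv4 CIDR or the keyword Any, and creates or rescopes the inbound rule so it can be re-run safely:

```powershell
# Added example (not from the repository): turn an -AllowedSubnets string into a
# scoped "WinRM HTTPS-In" rule. Function name is an assumption for this document.
function Set-WinRmHttpsFirewallScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AllowedSubnets,   # "10.48.130.0/23,10.134.48.0/24" or "Any"
        [string]$RuleName = 'WinRM HTTPS-In',
        [int]$Port = 5986
    )

    # Accept a comma-separated list; trim whitespace and drop empty entries.
    $entries = @($AllowedSubnets -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -eq 0) { throw "AllowedSubnets is empty." }

    if ($entries -contains 'Any') {
        if ($entries.Count -gt 1) { throw "'Any' cannot be combined with specific subnets." }
        Write-Warning "Rule '$RuleName' will accept TCP/$Port from ANY remote address."
        $remote = 'Any'
    } else {
        foreach ($e in $entries) {
            # Validate a.b.c.d/nn: dotted quad must parse as IPv4, prefix must be 0..32.
            if ($e -notmatch '^(?<ip>\d{1,3}(\.\d{1,3}){3})/(?<len>\d{1,2})$') {
                throw "Not CIDR notation: '$e' (expected e.g. 10.48.130.0/23)"
            }
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($Matches.ip, [ref]$ip) -or
                $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
                throw "Invalid IPv4 address in '$e'"
            }
            if ([int]$Matches.len -gt 32) { throw "Invalid prefix length in '$e'" }
        }
        $remote = [string[]]$entries
    }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # -RemoteAddress REPLACES the existing address list; it does not append to it.
        if ($PSCmdlet.ShouldProcess($RuleName, "set RemoteAddress to $($remote -join ',')")) {
            Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $remote -Enabled True
        }
    } else {
        # Profile is left at the cmdlet default (all profiles); narrow it if your PCs are domain-joined.
        if ($PSCmdlet.ShouldProcess($RuleName, "create inbound TCP/$Port rule")) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort $Port -Action Allow -RemoteAddress $remote | Out-Null
        }
    }

    # Return the effective scope so the caller (or a log) can confirm what was applied.
    Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}

# Usage, mirroring the batch-file default:
# Set-WinRmHttpsFirewallScope -AllowedSubnets "10.48.130.0/23"
```

Because Set-NetFirewallRule -RemoteAddress overwrites the address list, re-running the function with a shorter list removes subnets that were previously allowed; the -WhatIf support lets you preview that before it happens.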
================================================================================
CONFIGURATION OPTIONS
================================================================================
Option 1: Single Subnet (Default - Most Secure)
────────────────────────────────────────────────────────────────
Deploy-PCCertificate.bat automatically uses:
-AllowedSubnets "10.48.130.0/23"
Only your management subnet can connect.
Option 2: Multiple Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
-AllowedSubnets "10.48.130.0/23,10.134.48.0/24"
Allows both management and shopfloor subnets.
Option 3: Allow All Subnets
────────────────────────────────────────────────────────────────
Edit Deploy-PCCertificate.bat, line 80:
-AllowedSubnets "Any"
Allows connections from any IP address (less secure).
Option 4: Manual PowerShell Deployment
────────────────────────────────────────────────────────────────
If running PowerShell directly:
.\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23"
.\Deploy-PCCertificate.ps1 -AllowedSubnets "10.48.130.0/23,10.50.0.0/16"
.\Deploy-PCCertificate.ps1 -AllowedSubnets "Any"
================================================================================
FIXING G9KN7PZ3ESF (Already Deployed)
================================================================================
Since G9KN7PZ3ESF was deployed before this update, fix the firewall rule:
On G9KN7PZ3ESF:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
Or, for testing only (see SECURITY RECOMMENDATIONS), to allow any remote address:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
================================================================================
VERIFYING THE CONFIGURATION
================================================================================
On the PC (after deployment):
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" |
Get-NetFirewallAddressFilter |
Select-Object RemoteAddress
Expected Output:
RemoteAddress
-------------
10.48.130.0/23
From Management Computer:
Test-NetConnection g9kn7pz3esf.logon.ds.ge.com -Port 5986
Expected:
TcpTestSucceeded : True
================================================================================
SUBNET NOTATION (CIDR)
================================================================================
Examples:
10.48.130.0/23
- Network: 10.48.130.0
- Netmask: 255.255.254.0
- Range: 10.48.130.0 - 10.48.131.255
- 512 IP addresses
10.134.48.0/24
- Network: 10.134.48.0
- Netmask: 255.255.255.0
- Range: 10.134.48.0 - 10.134.48.255
- 256 IP addresses
10.0.0.0/8
- Network: 10.0.0.0
- Netmask: 255.0.0.0
- Range: 10.0.0.0 - 10.255.255.255
- 16,777,216 IP addresses
- The entire 10.x.x.x RFC 1918 private range; far broader than any single
  site subnet, so it should not be used as an -AllowedSubnets value
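The arithmetic behind the table above is worth having as a command, so that every entry of a planned -AllowedSubnets value can be checked for its real range before it is written into a firewall rule. The following is an added example for this document, not code from the repository; the function names are assumptions. It computes the netmask, first and last address, and address count for any IPv4 CIDR, and flags entries whose host bits are not zero (for example 10.48.130.5/23), which should be rewritten as the network address so the intended scope is unambiguous:

```powershell
# Added example (not from the repository): compute what a CIDR entry actually admits
# before putting it in -AllowedSubnets. Function names are assumptions for this document.

function ConvertTo-AddressInt {
    # IPv4 dotted quad -> 64-bit integer, so the bit math below never overflows or goes negative.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: '$Address'"
    }
    $b = $ip.GetAddressBytes()
    return ([int64]($b[0]) -shl 24) -bor ([int64]($b[1]) -shl 16) -bor ([int64]($b[2]) -shl 8) -bor [int64]($b[3])
}

function ConvertFrom-AddressInt {
    # 64-bit integer (low 32 bits used) -> dotted quad.
    param([Parameter(Mandatory)][int64]$Value)
    $octets = @(($Value -shr 24), ($Value -shr 16), ($Value -shr 8), $Value) | ForEach-Object { $_ -band 255 }
    return ($octets -join '.')
}

function Get-CidrInfo {
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^(?<ip>[^/\s]+)/(?<len>\d{1,2})$') { throw "Expected a.b.c.d/nn, got '$Cidr'" }
    $len = [int]$Matches.len
    if ($len -gt 32) { throw "Prefix length must be 0..32 in '$Cidr'" }
    $addr = ConvertTo-AddressInt $Matches.ip

    # Netmask = the top $len bits set; a /23 gives 0xFFFFFE00 = 255.255.254.0.
    $mask    = ([int64]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF
    $network = $addr -band $mask
    $last    = $network -bor (0xFFFFFFFF -bxor $mask)

    [pscustomobject]@{
        Cidr        = $Cidr
        Network     = ConvertFrom-AddressInt $network
        Netmask     = ConvertFrom-AddressInt $mask
        Range       = ('{0} - {1}' -f (ConvertFrom-AddressInt $network), (ConvertFrom-AddressInt $last))
        Addresses   = ([int64]1 -shl (32 - $len))
        # True when host bits are set (e.g. 10.48.130.5/23): use the Network value in the rule instead.
        HostBitsSet = ($addr -ne $network)
    }
}

# Review every entry of a planned -AllowedSubnets value in one table:
"10.48.130.0/23,10.134.48.0/24,10.0.0.0/8" -split ',' | ForEach-Object { Get-CidrInfo $_ } | Format-Table -AutoSize
```

The Addresses column makes the difference between a site subnet and a /8 obvious at a glance, which is the point of the SECURITY RECOMMENDATIONS section that follows.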
================================================================================
SECURITY RECOMMENDATIONS
================================================================================
Best Practice: Use Specific Subnets
✓ Only allow known management subnets
✓ Reduces attack surface
✓ Prevents unauthorized access from other networks
Acceptable: Multiple Known Subnets
✓ Allow management subnet + shopfloor subnet
✓ Useful for PC-to-PC communication on shopfloor
✓ Still restricted to known networks
Not Recommended: "Any"
❌ Allows connections from anywhere
❌ Higher security risk
❌ Only use for testing or isolated networks
================================================================================
DEPLOYING TO ALL 175 PCs
================================================================================
Since Deploy-PCCertificate.bat now includes -AllowedSubnets "10.48.130.0/23":
1. Copy updated Deploy-PCCertificate.bat to network share:
S:\dt\adata\script\deploy\Deploy-PCCertificate.bat
2. Copy updated Deploy-PCCertificate.ps1 to network share:
S:\dt\adata\script\deploy\Deploy-PCCertificate.ps1
3. On each PC, run:
S:\dt\adata\script\deploy\Deploy-PCCertificate.bat
The firewall rule will automatically allow your management subnet.
================================================================================
TROUBLESHOOTING
================================================================================
Problem: TcpTestSucceeded = False after deployment
Solution:
1. Check firewall rule on PC:
Get-NetFirewallRule -DisplayName "WinRM HTTPS-In" | Get-NetFirewallAddressFilter
2. Verify your IP is in allowed subnet:
On your computer: ipconfig /all
Compare with allowed subnet
3. Update firewall rule if needed:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "your-subnet/mask"
Problem: Need to add another subnet
Solution:
On PC:
Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress @("10.48.130.0/23", "10.50.0.0/16")
Note: -RemoteAddress replaces the rule's address list rather than appending to it,
so include every subnet that should remain allowed, not only the new one.
Or update Deploy-PCCertificate.bat for future deployments
Problem: Accidentally blocked management access
Solution:
1. Physically access the PC
2. Run: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress "10.48.130.0/23"
3. Or temporarily allow all: Set-NetFirewallRule -DisplayName "WinRM HTTPS-In" -RemoteAddress Any
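The checks in VERIFYING THE CONFIGURATION and in the troubleshooting steps above can be gathered into a single command run on the PC itself. The function below is an added example for this document, not code from the repository; its name is an assumption, while the rule name and port are the ones this document uses. It reports whether the rule exists and is enabled, what remote addresses it admits, whether an HTTPS listener is configured and port 5986 is actually listening, and, when given the management computer's IP, whether that address falls inside the rule's scope (the usual cause of TcpTestSucceeded = False after deployment):

```powershell
# Added example (not from the repository): one command to run on the PC when WinRM HTTPS
# is unreachable. Function name is an assumption; rule name and port are those in this document.
function Test-WinRmHttpsExposure {
    param(
        [string]$RuleName = 'WinRM HTTPS-In',
        [int]$Port = 5986,
        [string]$SourceAddress          # IPv4 of the management computer that cannot connect
    )

    $rule   = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $remote = @()
    if ($rule) { $remote = @($rule | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress) }
    $enabled = if ($rule) { "$($rule.Enabled)" -eq 'True' } else { $false }

    # The HTTPS listener exists independently of the firewall rule; the WSMan: drive lists
    # listeners with a Keys property such as 'Transport=HTTPS'.
    $https = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
             Where-Object { $_.Keys -contains 'Transport=HTTPS' }

    # Is the source address inside any allowed entry? Scoped rules come back as CIDR
    # (10.48.130.0/23) or a bare address; other forms (ranges, LocalSubnet) are left as "not proven".
    $inScope = $null
    if ($SourceAddress) {
        $inScope = $false
        $toInt = { param($s) $b = [System.Net.IPAddress]::Parse($s).GetAddressBytes()
                   ([int64]($b[0]) -shl 24) -bor ([int64]($b[1]) -shl 16) -bor ([int64]($b[2]) -shl 8) -bor [int64]($b[3]) }
        foreach ($r in $remote) {
            if ($r -eq 'Any') { $inScope = $true; break }
            if ($r -match '^(?<ip>\d{1,3}(\.\d{1,3}){3})(/(?<len>\d{1,2}))?$') {
                $len  = if ($Matches.len) { [int]$Matches.len } else { 32 }
                $mask = ([int64]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF
                if (((& $toInt $Matches.ip) -band $mask) -eq ((& $toInt $SourceAddress) -band $mask)) {
                    $inScope = $true; break
                }
            }
        }
    }

    [pscustomobject]@{
        RuleFound     = [bool]$rule
        RuleEnabled   = $enabled
        RemoteAddress = ($remote -join ',')
        AllowsAny     = ($remote -contains 'Any')
        HttpsListener = [bool]$https
        PortListening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
        SourceInScope = $inScope                 # $null when -SourceAddress was not given
    }
}

# Run locally on the PC (or at its console when management access is already blocked):
# Test-WinRmHttpsExposure -SourceAddress 10.48.130.25
```

Reading the output: RuleFound/RuleEnabled false means the deployment did not create the rule; SourceInScope false with PortListening true is the cross-subnet case this document addresses, fixed with the Set-NetFirewallRule commands above; HttpsListener or PortListening false points at the certificate or listener setup rather than the firewall.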
================================================================================
SUMMARY
================================================================================
✓ Deploy-PCCertificate.ps1 now supports -AllowedSubnets parameter
✓ Default: 10.48.130.0/23 (your management subnet)
✓ Can specify multiple subnets: "subnet1,subnet2,subnet3"
✓ Can allow all: "Any"
✓ Built into Deploy-PCCertificate.bat for automatic deployment
✓ More secure than allowing all subnets
✓ Solves cross-subnet firewall restriction issues
================================================================================