I can use Set-WebBinding to change the port of a given binding, but can I use it to change from http on port 80 to https on port 443 or vice versa?
I tried with this command but it fails because it doesn't recognize -PropertyName Protocol:
Set-WebBinding -Name 'Default Web Site' -BindingInformation '127.0.0.1:80:localhost' -PropertyName Port -Value 443 -PropertyName Protocol -Value 'https'
Or should I use Remove-WebBinding and then New-WebBinding to make such a change?
I think you will need to remove the existing binding with Remove-WebBinding and re-create it with New-WebBinding, which allows you to supply protocol, port, etc
Related
I use testing firewall using ps cmds; after they run successfully; but when I open browser, I am still open to visit websites; do I miss anything and how to debug this? or is it because other exiting firewall rules overwrite mine?
New-NetFirewallRule -DisplayName "Block Inbound Port 80, 443" -Direction Inbound -LocalPort 80,443 -Protocol TCP -Action Block -Profile Domain, Private, Public -Enabled :True
New-NetFirewallRule -DisplayName "Block Outbound Port 80, 443" -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block -Profile Domain, Private, Public -Enabled :True
You want to specify -RemotePort instead of -LocalPort for outbound traffic. Some other notes:
There's no reason to explicitly block inbound 80/443 traffic - the windows firewall doesn't block traffic from established sessions
Block rules apply before other rules with few exceptions. Your rule as it is in your question should work fine after fixing the port direction, but double-check that it did actually get created, and that it's enabled:
Get-NetFirewallRule -DisplayName 'Block Outbound Port 80, 443'
Best practice is to set the firewall to block all outbound connections by enabling the setting "Outbound connections that do not match a rule are blocked". Then create only exception/allow rules.
Ports 5985 and 5986 is blocked in our environment and I need an alternate
solution to execute Invoke and Enter-PSSession commands using different
ports(Like 3389).
Output of winrm get winrm/config/client:
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Error:
get-wsmaninstance : The WinRM client received an unknown HTTP status code
from the remote WS-Management service.
At line:1 char:1
+ get-wsmaninstance -enumerate wmicimv2/win32_service -computername
sadcm0000078:8 ...
Felt this was a sufficient answer in hindsight:
There is a -Port parameter on the -PSSession cmdlets. You can specify whichever port you want, but you need to configure the endpoint to change which port it's listening on.
PS C:\> Get-Help New-PSSession -Parameter Port
-Port <Int32>
Specifies the network port on the remote computer that is used for this connection. To connect to a remote
computer, the remote computer must be listening on the port that the connection uses. The default ports are 5985,
which is the WinRM port for HTTP, and 5986, which is the WinRM port for HTTPS.
Before using another port, you must configure the WinRM listener on the remote computer to listen at that port.
Use the following commands to configure the listener:
1. `winrm delete winrm/config/listener?Address=*+Transport=HTTP`
2. `winrm create winrm/config/listener?Address=*+Transport=HTTP #{Port="<port-number>"}`
Do not use the Port parameter unless you must. The port setting in the command applies to all computers or
sessions on which the command runs. An alternate port setting might prevent the command from running on all
computers.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
The idea is to automate linking an SSL certificate to a website in IIS 7 or above.
All the websites in a server use same IP address and same default port. So they are all differentiated by their host header names.
I could achieve this manually without any issue. But while automating there is issue.
When done manually, the ssl configuation entries in http.sys are recorded as HostNameport TestName:443, not as ipport xx.yy.z.a:443.
So I wanted to mimic the same manual steps for automation to work. But it is not helping.
I tried below steps.
Create a new ssl configuration in http.sys for hostname port combination with below command.
netsh --% http add sslcert hostnameport=Testssl:443 certhash=d70930bb790f89c04c728d9285b64f5fb0258fc7 appid={01010101-0101-0101-0101-010101010101} certstorename=MY
Create a new web binding for the website using hostheader name.
New-ItemProperty IIS:\sites\TestSite -name bindings -value #{protocol="https";bindingInformation="192.168.1.108:443:Testssl"}
or
New-WebBinding -Name TestSite -Protocol https -Port 443 -HostHeader Testssl -IPAddress 192.168.1.108
With the above two steps the new binding is present, but the SSL certificate is not attached to the binding.
Is it not possible to set SSL certificate for a binding with a corresponding hostname port entry in http.sys ssl configuration?
With the help of comment from Lex Li, the below command WORKS.
New-WebBinding -Name TestSite -Protocol https -Port 443 -HostHeader Testssl -IPAddress 192.168.1.108 -SslFlags 1
I found this excellent blog post which shows the steps to set up a NAT Virtual Switch, which I followed.
https://4sysops.com/archives/native-nat-in-windows-10-hyper-v-using-a-nat-virtual-switch/
First, the cmdlet New-NetNat does not even take an external IP as a parameter. How does NetNat know which external IP to use if there is more than one (which is my case)?
Say my host machine has an external IP "192.168.1.112" and the guest machine behind the NAT has an internal IP "10.0.75.2". I am trying to set up a port forwarding. The obvious syntax to try is:
Add-NetNatStaticMapping -NatName "NAT" -ExternalIpAddress "192.168.1.112" -ExternalPort 4000 -InternalIPAddress "10.0.75.2" -InternalPort 3389 -Protocol TCP
and I am getting the following error:
Add-NetNatStaticMapping : The external IP address 192.168.1.112 and
port number 4000 for the static mapping does not match an existing
ExternalAddress' IP address or port range. Use
Add-NetNatExternalAddress to add an ExternalAddress.
I don't understand what it means, but I follow the suggestion and type:
Add-NetNatExternalAddress -NatName "NAT" -IPAddress "192.168.1.112" -PortStart 4000 -PortEnd 4000
and I get the following error:
Add-NetNatExternalAddress : Element not found.
At this stage I have reached the limits of my competence. I can't find any relevant documentation on this NAT feature, apart from PowerShell's unhelpful tautology ("Add-NetNatExternalAddress: Adds an external address to a NAT instance.").
What does adding an External Address to a NetNat do? What happens if I don't specify the ports? Will it have any impact on the ability of the host to connect? What is the correct syntax to add an External Address in a way that will allow me to set up a Static Mapping?
The link above is to my blog, Cloudpuzzles. The scenario there is when using NVGRE and NAT gateways, and not the new NAT virtual switch. I don't currently have a write up about it, but Thomas here did a bit on it: http://www.thomasmaurer.ch/2015/11/hyper-v-virtual-switch-using-nat-configuration/
Basically, before adding addresses etc, you have to add a new NetNat (which is the NatName you're referring to in Add-NetNatExternalAddress).
PortStart and PortEnd, when it comes to NVGRE at least, is used as a boundary for which ports tenants can use.
I had the same problem and though I am not sure why the Add-NetNatExternalAddress command is failing I was able to get the NetNatStaticMapping to work by doing the below steps:
Run the following command:
Get-NetNatExternalAddress
From the list of External Addresses you get, choose any External IP and External port and use it as the parameter for the Add-NetNatStaticMapping command.
try something like:
Add-NetNatStaticMapping -NatName "NAT" -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 10.0.75.2 -InternalPort 3389 -ExternalPort 4000
This will work for sure... and I recommend you to reconsider your IP scopes...because the IP 192.168.1.11 should be in a private network, and vice versa.
First you need to create a Virtual Switch with NAT:
New-VMSwitch -Name "HTTPS-NAT" -SwitchType NAT -NATSubnetAddress 192.168.100.0/24
Then you need to connect the necessary VM to the specified vswitch and enable the address translation rule for all virtual machines connected through this Hyper-V virtual switch:
New-NetNat -Name HTTPS-NAT -InternalIPInterfaceAddressPrefix 192.168.100.0/24
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress "192.168.100.77" -InternalPort 443 -NatName HTTPS-NAT
After executing these PowerShell commands, all HTTPS traffic that comes to port 443 of the Hyper-V host will be forwarded to the private IP address of the virtual machine.
This is what I am trying to do:
Open a browser and start to browse any https website like Gmail or Google.com
I can see through Wireshark that the name resolution is being done by the DNS server.
But after that, the connection is directly established to port 443 (starting from TCP handshake)
One thing I am not able to understand is, how does the browser knows that it needs to connect to port 443, I tried exploring the DNS packet, but it contains only the destination address, and there is no info which tells that it needs to connect to port 443.
Even if say, the browser has a priority in querying for the first time, it sees that if the port 443 is open then connect to it or connect to port 80, but I am not able to see any such behavior if I connect to a normal HTTP website, in the sense that, if I go to a normal HTTP website, there is no traffic flow from the browser indicating that it had searched first the port 443 and then went to port 80.
I am sure that I am missing something here, but not sure what it is.
The presence of https: in the URL tells it that.
The browser (client) uses the HTTP or HTTPS in the address to determine which port to use...
However the server can be configured to require HTTPS, and to switch/redirect an HTTP port 80 connection to HTTPS port 443 with encryption & certificate. So if the browser connects to a server via HTTP port 80, the server can then immediately switch/redirect the connection to HTTPS port 443. The server may even be configured the other way around to switch/redirect a connection from HTTPS port 443 to HTTP port 80.
I think this is sort of like asking why does a FTP client use the FTP port
Unless you specify a port with "http://...:port" the browser uses 80 for http and 443 for https as thats what the protocol defines but....
A server may respond with a "Strict-Transport-Security: max-age=..." and the browser is then required to retry on https and remember this
In addition Chrome , see HSTS, ships with a large preseeded HSTS list
so even if you type http for a site in the HSTS list - the browser will look at its HSTS configuration see that the site is specified and instead change to HTTPS on port 443 without trying http on port 80 first