Exchange 2010 Remote PowerShell

It has been a while since I have posted so here goes for the first post of 2010.

PowerShell v2 has brought with it the ability to connect from remote machines as PowerShell is made available via an IIS published URL. This allows support engineers to connect to PowerShell over the internet and administer servers without having to open a VPN to the enterprise network.

I have been looking for a while at how to achieve this from a non-domain-joined workstation so that I could administer client systems. Information on the internet never seemed to give the complete picture, so I have documented it here. This example connects to Exchange Server 2010.

Step 1. Enable Remote PowerShell

Remote PowerShell first needs to be enabled on the internet-facing Exchange 2010 CAS servers. This can be achieved by using the PowerShell command Enable-PSRemoting.


The command describes what it is going to do and then prompts for confirmation on a couple of actions including a restart of the WinRM service.

Step 2. Enable Remote PowerShell for users

Remote PowerShell is enabled by default on user objects. You can confirm that it is enabled by running the command: get-user -id <userID> | select displayname,remotepowershellenabled | fl


The command set-user -id <userID> -remotepowershellenabled:$true will enable remote PowerShell for a user.

Step 3. Enable Authentication on the IIS Web Site

We normally publish the Exchange CAS servers through Microsoft ISA Server 2006. By default the PowerShell virtual directory is enabled for Anonymous authentication only. Open IIS Manager on the Exchange 2010 CAS server, open the Authentication settings of the PowerShell virtual directory and enable Basic Authentication.

Step 4. Publish the PowerShell Virtual Directory on ISA Server

As previously mentioned, Exchange CAS servers are normally deployed behind a Microsoft ISA Server. Adding the PowerShell virtual directory to the publishing rules for Outlook Web App will expose the location to the internet. We normally have two ISA policies publishing OWA, one for Negotiated Authentication and one for Basic Authentication. The PowerShell virtual directory will need to be published via the Basic Authentication publishing rule.

That completes the configuration required to expose PowerShell to the internet. All that remains is establishing the connection to Exchange Server over the internet from PowerShell v2 installed on my workstation.
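Because remote PowerShell is enabled by default on user objects (Step 2) and the virtual directory now accepts Basic authentication from the internet, it is worth checking which accounts can actually use it. The following is an added example, not part of the original post; the allow-list names are constructed placeholders and the script is meant to be run in the Exchange Management Shell.

```powershell
# Added example: audit which accounts have remote PowerShell enabled.
# $allowed is a constructed allow-list; replace it with your own admin accounts.
$allowed = @('admin.one', 'admin.two')

# Filter client-side so the check does not depend on server-side filter support.
$enabled = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled })

# Report every account that can open a remote PowerShell session.
$enabled | Sort-Object DisplayName |
    Format-Table DisplayName, SamAccountName, RecipientTypeDetails -AutoSize

# Accounts that are enabled but not on the allow-list.
$extra = @($enabled | Where-Object { $allowed -notcontains $_.SamAccountName })
"{0} accounts enabled, {1} not on the allow-list" -f $enabled.Count, $extra.Count

# -WhatIf only prints what would change. Review the output, then remove -WhatIf.
# Accounts that open the Exchange Management Shell need this setting left enabled.
foreach ($u in $extra) {
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf
}
```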

 

 

Step 5 – Set Session Options

If you are testing Remote PowerShell to a Proof of Concept or a live system that is still utilizing self-signed certificates you may need to establish some session options for the connection.

Open a PowerShell v2 Window on your client machine and enter the following (don’t close the PowerShell Window between the steps below)

$so = new-pssessionoption -skiprevocationcheck -skipcncheck -skipcacheck


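These options tell the client to skip the certificate revocation check, the check that the certificate name matches the host name in the connection URI, and the check that the certificate was issued by a trusted certificate authority, which are the checks a self-signed certificate commonly fails. With them skipped the client does not verify the identity of the server that receives the Basic authentication credentials, so drop them once the server has a certificate from a trusted CA.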

Step 6 – Enter Credentials

To connect, you need to supply credentials to log in to the remote system. This can be achieved by entering the command: $Cred = Get-Credential

In the dialog, enter the credentials of a user who has remote PowerShell rights and also rights to administer Exchange set through the Role Based Access Control (RBAC).

Step 7 – Create a Remote PowerShell Session

Next we use the Session Options and the Credentials entered in the previous steps to establish the session with one of the CAS servers published through the ISA Server.

Enter the command: $PSSession = new-pssession -configurationname Microsoft.Exchange -connectionuri "https://<External FQDN>/PowerShell" -credential $Cred -authentication Basic -SessionOption $so

Where <External FQDN> is the internet address of your Exchange servers.


Step 8 – Import the Remote PowerShell Session

The final step in the connection process is to import the session. This downloads the commands that you are allowed to use from the Exchange Servers. Only the commands that you are allowed to use based on your RBAC privileges are downloaded and made available.

To import the PowerShell session, type the command: import-pssession $PSSession


A cyan progress bar will appear at the top of the screen while the commands are downloaded.

Step 9 – Use Remote PowerShell

Once the command download is complete you can use Exchange PowerShell commands to administer the servers over the internet.


Step 10 – Close the Remote PowerShell session

When you have completed your tasks at hand, the PowerShell session should ideally be closed gracefully using the command: remove-pssession $PSSession
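Steps 5 to 10 combined into one function, as an added example that is not part of the original post. It keeps certificate validation on unless a lab switch is passed and always removes the session, even when a command fails. The function name Invoke-ExchangeRemote, the -LabSelfSignedCert switch and mail.example.com are hypothetical names chosen for this example.

```powershell
# Added example: Steps 5-10 as one function with guaranteed cleanup.
function Invoke-ExchangeRemote {
    param(
        [Parameter(Mandatory = $true)][string]$ExternalFqdn,       # external FQDN of the published CAS
        [Parameter(Mandatory = $true)][scriptblock]$ScriptBlock,   # Exchange commands to run
        [switch]$LabSelfSignedCert                                  # hypothetical switch: self-signed lab only
    )

    $uri = "https://$ExternalFqdn/PowerShell"

    # Step 5: default options keep the revocation, CN and CA checks enabled.
    if ($LabSelfSignedCert) {
        $so = New-PSSessionOption -SkipRevocationCheck -SkipCNCheck -SkipCACheck
        Write-Warning "Certificate checks are disabled for $uri"
    } else {
        $so = New-PSSessionOption
    }

    # Step 6: prompt for an account with remote PowerShell and RBAC rights.
    $cred = Get-Credential

    $session = $null
    $module = $null
    try {
        # Step 7: Basic authentication over HTTPS to the published virtual directory.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
            -Credential $cred -Authentication Basic -SessionOption $so -ErrorAction Stop
        # Step 8: import only the commands the RBAC role allows.
        $module = Import-PSSession $session -ErrorAction Stop
        # Step 9: run the caller's Exchange commands.
        & $ScriptBlock
    }
    finally {
        # Step 10: runs on success and on failure, so no session is left open.
        if ($module)  { Remove-Module -ModuleInfo $module }
        if ($session) { Remove-PSSession $session }
    }
}

# Usage (mail.example.com is a placeholder):
# Invoke-ExchangeRemote -ExternalFqdn 'mail.example.com' -ScriptBlock { Get-Mailbox -ResultSize 5 }
```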


That’s it for this article. See you next time.
