
I'm trying to use a Windows 7 client to remotely control a Windows Server 2012 EC2 instance with an elastic IP attached. It's the default configuration, so the WinRM services should be up and running, but for good measure, I've also run the following commands on the server:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force 
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 0 -Force
Enable-PSRemoting

On the client, I've then run

$remoteUsername = "##########" 
$remotePassword = "#######"
$remoteHostname = "00.000.000.00" #this is my elastic IP
$securePassword = ConvertTo-SecureString -AsPlainText -Force $remotePassword
$cred = New-Object System.Management.Automation.PSCredential $remoteUsername, $securePassword

test-WSman -computername "54.252.195.14"

But the result I get back is

Connect-WSMan : The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. 
At ***************.ps1:14 char:14
+ Connect-WSMan <<<<  -Credential $cred $remoteHostname
    + CategoryInfo          : InvalidOperation: (*********) [Connect-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.ConnectWSManCommand

I've then tried to run the following code on the client as well, but that hasn't helped either:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force 
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 0 -Force
Enable-PSRemoting

There isn't a lot of info out there in terms of how to get Windows AMIs running and automated on EC2. Is anyone able to help me figure out the error here? The client and server are not on the same domain, but I thought changing the TrustedHosts would make it possible to remotely connect anyway?

UPDATE

After following Barak's advice below, I was able to establish a telnet connection from the server to itself on the right port, but only when using the private IP, and not when using the elastic IP.

The security group rules are as follows (port, protocol, source):

-1    icmp  0.0.0.0/0
22    tcp   0.0.0.0/0
443   tcp   0.0.0.0/0
3389  tcp   0.0.0.0/0
5985  tcp   0.0.0.0/0
5986  tcp   0.0.0.0/0
8888  tcp   0.0.0.0/0

analystic
  • I was following the instructions here if that's of any help: http://stackoverflow.com/questions/10237083/how-to-programmatically-remotely-execute-a-program-in-ec2-windows-instance/13284313 – analystic Jul 10 '13 at 09:35
  • Are you sure that the WinRM port (5985) is open on your EC2 Security Group and the Windows Firewall rules? – Wade Matveyenko Jul 10 '13 at 20:27
  • I am sure it's open on the EC2 security group, as is 5986 (for HTTPS). I have run the Enable-PSRemoting command on the server, and I recall it stating that a firewall exception had been created. Even if I completely disable all firewalls on my client I still get the same issue. – analystic Jul 11 '13 at 12:04
  • I am struggling over the same issues. I put Wireshark on the instance and observed the HTTP traffic arriving from the outside - but the Windows server never sends any response packet. The firewall is open, the EC2 security group is open, the HTTP listener is on, the trusted host list is "*"... and it just ignores the inbound request. Can you install Wireshark and see if the same occurs? – Joe Koberg Oct 07 '13 at 18:49

2 Answers

First you need to sort out if a connection can be established to the remote machine. Easiest is to try the following command from the Windows command prompt:

telnet <ip> 5985

If the telnet client is not installed, add it via Add/Remove Windows Components. If a connection is not possible, you will get an error. This is the most likely error. Possible reasons:

  1. Client side firewall (local or network) preventing the connection
  2. EC2 Security group configuration
  3. Server firewall rule.

Since you can access the remote machine over remote desktop, run the same command on the server to make sure that the WinRM service is actually working and listening on the default port.

If a connection is possible from the client machine, open the event viewer on the server and go to: "Applications and Services Logs" -> Microsoft -> Windows -> "Windows Remote Management" -> Operational and look for errors in the event log.

Barak
  • I can't telnet from the client, but I can from the host. However, I can't telnet from the server to itself via the elastic IP I've assigned, so it isn't reachable publicly - do you have any idea why this might be? – analystic Jul 13 '13 at 04:02
  • Try shutting down the Windows Firewall completely. Also check the security group configuration again. Try telnet-ing to port 3389 (RDP) and compare the results. Check with the public IP (not the elastic IP) as well. – Barak Jul 14 '13 at 06:32
  • Took me until now to try all of these - I can telnet to the RDP port remotely or locally, but not on the PSremoting port 5985 unless I use the private IP. I can only telnet to the PSRemoting port using the private IP for some reason, even locally. I'm starting to give up hope on this - I don't understand how it can be so difficult unless I've set up my security groups incorrectly somehow?! – analystic Jul 25 '13 at 06:08
  • So the WinRM port is definitely open, since you can connect to it locally. A bad security group configuration is the most likely culprit. Check which security groups are active for your machine. Copy the security group rules here (in the question) and we can have a look. Also double check the Windows Firewall on the server - disable it completely, just for this test. – Barak Jul 25 '13 at 08:06
  • Added in the security rules. I get the same issue if I turn off the firewall unfortunately... – analystic Jul 25 '13 at 08:49
  • Not the obvious thing, then. Let's try for the more exotic stuff. Start a new Amazon Windows machine, using the same security group, and try connecting from the new machine to the old one using telnet, both to the private IP and the public one (which should map to the private one anyway). – Barak Jul 25 '13 at 11:41
  • BTW, it is entirely possible that there is something wrong with this particular instance. Have you tried connecting with some other Windows VM? – Barak Aug 08 '13 at 19:02
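The diagnostic sequence in this answer (TCP reachability on the private and elastic IP, listener binding, firewall rule scope, WinRM event log) as one added PowerShell script; this is example code written for this page, not code from the question or the answers. The two IP addresses are constructed placeholders, and the firewall-scope comment is the general Enable-PSRemoting behaviour on server SKUs, not a finding about this instance.

```powershell
# Added diagnostic for the steps in the answer above; not code from the question
# or the answers. The two addresses are constructed placeholders: replace them
# with the instance's real private and elastic IPs before running.
$PrivateIp = "10.0.0.10"       # placeholder
$ElasticIp = "203.0.113.10"    # placeholder (documentation range)
$Ports     = 3389, 5985, 5986  # RDP, WinRM HTTP, WinRM HTTPS

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout, the same check as "telnet <ip> <port>";
    # works on PowerShell 2.0 (Windows 7 / Server 2012), where Test-NetConnection
    # is not available.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Reachability matrix. Run it on the client and again on the server itself:
#    RDP open but 5985 closed on one address only points at the path (security
#    group, NAT, firewall scope) rather than at the listener.
foreach ($ip in $PrivateIp, $ElasticIp) {
    foreach ($port in $Ports) {
        $state = if (Test-TcpPort -Target $ip -Port $port) { "open" } else { "no response" }
        "{0,-16} {1,5}  {2}" -f $ip, $port, $state
    }
}

# 2. On the server: which address each WinRM listener is bound to.
#    'Address = *' binds every local address; a listener pinned to one IP only
#    answers on that IP.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    $get = { param($n) ($props | Where-Object { $_.Name -eq $n }).Value }
    "{0}: {1} on {2}:{3}" -f $_.Name, (& $get 'Transport'), (& $get 'Address'), (& $get 'Port')
}

# 3. On the server: scope of the WinRM firewall rule. On server SKUs the rule
#    Enable-PSRemoting creates for the Public profile only allows the local
#    subnet, which drops off-subnet clients even though the port is listening;
#    compare the Profiles and RemoteIP lines with the profile the NIC is on.
netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)"

# 4. On the server: recent WinRM errors and warnings (Level 2 = error, 3 = warning).
Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational -MaxEvents 50 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Steps 2 to 4 query the local machine, so run the script over RDP on the server; step 1 is worth running from both sides and comparing the two matrices.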

I've been beating my head against this issue, too. I think it has to do with enabling PowerShell listening via the set-item wsman:\localhost\listener\listener*\port -value 5985 command, which is using localhost. Localhost is the internal IP address, NOT the public IP. I don't know of a way to get the 2 IPs mapped to each other.

Jim Roth