diff options
| author | Matt Davis <mrd@redhat.com> | 2017-12-20 20:18:33 -0800 |
|---|---|---|
| committer | Matt Davis <mrd@redhat.com> | 2017-12-20 21:35:20 -0800 |
| commit | a7874889908a4e58a2053d473584f0e9ee569b8f (patch) | |
| tree | 65d67601ac504248d3131fa53c86badb2c293d70 | |
| parent | 0255ab2e27d1268faa409bff855682f2992f0f85 (diff) | |
| download | ansible-a7874889908a4e58a2053d473584f0e9ee569b8f.tar.gz | |
add GlobalHttpFirewallAccess arg
(cherry picked from commit a9ca0389b6cdf2992b04d6bafbd2cb3feb861d12)
| -rw-r--r-- | examples/scripts/ConfigureRemotingForAnsible.ps1 | 61 |
1 files changed, 60 insertions, 1 deletions
diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1 index 2f599bada8..e5a13af809 100644 --- a/examples/scripts/ConfigureRemotingForAnsible.ps1 +++ b/examples/scripts/ConfigureRemotingForAnsible.ps1 @@ -50,7 +50,8 @@ Param ( [switch]$SkipNetworkProfileCheck, $CreateSelfSignedCert = $true, [switch]$ForceNewSSLCert, - [switch]$EnableCredSSP + [switch]$EnableCredSSP, + [switch]$GlobalHttpFirewallAccess ) Function Write-Log @@ -119,6 +120,60 @@ Function New-LegacySelfSignedCert return $parsed_cert.Thumbprint } +Function Enable-GlobalHttpFirewallAccess +{ + Write-Verbose "Forcing global HTTP firewall access" + # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing + $fw = New-Object -ComObject HNetCfg.FWPolicy2 + + # try to find/enable the default rule first + $add_rule = $false + $matching_rules = $fw.Rules | ? { $_.Name -eq "Windows Remote Management (HTTP-In)" } + $rule = $null + If ($matching_rules) { + If ($matching_rules -isnot [Array]) { + Write-Verbose "Editing existing single HTTP firewall rule" + $rule = $matching_rules + } + Else { + # try to find one with the All or Public profile first + Write-Verbose "Found multiple existing HTTP firewall rules..." + $rule = $matching_rules | % { $_.Profiles -band 4 }[0] + + If (-not $rule -or $rule -is [Array]) { + Write-Verbose "Editing an arbitrary single HTTP firewall rule (multiple existed)" + # oh well, just pick the first one + $rule = $matching_rules[0] + } + } + } + + If (-not $rule) { + Write-Verbose "Creating a new HTTP firewall rule" + $rule = New-Object -ComObject HNetCfg.FWRule + $rule.Name = "Windows Remote Management (HTTP-In)" + $rule.Description = "Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]" + $add_rule = $true + } + + $rule.Profiles = 0x7FFFFFFF + $rule.Protocol = 6 + $rule.LocalPorts = 5985 + $rule.RemotePorts = "*" + $rule.LocalAddresses = "*" + $rule.RemoteAddresses = "*" + $rule.Enabled = $true + $rule.Direction = 1 + $rule.Action = 1 + $rule.Grouping = "Windows Remote Management" + + If ($add_rule) { + $fw.Rules.Add($rule) + } + + Write-Verbose "HTTP firewall rule $($rule.Name) updated" +} + # Setup error handling. Trap { @@ -275,6 +330,10 @@ If ($EnableCredSSP) } } +If ($GlobalHttpFirewallAccess) { + Enable-GlobalHttpFirewallAccess +} + # Configure firewall to allow WinRM HTTPS connections. $fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" $fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any |