2
votes

I'm trying to use a Windows 7 client to try to remotely control a Windows Server 2012 EC2 instance with an elastic IP attached. It's the default configuration, so the WinRM services should be up and running, but for good measure, I've also run the following commands on the server:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force 
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 0 -Force
Enable-PSRemoting

On the client, I've then run

$remoteUsername = "##########" 
$remotePassword = "#######"
$remoteHostname = "00.000.000.00" #this is my elastic IP
$securePassword = ConvertTo-SecureString -AsPlainText -Force $remotePassword
$cred = New-Object System.Management.Automation.PSCredential $remoteUsername, $securePassword

test-WSman -computername "54.252.195.14"

But the result I get back is

Connect-WSMan : The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. 
At ***************.ps1:14 char:14
+ Connect-WSMan <<<<  -Credential $cred $remoteHostname
    + CategoryInfo          : InvalidOperation: (*********) [Connect-WSMan], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.ConnectWSManCommand

I've then tried to run the following code on the client as well, but that hasn't helped either:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force 
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
set-item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 0 -Force
Enable-PSRemoting

There isn't a lot of info out there in terms of how to get Windows AMIs running and automated on EC2. Is anyone able to help me figure out the error here? The client and server are not on the same domain, but I thought changing the TrustedHosts would make it possible to remotely connect anyway?

UPDATE

After following Barak's advice below, I was able to establish a telnet connection from the server to itself on the right port, but only when using the private IP, and not when using the elastic IP.

The Security rules are as follows:

-1 icmp 0.0.0.0/0
22 tcp 0.0.0.0/0
443 tcp 0.0.0.0/0
3389 tcp 0.0.0.0/0
5985 tcp 0.0.0.0/0
5986 tcp 0.0.0.0/0
8888 tcp 0.0.0.0/0

2
I was following the instructions here if that's of any help: stackoverflow.com/questions/10237083/… - analystic

Are you sure that the WinRM port (5985) is open on your EC2 Security Group and the Windows Firewall rules? - Wade Matveyenko

I am sure it's open on the EC2 security group, as is 5986 (for HTTPS). I have run the Enable-PSRemoting command on the server, and I recall it stating that a firewall exception had been created. Even if I completely disable all firewalls on my client I still get the same issue. - analystic

I am struggling over the same issues. I put Wireshark on the instance and observed the HTTP traffic arriving from the outside - but the Windows server never sends any response packet. The firewall is open, the EC2 security group is open, the HTTP listener is on, the trusted host list is "*"... and it just ignores the inbound request. Can you install Wireshark and see if the same occurs? - Joe Koberg

2 Answers

3
votes

First you need to sort out if a connection can be established to the remote machine. Easiest is to try the following command from the Windows command prompt:

telnet <ip> 5985

If the telnet client is not installed, add it via Add/Remove Windows Components. If a connection is not possible, you will get an error. This is the most likely error. Possible reasons:

  1. Client side firewall (local or network) preventing the connection
  2. EC2 Security group configuration
  3. Server firewall rule.

Since you can access the remote machine over remote desktop, run the same command on the server to make sure that the WinRM service is actually working and listening on the default port.

If a connection is possible from the client machine, open the event viewer on the server and go to: "Applications and Services Logs" -> Microsoft -> Windows -> "Windows Remote Management" -> Operational and look for errors in the event log.
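The checks described in this answer, collected into one PowerShell script as an added example (not part of the original answer). The function name Test-TcpPort and the address 203.0.113.10 are placeholders chosen for illustration; the server-side part assumes Windows Server 2012, where the NetSecurity firewall cmdlets are available.

```powershell
# Added example. Test-TcpPort and the address below are hypothetical placeholders.
$server = '203.0.113.10'   # documentation-range placeholder; use the address you connect to

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient works on PowerShell 2.0 (Windows 7), where Test-NetConnection is unavailable.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# --- Run on the client ---
foreach ($port in 5985, 5986) {
    $open = Test-TcpPort -ComputerName $server -Port $port
    "{0}:{1} reachable = {2}" -f $server, $port, $open
}
# Only meaningful once the TCP check succeeds; sends an unauthenticated WS-Man identify request.
Test-WSMan -ComputerName $server

# --- Run on the server (over Remote Desktop) ---
# Which addresses and ports the WinRM listeners are bound to
winrm enumerate winrm/config/listener
netstat -ano | Select-String ':5985|:5986'

# Windows Firewall rules for WinRM, including the remote addresses each rule accepts
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    "{0} enabled={1} profile={2} remote={3}" -f $_.DisplayName, $_.Enabled, $_.Profile, ($addr.RemoteAddress -join ',')
}

# Recent errors and warnings from the WinRM operational log
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Level = 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

The client and server sections are meant to be run separately on their respective machines. Comparing the TCP result from the client with the listener and firewall output on the server shows which of the three layers listed above is dropping the connection.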

0
votes

I've been beating my head against this issue, too. I think it has to do with enabling PowerShell listening via the set-item wsman:\localhost\listener\listener*\port -value 5985 command, which is using localhost. Localhost is the internal IP address, NOT the public IP. I don't know of a way to get the 2 IPs mapped to each other.