How to configure WinRM over HTTPS with Basic Authentication

146757
Created On 10/27/21 16:12 PM - Last Modified 09/14/23 21:31 PM


Objective


  • This document explains how to configure WinRM over HTTPS with Basic Authentication for server monitoring with the PAN-OS integrated User-ID agent (Agentless User-ID).


Environment


  • PAN-OS 9.0 and later
  • PAN-OS integrated User-ID configuration (Agentless User-ID)
  • Active Directory Windows server / Microsoft Exchange Server 2008 and later


Procedure


  • Follow the steps below to configure WinRM over HTTPS with Basic Authentication for server monitoring.
Windows server-side configuration:
Note: The account you use to configure WinRM on the server you want to monitor must have administrator privileges.
  1. Configure the service account with Remote Management User and CIMV2 privileges. Refer to Create a Dedicated Service Account for the User-ID Agent (PAN-OS 9.1).
  2. Enable WinRM on the Windows server.
    • To open the ports on the Windows server for the WinRM connection, enter the command: winrm quickconfig and then enter y to confirm the changes.
    • Confirm that the output displays WinRM service started.
    • If WinRM is already enabled, the output displays WinRM service is already running on this machine, and you will be prompted to confirm any additional required configuration change.
[Screenshot: output showing the WinRM service already running on the machine]
    • Verify that WinRM communicates using the correct protocol by entering the following command: winrm enumerate winrm/config/listener
  3. Configure the server thumbprint so that the firewall can authenticate the server.
    • Verify that the Windows server certificate is installed in the Local Computer certificate store (Certificates (Local Computer) > Personal > Certificates).
[Screenshot: the server certificate in the Local Computer store]
    • Open the certificate and select General > Details > Show: <ALL>, select the Thumbprint, and copy it.
[Screenshot: Thumbprint field of the certificate]
    • From the Windows server command prompt, enter the following command: winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<Hostname>";CertificateThumbprint="<Certificate Thumbprint>"}
      • Hostname is the monitored server (the FQDN as it appears in the certificate) and Certificate Thumbprint is the value you copied from the certificate.
      • Remove any spaces from the certificate thumbprint to ensure that WinRM can validate the certificate.
  4. Specify the authentication type and verify successful authentication between the server and the firewall.
    • Enable Basic authentication for the client. From the command prompt, enter the following command: winrm set winrm/config/client/auth @{Basic="true"}
    • Run the command winrm get winrm/config/client/Auth to confirm that Basic = true.
[Screenshot: output showing Basic authentication enabled for the client]
    • Enable Basic authentication for the service. From the command prompt, enter the following command: winrm set winrm/config/service/auth @{Basic="true"}
    • Run the command winrm get winrm/config/service/Auth to confirm that Basic = true.
[Screenshot: output showing Basic authentication enabled for the service]
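The server-side steps 2 to 4 above, automated as an added PowerShell example that is not part of this article. It assumes it is run as an administrator on the monitored Windows server, that the server certificate (Subject CN = server FQDN) is already in the Local Computer Personal store, and that the $Hostname parameter name is an assumption; it also checks that AllowUnencrypted stays false, since Basic credentials are protected only by the TLS channel of the HTTPS listener.

```powershell
# Added example, not from the KB article. Run elevated on the monitored server.
# $Hostname is an assumed parameter; it defaults to this machine's FQDN.
param(
    [string]$Hostname = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$ErrorActionPreference = 'Stop'

# Step 2: enable WinRM (opens the firewall ports and starts the service).
# -Force answers the "y" confirmation prompt used in the article.
Set-WSManQuickConfig -Force

# Step 3: find the server certificate in Certificates (Local Computer) > Personal.
# Taking the thumbprint from the certificate object avoids the copy/paste spaces
# that make WinRM fail to validate the certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Hostname*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Hostname found in Cert:\LocalMachine\My" }
$thumbprint = ($cert.Thumbprint -replace '\s', '').ToUpper()

# Create the HTTPS listener (equivalent to the article's "winrm create" command).
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -Hostname $Hostname -CertificateThumbprint $thumbprint -Force | Out-Null

# Step 4: enable Basic authentication for the client and the service.
Set-Item WSMan:\localhost\Client\Auth\Basic  -Value $true
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true

# Verify: Basic = true on both sides, and AllowUnencrypted must remain false so
# Basic credentials are only ever sent inside the TLS session of the HTTPS listener.
$checks = [ordered]@{
    'Client Basic'             = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
    'Service Basic'            = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    'Service AllowUnencrypted' = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
}
$checks.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value }
if ($checks['Service AllowUnencrypted'] -ne 'false') {
    throw 'AllowUnencrypted is true: Basic credentials could be sent in cleartext over HTTP'
}

# Show the configured listeners, as "winrm enumerate winrm/config/listener" does.
Get-ChildItem WSMan:\localhost\Listener | Format-Table Name, Keys
```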

Firewall-side configuration:
  5. Enable authentication between the PAN-OS integrated User-ID agent and the Windows servers you plan to monitor using WinRM.
    • From the firewall web interface, select Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account.
    • In domain\username format, enter the User Name for the service account that the User-ID agent will use to monitor servers (configured in step 1).
    • Enter the Domain's DNS Name of the server monitor account.
    • Enter the Password and Confirm Password for the service account and then click OK.
[Screenshot: Palo Alto Networks User-ID Agent Setup dialog]
  6. Configure the PAN-OS integrated User-ID agent to use the WinRM transport protocol to monitor the Windows server.
    • Select the Microsoft server Type (Microsoft Active Directory or Microsoft Exchange).
    • Select the Transport Protocol WinRM-HTTPS.
    • Enter the IP address or FQDN as the Network Address of the server.
[Screenshot: server monitor configuration]
  7. Import the root certificate that signed the Windows server certificate onto the firewall and associate it with the User-ID Certificate profile.
    • Configure the certificate profile under Device > Certificate Management > Certificate Profile. Use the root certificate imported in this step in the CA Certificate field.
[Screenshot: certificate profile configuration]
    • Select Device > User Identification > Connection Security and click Edit.
    • Select the certificate profile to use as the User-ID Certificate Profile and then click OK.
[Screenshot: User-ID Certificate Profile configuration]
    • Commit the configuration.
  8. Verify that the status of each server configured for server monitoring is Connected on the Device > User Identification > User Mapping tab in the web interface.


Additional Information


Admin Guide

Note: The information provided for Windows may change depending on the Windows version.

