Chapter 27. Setting up constrained remoting endpoints

 

The ability to create constrained endpoints has existed since PowerShell v2, but PowerShell v3 makes them easier to create and makes them an effective way to set up delegated administration capabilities within your environment. We’ll walk you through the complete process of creating and configuring constrained endpoints and give you some ideas for how you might use them in your own organization.

27.1. Refresher: Remoting architecture

Figure 27.1 provides a quick overview of PowerShell’s Remoting architecture. You use the Web Services for Management (WS-MAN) protocol to communicate between computers (or even between two services on the same computer). WS-MAN uses either HTTP or HTTPS, with HTTP being the default. On the remote computer, a Windows Remote Management (WinRM) service receives the incoming WS-MAN traffic and routes that traffic to one or more endpoints. When those endpoints connect to PowerShell, a session configuration determines the capabilities of that particular connection. The default session configurations created when you enable Remoting (by running Enable-PSRemoting) are basically unrestricted and may only be used by Administrators.

Figure 27.1. PowerShell Remoting architecture

Note

For a more in-depth look at how Remoting works, we recommend Learn Windows PowerShell 3 in a Month of Lunches. You can also refer to Don’s free Secrets of PowerShell Remoting guide, which is available at http://PowerShellBooks.com.
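
Before constraining anything, it helps to see which session configurations a computer already exposes and who is allowed to connect to each one. The following is an added example, not code from the book: the function name Get-EndpointAccessReport and its output columns are our own, and it assumes PowerShell v3 or later running in an elevated session on the computer being audited.

```powershell
# Added example: list every Remoting endpoint (session configuration) on this
# computer together with the principals its security descriptor mentions.
# Get-EndpointAccessReport is a hypothetical helper name, not a built-in cmdlet.
function Get-EndpointAccessReport {
    [CmdletBinding()]
    param()

    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    foreach ($config in Get-PSSessionConfiguration) {
        # SessionType is only present on some configurations, so read it safely.
        $typeProp    = $config.PSObject.Properties['SessionType']
        $sessionType = if ($typeProp) { $typeProp.Value } else { 'NotSpecified' }

        $sddl = $config.SecurityDescriptorSddl
        if (-not $sddl) {
            [pscustomobject]@{
                Endpoint = $config.Name; SessionType = $sessionType
                Principal = '(no descriptor on this configuration)'
                Access = $null; NonAdmin = $null
            }
            continue
        }

        # Parse the SDDL string instead of relying on the display-only Permission text.
        $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # unresolvable SID: show it raw

            [pscustomobject]@{
                Endpoint    = $config.Name
                SessionType = $sessionType
                Principal   = $name
                Access      = $ace.AceType   # AccessAllowed or AccessDenied
                # True when an allow entry grants access to someone other than Administrators
                NonAdmin    = ($ace.AceType -eq 'AccessAllowed' -and $sid.Value -ne $adminSid)
            }
        }
    }
}

# Review the result; rows with NonAdmin = True deserve a closer look.
Get-EndpointAccessReport | Sort-Object Endpoint, Principal | Format-Table -AutoSize
```

Running the report again after registering a new endpoint shows whether its access list matches what you intended to delegate.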

27.2. What are constrained endpoints?

27.3. Creating the endpoint definition

27.4. Registering the endpoint

27.5. Connecting to the endpoint

27.6. Lab