WinRM: Allow Connections From Specific IP/Prefix


My Goal:

On this test machine (non-domain), I want to restrict WinRM listener (itself) to only listen for specific client IP addresses or client IP address range. I don’t want to attempt to control WinRM traffic via GPO/FW, I want to control WinRM traffic via the listener itself.

My problem:

The command I used to create the listener (the IP I used in "" is the IP of the public interface (front net)). The resulting listener configuration then contains the public IP as the listener Address as well as the ListenOn address. I would appreciate it if someone can explain what the "Address" field and "ListenOn" field mean and how I can ensure that WinRM is listening on a specific interface on the target server and listening for specific client (requesting) IPs.

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="";Transport="HTTPS"} -ValueSet @{HostName='xxxxxxxxxxxx.xxxxxxxxxxx.xxxx';CertificateThumbprint='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}

Check listener configuration:

PS C:\scripts> winrm e winrm/config/listener
Address =
Transport = HTTPS
Port = xxxx
Hostname = xxxxxxxxxxxx.xxxxxxxxxxx.xxxx
Enabled = true
URLPrefix = wsman
ListeningOn =

That’s something you’d have to lock down in the firewall. Or, I suppose, with IP address restrictions at the IIS level. The WinRM configurations tell it which IP addresses to bind to, not which ones to accept connections from.

Sorry, scratch “IIS level;” I had a pull server in my head. This’d have to be done at the firewall.
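The split the replies describe, as an added example that is not part of this thread: the listener's Address selector chooses the local interface WinRM binds to, and the client restriction is done with a host firewall rule scoped to a remote prefix. The management prefix, interface IP, hostname, thumbprint placeholder and port 5986 (the WinRM HTTPS default) are assumed values.

```powershell
# Added example, not from the thread. Assumptions: admins connect from
# 10.0.0.0/24, the front-net interface is 192.0.2.10, WinRM HTTPS uses the
# default port 5986, and $thumb is the thumbprint of a cert whose subject
# matches the listener hostname. Run from an elevated PowerShell.

$clientPrefix = '10.0.0.0/24'                 # assumed: where admins connect from
$listenIp     = '192.0.2.10'                  # assumed: local interface to bind to
$thumb        = 'PLACEHOLDER_CERT_THUMBPRINT' # placeholder, replace with a real thumbprint
$fqdn         = 'host.example.test'           # assumed listener hostname

# 1. Bind the listener to one local address. The Address selector ("IP:x.x.x.x")
#    only controls which local interface WinRM listens on; it does not filter clients.
New-WSManInstance winrm/config/Listener `
    -SelectorSet @{ Address = "IP:$listenIp"; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = $fqdn; CertificateThumbprint = $thumb }

# 2. Filter clients at the host firewall: one inbound allow rule scoped to the
#    management prefix on the bound local address.
New-NetFirewallRule -DisplayName 'WinRM HTTPS - mgmt prefix only' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -LocalAddress $listenIp -RemoteAddress $clientPrefix `
    -Action Allow -Profile Any

# 3. Verify: list every enabled inbound allow rule on 5986 with its RemoteAddress
#    scope. Any rule here showing 'Any' would let the scoped rule be bypassed.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '5986' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
```

The verification step matters because the built-in "Windows Remote Management" rules, if enabled for the same port and profile, accept any remote address and make the scoped rule moot.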