FSx for Windows appears to be blocking WinRM

0

I have stood up FSx for Windows and I can connect to the shares and manage them fine. I have included the necessary ports in the SG to manage the service from the documentation. However, when I tried to connect via WinRM on port 5985 to the FSx instance, it fails to connect. I can connect via SMB 445 when running a test and we confirmed that by connecting to the service and creating shares. SMB and WinRM are opened in the same SG for FSx, so it makes no sense. All ports are allowed outbound and the NACL is still set to default all open in both directions. What is even more strange is that a connectivity analysis test says the port is open between the same instance and ENI for FSx (445 and 5985), but from inside the instance it is not open when doing a test. Local firewall is disabled and all ports open on instance SG and NACL for the same local private subnet (FSx and instance). This is very bizarre. Anyone else run into this?

https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-manage-prereqs.html

asked 2 years ago · 683 views
3 Answers
1

Hi, thanks for sharing the output of the Test-NetConnection command.

This tells us that the port is open and the security group attached to FSx is correct.

Please could you share the command that you are using to connect to the FSx remote powershell endpoint?

Alternatively, please try this example command:

$FSxWindowsRemotePowerShellEndpoint = "ReplacewithyourRemotePowerShellEndpointDNSname"

Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Get-FSxSmbOpenFile }

One of the key differences between regular PS remoting and FSx is that you need to specify the -ConfigurationName FSxRemoteAdmin parameter.

Let me know how it goes :)

AWS
answered 2 years ago
  • I was able to get it working. I believe I wasn't using that Windows Remote PowerShell Endpoint to connect to the instance via PowerShell and that was my issue.

  • Awesome, thanks for the update, glad it's working!
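A TCP test that succeeds while the remoting command fails, as in this thread, points at the session layer rather than the network path. The following is an added example, not code from the thread or from AWS: it checks the two layers separately against the Remote PowerShell endpoint. The function name `Test-FSxRemoteAdmin` is hypothetical, and the endpoint value is the same placeholder used in the answer above.

```powershell
# Added example, not from the thread. Test-FSxRemoteAdmin is a hypothetical name.
function Test-FSxRemoteAdmin {
    param(
        [Parameter(Mandatory)][string]$Endpoint,  # Remote PowerShell endpoint DNS name
        [pscredential]$Credential                 # optional; omit to use the current user
    )
    $result = [ordered]@{
        Endpoint        = $Endpoint
        TcpPort5985Open = $false
        SessionOpened   = $false
        Error           = $null
    }

    # Layer 1: network path only (security groups, NACLs, routing).
    $tcp = Test-NetConnection -ComputerName $Endpoint -Port 5985 -WarningAction SilentlyContinue
    $result.TcpPort5985Open = [bool]$tcp.TcpTestSucceeded
    if (-not $result.TcpPort5985Open) {
        $result.Error = 'TCP 5985 unreachable: check security group, NACL and routing.'
        return [pscustomobject]$result
    }

    # Layer 2: a remoting session that names the FSxRemoteAdmin session
    # configuration, as the answer above requires.
    $sessionArgs = @{
        ComputerName      = $Endpoint
        ConfigurationName = 'FSxRemoteAdmin'
        ErrorAction       = 'Stop'
    }
    if ($Credential) { $sessionArgs.Credential = $Credential }

    $session = $null
    try {
        $session = New-PSSession @sessionArgs
        $result.SessionOpened = $true
    }
    catch {
        # Port is open but the session failed: wrong endpoint name,
        # wrong configuration name, or an authentication problem.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
    [pscustomobject]$result
}

# Placeholder endpoint name; replace before running.
Test-FSxRemoteAdmin -Endpoint 'ReplacewithyourRemotePowerShellEndpointDNSname'
```

`TcpPort5985Open = True` with `SessionOpened = False` reproduces the situation in the question: the security group is fine and the error text in `Error` is where to look next.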

0

Hello there! I notice that you are having trouble connecting to your FSx instance via WinRM on port 5985. From the notes, you have mentioned that you have configured the instance for testing via SMB port 445 and opened the SG for SMB and WinRM. You also mention that all ports are allowed outbound and the NACL is set for both directions. However, I would like you to please note a couple of factors in regard to your case: for starters, you have to ensure that you can connect to the Windows Remote PowerShell Endpoint.
The main point that I noticed is that there was no mention of the file system’s inbound rule that will grant access for remote PowerShell connections. It is mandatory that the SG allows traffic on port 5985 in the inbound direction so that a remote PowerShell session is established. This will allow traffic from your FSx file system, which is what is currently blocking the connection[1]. Please also check that you are not using addresses in the 198.18.0.0/15 space in your VPC, which is referenced in the documentation[2]. For more information about inbound rules and associating a security group[3], have a look at the references below.

References: [1] https://docs.aws.amazon.com/fsx/latest/WindowsGuide/remote-pwr-shell.html

[2] https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_prereqs.html

[3] https://docs.aws.amazon.com/fsx/latest/WindowsGuide/limit-access-security-groups.html#fsx-vpc-security-groups

Antonio
answered 2 years ago
0

Hello Antonio, when testing the endpoint and port using the command below, it comes back with True (I have removed the network-specific info). I'll need to go back and test it again. I have been just using the File Server role to manage the shares, etc. for now:

PS C:\Users\username> test-netconnection {endpoint.domain.com} -port 5985

ComputerName     : {endpoint.domain.com}
RemoteAddress    : XXX.XX.XXX.XXX
RemotePort       : 5985
InterfaceAlias   : Ethernet
SourceAddress    : XXX.XX.XXX.XXX
TcpTestSucceeded : True

answered 2 years ago
