Using a DSC Push Configuration for a DMZ Web Server

So in previous posts we showed you a pretty basic DSC configuration file, how to find the available types of features, and how to add a resource to that configuration.

But one of the scenarios I was playing with for the Push configuration initially gave me a stumbling block.

Normally there is a trust between computers on a domain, and Desired State Configuration, or more correctly WinRM, relies upon this.

But what if you wanted to use DSC for a pretty common scenario: spinning up a new web server in a DMZ? In this scenario the server is typically not on the domain and is probably even in a different subnet.

So where do you start?

First let’s build a simple Web Server configuration.

Configuration StandardWebServerDMZ
{
    Node CONTOSO-WEB
    {
    }
}

So we now have a basic DSC configuration called “StandardWebServerDMZ” for a node called “CONTOSO-WEB”.

Now for an IIS server we’re going to need the Web features installed. So, following the file server example, the resource we need is called “WindowsFeature”.

But where did we get the names to work with?

DSC is actually leveraging the names from the “Get-WindowsFeature” Cmdlet. If I ran the following Cmdlet on Server 2012 R2 it would show me all the feature names containing FILE:

GET-WindowsFeature *FILE*

And we can see from the output that the name PowerShell uses for File and Storage Services is “FileAndStorage-Services”.

Which is EXACTLY the name we used in our DSC configuration for CONTOSO-FPS:

        WindowsFeature FileStorage
        {
            Ensure = "Present"
            Name = "FileAndStorage-Services"
        }

Remember of course that although I labelled the feature “FileStorage”, I could have named it “MyFileStandard” or “BaseFPSConfig” or even “RubberBouncyJello”. That second part is only a descriptive label for the resource instance (the Name property is what actually has to match the feature), but IDEALLY it should make sense too.

So I wouldn’t recommend “RubberBouncyJello” even though it could be used.

So for a WEB server we’ll need to get the names used for the IIS services. Let’s run a quick Cmdlet to find that out:

GET-WindowsFeature *Web*

So the base name for IIS is Web-Server. If we add this to our configuration:

Configuration StandardWebServerDMZ
{
    Node CONTOSO-WEB
    {
        WindowsFeature BasicWebServerComponents
        {
            Ensure = "Present"
            Name = "Web-Server"
        }
    }
}

It would ensure that the server in question, “CONTOSO-WEB”, has the basic components required for IIS. You can of course add more features to the list as you need, or even add additional files such as those for a default web site.

But you will encounter a problem when trying to push this configuration. The Web Server and your DSC server don’t trust each other. That’s completely expected.

On the server that is pushing the DSC configuration, you’ll need to ensure four things:

  • Firewall exclusions are in place for WinRM communication between your server and the targeted DMZ web server.

  • You can resolve the remote server name to an IP address (whether via DNS or HOSTS).

  • You add the name of the remote server as “Trusted” in the WinRM client configuration.

  • You have credentials for the remote system.

To add the remote system as Trusted you’ll have to run this command from an Elevated Command prompt.

WINRM set winrm/config/client '@{TrustedHosts="CONTOSO-WEB"}'

At this point you can apply the configuration (presuming you’ve already BUILT the .MOF file by running the script and then executing the configuration by typing StandardWebServerDMZ):

Start-DscConfiguration -Path .\StandardWebServerDMZ -Verbose -Credential (Get-Credential) -ComputerName CONTOSO-WEB

You’ll get prompted for Credentials for the remote Web Server and in moments you’ll have yourself a Shiny new computer running IIS on Server 2012 R2.
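To tie the four checks and the push together, here is an added example script, not code from the original post. It assumes the target is still named CONTOSO-WEB, that its WinRM HTTP listener is on the default port 5985, and that C:\DSC is a scratch folder on the pushing machine; the extra Web-Mgmt-Console feature and the index.html page are illustrations of the “add more features or files” point above. Note that putting a name in TrustedHosts tells the WinRM client to stop verifying that server’s identity, so the script appends only the one exact name rather than a wildcard.

```powershell
# Added example (not from the original post). Assumptions: target CONTOSO-WEB,
# WinRM HTTP listener on 5985, C:\DSC as a local working folder.
$Target     = 'CONTOSO-WEB'
$OutputPath = 'C:\DSC\StandardWebServerDMZ'

Configuration StandardWebServerDMZ
{
    param([string]$ComputerName)

    Node $ComputerName
    {
        WindowsFeature BasicWebServerComponents
        {
            Ensure = 'Present'
            Name   = 'Web-Server'          # from Get-WindowsFeature *Web*
        }

        # A second feature: same rule, the Name must match Get-WindowsFeature
        WindowsFeature WebManagementConsole
        {
            Ensure = 'Present'
            Name   = 'Web-Mgmt-Console'
        }

        # A default page, created only after IIS is present
        File DefaultPage
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = 'C:\inetpub\wwwroot\index.html'
            Contents        = '<html><body><h1>CONTOSO-WEB is up</h1></body></html>'
            DependsOn       = '[WindowsFeature]BasicWebServerComponents'
        }
    }
}

# Check 1: name resolution (DNS or HOSTS entry)
try   { [System.Net.Dns]::GetHostAddresses($Target) | Out-Null }
catch { throw "Cannot resolve $Target to an IP address: $_" }

# Check 2: the firewall lets WinRM through (HTTP listener, TCP 5985)
if (-not (Test-NetConnection -ComputerName $Target -Port 5985 -InformationLevel Quiet)) {
    throw "TCP 5985 on $Target is not reachable; check the firewall rules on both sides"
}

# Check 3: add exactly this host to the WinRM client's TrustedHosts (needs elevation).
# -Concatenate appends to the existing list instead of overwriting it.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ','
if ($trusted -notcontains $Target) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

# Check 4: local credentials on the DMZ box, verified before we push anything
$cred = Get-Credential -Message "Local administrator account on $Target"
Test-WSMan -ComputerName $Target -Credential $cred -Authentication Negotiate | Out-Null

# Compile the MOF, then push it and wait for the result
StandardWebServerDMZ -ComputerName $Target -OutputPath $OutputPath | Out-Null
Start-DscConfiguration -Path $OutputPath -ComputerName $Target -Credential $cred -Wait -Verbose

# Confirm the node is now in the desired state (CimSession works on WMF 4.0 as well)
$cim = New-CimSession -ComputerName $Target -Credential $cred -Authentication Negotiate
Test-DscConfiguration -CimSession $cim
Remove-CimSession $cim
```

Run the script from an elevated PowerShell prompt on the pushing machine. Each check throws before anything is sent, so a missing HOSTS entry or a blocked port shows up as a clear error rather than a vague WinRM failure halfway through Start-DscConfiguration; the final Test-DscConfiguration returns True once IIS, the management console, and the default page are all in place.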

Looking for a bit more? Check out Microsoft Virtual Academy and check out their PowerShell learning modules.

Until then

Remember, the Power of Shell is in YOU

Sean
the Energized Tech
Windows PowerShell MVP
Honorary Scripting Guy