How-to – Load Remote Exchange PowerShell Session on Exchange 2010, 2013, 2016, Exchange Online (O365) - which ports do you need

1- Intro

In a previous blog post, I showed the trick to load the Exchange Management Shell in the ISE, the Integrated Scripting Environment of PowerShell, just like the Exchange Management Shell shortcut that is created when you install the Exchange Management Tools. That trick needed the Exchange Management Tools to be installed locally, which is not bad, as your ISE will behave exactly like your Exchange Management Shell, but with the benefits of the ISE.

Now, as George highlighted in the comments section of that previous blog post, you can also load Exchange cmdlets from a remote PowerShell session, using New-PSSession and Import-PSSession. Note that not all Exchange cmdlets and functions are available that way (what you "lose" is a topic for a future blog post, but basically you can compare the Exchange cmdlet lists side by side after dumping them using "get-excommand").

As mentioned in the same previous blog post, the PowerShell session import method has its own advantages, like the ability to load Exchange management cmdlets on any workstation or server that has PowerShell and the proper ports opened, without the need to install the Exchange Management Shell. It can be very useful for applications that rely on Exchange PowerShell cmdlets, for example.

Below I pasted the PowerShell snippets to connect to your Exchange platform (Exchange 2010, 2013, 2016 and Exchange Online), along with the related TechNet links if you need or want more details.

 

2- Ports needed between management console and the remote server

Ports between the management station and the remote Exchange server(s) or the remote Exchange load balancer must be open. By default, the WinRM listener on your Exchange servers uses port 5985 for HTTP and port 5986 for HTTPS.

  • To check which ports your Exchange servers listen to, you can run the following:

Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate

This will show the 5985 port only, meaning that if only port 80 is open between your station and your Exchange server, you won't be able to import a PS session from it. To enable listening on the "traditional" HTTP and/or HTTPS ports (TCP port 80 for HTTP and TCP port 443 for HTTPS), run the commands below on each Exchange server you want to connect to:

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value true

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener -Value true

  • Before adding the HTTP port 80 and/or HTTPS port 443 listeners, the Get-WSManInstance command above gives you:

cfg : https://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : https://www.w3.org/2001/XMLSchema-instance
lang : en-US
Address : *
Transport : HTTP
Port : 5985
Hostname :
Enabled : true
URLPrefix : wsman
CertificateThumbprint :
ListeningOn : {127.0.0.1, 192.168.2.51, ::1, fe80::5efe:192.168.2.51%13, fe80::d42:e6f1:faff:ecfb%12}

  • After adding them with the two Set-Item WSMan commands, running the same Get-WSManInstance command outputs the previous listener plus the HTTP and HTTPS ones (the two entries marked "Source : Compatibility"):

cfg : https://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : https://www.w3.org/2001/XMLSchema-instance
lang : en-US
Address : *
Transport : HTTP
Port : 5985
Hostname :
Enabled : true
URLPrefix : wsman
CertificateThumbprint :
ListeningOn : {127.0.0.1, 192.168.2.51, ::1, fe80::5efe:192.168.2.51%13, fe80::d42:e6f1:faff:ecfb%12}

cfg : https://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : https://www.w3.org/2001/XMLSchema-instance
Source : Compatibility
lang : en-US
Address : *
Transport : HTTP
Port : 80
Hostname :
Enabled : true
URLPrefix : wsman
CertificateThumbprint :
ListeningOn : {127.0.0.1, 192.168.2.51, ::1, fe80::5efe:192.168.2.51%13, fe80::d42:e6f1:faff:ecfb%12}

cfg : https://schemas.microsoft.com/wbem/wsman/1/config/listener
xsi : https://www.w3.org/2001/XMLSchema-instance
Source : Compatibility
lang : en-US
Address : *
Transport : HTTPS
Port : 443
Hostname : E2013N1.E2013CANADA.CA
Enabled : true
URLPrefix : wsman
CertificateThumbprint :
ListeningOn : {127.0.0.1, 192.168.2.51, ::1, fe80::5efe:192.168.2.51%13, fe80::d42:e6f1:faff:ecfb%12}

For more information about the above, you can check the below TechNet page:

https://blogs.msdn.microsoft.com/wmi/2009/07/22/new-default-ports-for-ws-management-and-powershell-remoting/
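To verify from the management station which of the four ports discussed above actually reach a WinRM listener, the following added example (not code from the original post) probes each port and then sends a WS-Management Identify request with Test-WSMan. Test-TcpPort is a helper defined here for illustration, and the host name is the sample one used on this page.

```powershell
# Added example: run this on the management station, not on the Exchange server.
$ExchangeOrNLBFQDN = "E2013N1.E2013Canada.ca"   # sample host name from this page

# Default WinRM listeners and the compatibility listeners described above.
$Ports = @(
    @{ Port = 5985; Transport = "HTTP";  Listener = "Default" },
    @{ Port = 5986; Transport = "HTTPS"; Listener = "Default" },
    @{ Port = 80;   Transport = "HTTP";  Listener = "Compatibility" },
    @{ Port = 443;  Transport = "HTTPS"; Listener = "Compatibility" }
)

# Hypothetical helper: TCP connect with a timeout, works on older PowerShell versions.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$Results = foreach ($p in $Ports) {
    $open  = Test-TcpPort -ComputerName $ExchangeOrNLBFQDN -Port $p.Port
    $wsman = $false
    if ($open) {
        # An open port may belong to another service such as IIS; the unauthenticated
        # Identify request sent by Test-WSMan shows whether WinRM itself answers there.
        $params = @{ ComputerName = $ExchangeOrNLBFQDN; Port = $p.Port; ErrorAction = "SilentlyContinue" }
        if ($p.Transport -eq "HTTPS") { $params.UseSSL = $true }
        $wsman = [bool](Test-WSMan @params)
    }
    New-Object PSObject -Property @{
        Port = $p.Port; Transport = $p.Transport; Listener = $p.Listener
        TcpOpen = $open; WSManAnswers = $wsman
    }
}
$Results | Sort-Object Port | Format-Table Port, Transport, Listener, TcpOpen, WSManAnswers -AutoSize
```

A row with TcpOpen true and WSManAnswers false on an HTTPS port usually points to a certificate that does not validate for the name you connected to, since Test-WSMan fails on certificate errors.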

 

3- Code snippet to open a remote session to your Exchange environment

You can use the below snippets to test Exchange PowerShell "session remoting". I pasted here the code to connect to Exchange 2010, 2013, 2016 and Exchange Online, taken from the TechNet (now Microsoft Docs) pages for each technology – feel free to check the corresponding Microsoft Docs page if you want more information about these.

#For all versions, including for EoL, it's recommended that you remove the PSSession: closing the PowerShell window leaves the remote session open on the server side until it times out, and the quota for the maximum number of concurrent connections may prevent you from connecting back to the service in a timely manner.
#Running Remove-PSSession $Session once finished will remove and close the remote session.

For all Exchange on-premises versions, the snippets below come from this docs.microsoft.com link (these pages are progressively replacing the TechNet pages).

For Exchange Online, the snippet comes from this docs.microsoft.com link.

Exchange 2010 with current user

#Exchange 2010 with current user
$ExchangeOrNLBFQDN = "E2013N1.E2013Canada.ca"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeOrNLBFQDN/PowerShell/" -Authentication Kerberos
Import-PSSession $Session

#(Remove-PSSession $Session once finished)

Exchange 2010 with other user (Run As)

#Exchange 2010 with other user (runAs type)
$ExchangeOrNLBFQDN = "E2013N1.E2013Canada.ca"
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeOrNLBFQDN/PowerShell/" -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session

#(Remove-PSSession $Session once finished)

Exchange 2013

#E2013
#Exchange 2013 with other user (just like using RunAs) – to connect using the current user credentials, remove or comment the $UserCredential = Get-Credential line and remove the "-Credential $UserCredential" parameter from the $Session = New-PSSession...
$ExchangeOrNLBFQDN = "E2013N1.E2013Canada.ca"
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeOrNLBFQDN/PowerShell/" -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session

#(Remove-PSSession $Session once finished)

Exchange 2016

#E2016
#Exchange 2016 with other user (just like using RunAs) – to connect using the current user credentials, remove or comment the $UserCredential = Get-Credential line and remove the "-Credential $UserCredential" parameter from the $Session = New-PSSession...
$ExchangeOrNLBFQDN = "E2013N1.E2013Canada.ca"
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeOrNLBFQDN/PowerShell/" -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session

#(Remove-PSSession $Session once finished)

Exchange Online (Office 365)

#EO365
#Exchange Online
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -Credential $UserCredential -AllowRedirection
Import-PSSession $Session

#(Remove-PSSession $Session once finished)
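The recommendation above to always remove the session can be enforced in a script with try/finally. The following is an added example, not taken from the original post or from the Microsoft pages it cites; the command list and the "Rps" prefix are assumptions chosen for illustration, and the host name is the sample one used on this page.

```powershell
# Added example: import only the cmdlets the script needs and always remove the
# remote session, even when an error interrupts the script.
$ExchangeOrNLBFQDN = "E2013N1.E2013Canada.ca"                 # sample host name from this page
$NeededCommands    = "Get-Mailbox", "Get-MailboxStatistics"   # assumption: adjust to your script

$Session = $null
try {
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "https://$ExchangeOrNLBFQDN/PowerShell/" `
        -Authentication Kerberos -ErrorAction Stop

    # -CommandName limits what gets imported; -Prefix keeps the imported commands
    # distinct from local ones (Get-Mailbox becomes Get-RpsMailbox).
    Import-PSSession $Session -CommandName $NeededCommands -Prefix Rps -ErrorAction Stop |
        Out-Null

    Get-RpsMailbox -ResultSize 10 | Select-Object Name, PrimarySmtpAddress
}
catch {
    Write-Warning "Remote Exchange session failed: $($_.Exception.Message)"
}
finally {
    # Runs on success and on failure, so the server-side session is released
    # instead of waiting for the timeout and counting against the connection quota.
    if ($Session) { Remove-PSSession $Session }
}

# Sessions left over from earlier runs in this PowerShell process can be listed with:
Get-PSSession | Where-Object { $_.ConfigurationName -eq "Microsoft.Exchange" }
```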
