Connect to remote clients behind NAT, different domain or LAN

Hi,

As an example, what's the way to set a scheduled script to run on a client behind a NAT, a different domain or LAN? For now I created an automation script to monitor and automatically fix Hyper-V replication inside my domain, and that’s working without any problems.

But now I want to schedule and monitor the same script in a totally different environment. I checked the documentation and also searched the forum. Either I don’t get it, or maybe I didn’t use the right search, but I can’t find a clear answer to this question.

I already have an idea for a solution, if it is not possible. But maybe there is a solution already: do I need to use the “invoke-uascript” for this? Or do I need something like Enter-PSSession for this, with something like an SSH session and a public and private key? Please help me a little :smiling_face_with_three_hearts:

Kind regards!

Hi QMSPS,
Your best bet would be to set up some task on those remote endpoints to “check in” with your app.
Unfortunately, due to the way that networking and security work, getting a PowerShell session in any form behind a NAT router/firewall etc. is going to be difficult.

Devices behind NAT typically can't be contacted directly, hence the need for port forwarding for certain applications.
PowerShell and other admin interfaces typically don’t trust connections from other networks due to the security risk.

I wouldn’t recommend forwarding management ports to the hosts behind NAT either, as that’s a massive security concern too.

Best have a scheduled task that picks up “instructions” from your UD instance and executes them.

Hope this helps.

Can you sketch an idea for me on how to “have scheduled task that picks up “instructions” from your UD instance and executes them”? Because I'd like to start, but I don’t really know where to start.

As a first script I created a script to monitor Hyper-V replication and run some resume / repair commands if needed, based on the replication state. So I was thinking of using PowerShell Universal as a new central place for my scripts and executing them on the clients.

But now I think that maybe I made a mistake with my idea to push the script on a schedule to the clients. On my own clients it’s working, but they are in the same domain. But now I want to run the scripts on some client outside the domain.

I did a little test with the cmdlets that I installed on a client. But it looks like it’s just starting the script on the Universal server and not on the client. Is it possible to run the scripts with the cmdlets on the client, or did I understand that wrong? And do I need to go a completely different way to reach my goal?

Kind regards

These clients outside of your domain, how are they currently managed by you? Do you have a current RMM or server management software you’re using, like SCCM? In order to avoid exposing those clients directly, you’ll need something to run on those machines that either has an existing established connection (through another tool) or a scheduled task that could talk to an API endpoint on PowerShell Universal’s end. From PSU's perspective it's handling a web request and will return what you want, probably a ps1 file. It could be technically possible, but I don’t think PSU would fit this use case well due to them being outside of your network and no secure way to communicate directly with them.

I would look into an RMM tool, something that installs on the machines you’re managing. Most RMM tools will let you set up some basic monitoring and run PowerShell scripts. That’s what we do for our clients, and I use PowerShell Universal to talk to the RMM’s API if there are commands I want to run or check some info from PSU.
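
An added sketch of the "check-in" pattern discussed in this thread, not code from any poster or from PowerShell Universal: a scheduled task on the remote client pulls a script over outbound HTTPS and runs it only if it carries a valid Authenticode signature from a pinned certificate. The endpoint URL, file paths, Bearer-token authentication and the `Test-InstructionScript` / `Invoke-CheckIn` function names are assumptions for illustration.

```powershell
# Added example: client-side check-in task. Register it with Task Scheduler on the remote client.
# Hypothetical values (not from the thread): endpoint URL, file paths, signer thumbprint.
$Endpoint      = "https://psu.example.com/checkin/$env:COMPUTERNAME"   # your own API endpoint
$TokenPath     = 'C:\ProgramData\CheckIn\token.xml'    # PSCredential saved with Export-Clixml
$WorkDir       = 'C:\ProgramData\CheckIn\work'
$TrustedSigner = '<THUMBPRINT-OF-YOUR-CODE-SIGNING-CERT>'   # placeholder

function Test-InstructionScript {
    # Accept a script only if its Authenticode signature is valid AND made by the pinned certificate.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}

function Invoke-CheckIn {
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $scriptPath = Join-Path $WorkDir 'instruction.ps1'
    Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue   # never reuse a stale download

    # Export-Clixml protects the token with DPAPI, so export it as the account the task runs as.
    $cred    = Import-Clixml -Path $TokenPath
    $headers = @{ Authorization = "Bearer $($cred.GetNetworkCredential().Password)" }

    # Outbound HTTPS only: the client calls the server, so no inbound port or NAT forward is needed.
    Invoke-WebRequest -Uri $Endpoint -Headers $headers -OutFile $scriptPath `
        -UseBasicParsing -ErrorAction Stop

    if (-not (Test-Path $scriptPath) -or (Get-Item $scriptPath).Length -eq 0) {
        return 'NoWork'          # server had nothing queued for this client
    }
    if (-not (Test-InstructionScript -Path $scriptPath -Thumbprint $TrustedSigner)) {
        Remove-Item -Path $scriptPath -Force
        Write-Warning "Rejected instruction from $($Endpoint): signature check failed"
        return 'Rejected'        # a stolen token or tampered response alone cannot run code here
    }
    & $scriptPath | Out-Host     # run the verified script; keep its output out of the return value
    return 'Executed'
}

Invoke-CheckIn
```

The signature check is what keeps a pull-and-execute task from becoming a remote code execution path for anyone who controls the endpoint or the token; sign the instruction scripts offline with a certificate whose private key is not stored on the server.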