Merge pull request ansible#12363 from breathe/devel

allow ConfigureRemotingForAnsible.ps1 script from public zone

docsite/rst/intro_windows.rst

@@ -8,7 +8,7 @@ Windows Support
 Windows: How Does It Work
 `````````````````````````
 
-As you may have already read, Ansible manages Linux/Unix machines using SSH by default.  
+As you may have already read, Ansible manages Linux/Unix machines using SSH by default.
 
 Starting in version 1.7, Ansible also contains support for managing Windows machines.  This uses
 native PowerShell remoting, rather than SSH.
@@ -40,22 +40,22 @@ Installing python-kerberos dependencies
 
    # Via Yum
    yum -y install python-devel krb5-devel krb5-libs krb5-workstation
-   
+
    # Via Apt (Ubuntu)
    sudo apt-get install python-dev libkrb5-dev
-   
+
    # Via Portage (Gentoo)
-   emerge -av app-crypt/mit-krb5 
+   emerge -av app-crypt/mit-krb5
    emerge -av dev-python/setuptools
 
    # Via pkg (FreeBSD)
    sudo pkg install security/krb5
-   
+
    # Via OpenCSW (Solaris)
    pkgadd -d http://get.opencsw.org/now
    /opt/csw/bin/pkgutil -U
-   /opt/csw/bin/pkgutil -y -i libkrb5_3 
-   
+   /opt/csw/bin/pkgutil -y -i libkrb5_3
+
    # Via Pacman (Arch Linux)
    pacman -S krb5
 
@@ -203,18 +203,23 @@ Windows System Prep
 
 In order for Ansible to manage your windows machines, you will have to enable PowerShell remoting configured.
 
-To automate setup of WinRM, you can run `this PowerShell script <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>`_ on the remote machine. 
+To automate setup of WinRM, you can run `this PowerShell script <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>`_ on the remote machine.
+
+The example script accepts a few arguments which Admins may choose to use to modify the default setup slightly, which might be appropriate in some cases.
 
-Admins may wish to modify this setup slightly, for instance to increase the timeframe of
-the certificate.
+Pass the -CertValidityDays option to customize the expiration date of the generated certificate.
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -CertValidityDays 100
+
+Pass the -SkipNetworkProfileCheck switch to configure winrm to listen on PUBLIC zone interfaces.  (Without this option, the script will fail if any network interface on device is in PUBLIC zone)
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck
 
 .. note::
-   On Windows 7 and Server 2008 R2 machines, due to a bug in Windows 
+   On Windows 7 and Server 2008 R2 machines, due to a bug in Windows
    Management Framework 3.0, it may be necessary to install this
    hotfix http://support.microsoft.com/kb/2842230 to avoid receiving
    out of memory and stack overflow exceptions.  Newly-installed Server 2008
    R2 systems which are not fully up to date with windows updates are known
-   to have this issue.   
+   to have this issue.
 
    Windows 8.1 and Server 2012 R2 are not affected by this issue as they
    come with Windows Management Framework 4.0.
@@ -233,8 +238,8 @@ Looking at an Ansible checkout, copy the `examples/scripts/upgrade_to_ps3.ps1 <h
 What modules are available
 ``````````````````````````
 
-Most of the Ansible modules in core Ansible are written for a combination of Linux/Unix machines and arbitrary web services, though there are various 
-Windows modules as listed in the `"windows" subcategory of the Ansible module index <http://docs.ansible.com/list_of_windows_modules.html>`_.  
+Most of the Ansible modules in core Ansible are written for a combination of Linux/Unix machines and arbitrary web services, though there are various
+Windows modules as listed in the `"windows" subcategory of the Ansible module index <http://docs.ansible.com/list_of_windows_modules.html>`_.
 
 Browse this index to see what is available.
 
@@ -368,5 +373,3 @@ form of new modules, tweaks to existing modules, documentation, or something els
        Questions? Help? Ideas?  Stop by the list on Google Groups
    `irc.freenode.net <http://irc.freenode.net>`_
        #ansible IRC chat channel
-
-

examples/scripts/ConfigureRemotingForAnsible.ps1

@@ -4,9 +4,13 @@
 # This script checks the current WinRM/PSRemoting configuration and makes the
 # necessary changes to allow Ansible to connect, authenticate and execute
 # PowerShell commands.
-# 
+#
 # Set $VerbosePreference = "Continue" before running the script in order to
 # see the output messages.
+# Set $SkipNetworkProfileCheck to skip the network profile check.  Without
+# specifying this the script will only run if the device's interfaces are in
+# DOMAIN or PRIVATE zones.  Provide this switch if you want to enable winrm on
+# a device with an interface in PUBLIC zone.
 #
 # Written by Trond Hindenes <[email protected]>
 # Updated by Chris Church <[email protected]>
@@ -19,6 +23,7 @@
 Param (
     [string]$SubjectName = $env:COMPUTERNAME,
     [int]$CertValidityDays = 365,
+    [switch]$SkipNetworkProfileCheck,
     $CreateSelfSignedCert = $true
 )
 
@@ -28,7 +33,7 @@ Function New-LegacySelfSignedCert
         [string]$SubjectName,
         [int]$ValidDays = 365
     )
-    
+
     $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
     $name.Encode("CN=$SubjectName", 0)
 
@@ -96,8 +101,14 @@ ElseIf ((Get-Service "WinRM").Status -ne "Running")
 # WinRM should be running; check that we have a PS session config.
 If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
 {
-    Write-Verbose "Enabling PS Remoting."
+  if ($SkipNetworkProfileCheck) {
+    Write-Verbose "Enabling PS Remoting without checking Network profile."
+    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
+  }
+  else {
+    Write-Verbose "Enabling PS Remoting"
     Enable-PSRemoting -Force -ErrorAction Stop
+  }
 }
 Else
 {