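function New-RdsGwCap {
    <#
    .SYNOPSIS
        Creates an RD Gateway Connection Authorization Policy (CAP).
    .DESCRIPTION
        Calls Win32_TSGatewayConnectionAuthorizationPolicy.Create and, on
        success, returns the freshly created instance. A CAP governs WHO may
        connect through the gateway (UserGroupNames), HOW they authenticate
        (password / smart card) and which client device redirections are
        blocked.

        Fixed settings applied by this function: AllowOnlySDRServers = $false,
        CookieAuthentication = $true, IdleTimeout = 0, SecureId = $false,
        SessionTimeoutAction = 0 and ComputerGroupNames = ''. A timeout value
        of 0 presumably means "no timeout" for this WMI class (verify against
        the class documentation) — consider a non-zero -SessionTimeout on
        production gateways.

        Failures (non-zero ReturnValue) are reported as a non-terminating
        error via Write-Error; the function then returns nothing.
    .PARAMETER Name
        Policy name. Also used, escaped, in the WQL filter that re-reads the
        created policy.
    .PARAMETER Enable
        Whether the policy is enabled on creation (default $true).
    .PARAMETER PasswordAuthentication
        Allow password authentication (default $true).
    .PARAMETER SmartcardAuthentication
        Allow smart card authentication (default $false).
    .PARAMETER DiskDrivesDisabled
    .PARAMETER PlugAndPlayDevicesDisabled
    .PARAMETER PrintersDisabled
    .PARAMETER SerialPortsDisabled
    .PARAMETER ClipboardDisabled
        Block the respective client device redirection. Specifying any of
        them switches DeviceRedirectionType to 2 (see comments below).
    .PARAMETER UserGroupNames
        Security group(s) the CAP applies to, passed through unmodified in
        whatever format the WMI class expects.
    .PARAMETER SessionTimeout
        Session timeout (presumably minutes, per the WMI class); 0 by default.
    .OUTPUTS
        Microsoft.Management.Infrastructure.CimInstance
        (Win32_TSGatewayConnectionAuthorizationPolicy) on success.
    #>
    param (
        [Parameter(Mandatory)]
        [String] $Name,
        [bool] $Enable = $true,
        [bool] $PasswordAuthentication = $true,
        [bool] $SmartcardAuthentication = $false,
        [switch] $DiskDrivesDisabled,
        [switch] $PlugAndPlayDevicesDisabled,
        [switch] $PrintersDisabled,
        [switch] $SerialPortsDisabled,
        [switch] $ClipboardDisabled,
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [String] $UserGroupNames,
        [uint32] $SessionTimeout = 0
    )

    if (-not $PasswordAuthentication -and -not $SmartcardAuthentication) {
        # NOTE(review): a CAP with neither method enabled most likely cannot
        # authenticate anyone; say so up front rather than failing obscurely later.
        Write-Warning 'Neither password nor smart card authentication is enabled for this CAP.'
    }

    <#
    DeviceRedirectionType:
      0  All devices will be redirected.
      1  No devices will be redirected.
      2  Specified devices will not be redirected. The DiskDrivesDisabled,
         PrintersDisabled, SerialPortsDisabled, ClipboardDisabled and
         PlugAndPlayDevicesDisabled properties control which ones.

    Observed quirk (original author): when type 2 is requested with every
    *Disabled flag $false, the gateway ignores AllowOnlySDRServers and forces
    it to $true. Requesting type 0 in that case avoids the problem.
    #>
    $anyRedirectionDisabled = $DiskDrivesDisabled -or $PlugAndPlayDevicesDisabled -or
        $PrintersDisabled -or $SerialPortsDisabled -or $ClipboardDisabled
    $deviceRedirectionType = if ($anyRedirectionDisabled) { [uint32]2 } else { [uint32]0 }

    $capArgs = @{
        AllowOnlySDRServers        = $false
        ClipboardDisabled          = $ClipboardDisabled
        ComputerGroupNames         = [string]::Empty
        CookieAuthentication       = $true
        DeviceRedirectionType      = $deviceRedirectionType
        DiskDrivesDisabled         = $DiskDrivesDisabled
        Enabled                    = $Enable
        #HasNapAttributes          = $false
        IdleTimeout                = [uint32]0
        Name                       = $Name
        #Order                     : 1
        Password                   = $PasswordAuthentication
        PlugAndPlayDevicesDisabled = $PlugAndPlayDevicesDisabled
        PrintersDisabled           = $PrintersDisabled
        SecureId                   = $false
        SerialPortsDisabled        = $SerialPortsDisabled
        SessionTimeout             = $SessionTimeout
        SessionTimeoutAction       = [uint32]0
        Smartcard                  = $SmartcardAuthentication
        UserGroupNames             = $UserGroupNames
    }

    # WQL string literals use backslash escapes. Escape the name so a quote or
    # backslash in it cannot break (or change the meaning of) the filter below.
    $wqlName = $Name.Replace('\', '\\').Replace('"', '\"')

    $cimClass = @{
        Namespace = 'root/CIMV2/TerminalServices'
        ClassName = 'Win32_TSGatewayConnectionAuthorizationPolicy'
    }
    try {
        $result = Invoke-CimMethod @cimClass -MethodName Create -Arguments $capArgs
        if ($result.ReturnValue -ne 0) {
            throw ('Failed creating CAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
        }
        Get-CimInstance @cimClass -Filter ('Name = "{0}"' -f $wqlName)
    } catch {
        Write-Error -ErrorRecord $_
    }
}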
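function New-RdsGwRap {
    <#
    .SYNOPSIS
        Creates an RD Gateway Resource Authorization Policy (RAP).
    .DESCRIPTION
        Calls Win32_TSGatewayResourceAuthorizationPolicy.Create and, on
        success, returns the created instance. A RAP governs WHICH internal
        hosts and ports members of UserGroupNames may reach through the
        gateway. ProtocolNames is fixed to 'RDP'.

        SECURITY: the default -ResourceGroupType 'ALL' lets the listed users
        reach any network resource through the gateway, and -PortNumbers '*'
        lifts the 3389-only restriction. Prefer 'RG'/'CG' with a named group
        and the default port unless the environment genuinely needs more.

        Failures (non-zero ReturnValue, or a missing ResourceGroupName for
        'RG'/'CG') are reported via Write-Error; the function then returns
        nothing.
    .PARAMETER Name
        Policy name. Also used, escaped, in the WQL filter that re-reads the
        created policy.
    .PARAMETER Description
        Free-text description (default empty).
    .PARAMETER Enabled
        Whether the policy is enabled on creation (default $true).
    .PARAMETER ResourceGroupType
        'RG' (RD Gateway-managed group), 'CG' (Active Directory computer
        group) or 'ALL' (any resource, the default).
    .PARAMETER ResourceGroupName
        Name of the RG/CG group; required unless ResourceGroupType is 'ALL'.
    .PARAMETER UserGroupNames
        Security group(s) the RAP applies to, passed through unmodified.
    .PARAMETER PortNumbers
        '3389' (default) or '*' for any port.
    .OUTPUTS
        Microsoft.Management.Infrastructure.CimInstance
        (Win32_TSGatewayResourceAuthorizationPolicy) on success.
    #>
    param (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [String] $Name,
        [String] $Description = [String]::Empty,
        [bool] $Enabled = $true,
        [ValidateSet('RG', 'CG', 'ALL')]
        [string] $ResourceGroupType = 'ALL',
        [string] $ResourceGroupName = [string]::Empty,
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $UserGroupNames,
        [ValidateSet('3389', '*')]
        [string] $PortNumbers = '3389'
    )

    $rapArgs = @{
        Name              = $Name
        Description       = $Description
        Enabled           = $Enabled
        ResourceGroupType = $ResourceGroupType
        ResourceGroupName = $ResourceGroupName
        UserGroupNames    = $UserGroupNames
        ProtocolNames     = 'RDP'
        PortNumbers       = $PortNumbers
    }

    # WQL string literals use backslash escapes; escape the name so a quote or
    # backslash in it cannot break (or change the meaning of) the filter below.
    $wqlName = $Name.Replace('\', '\\').Replace('"', '\"')

    $cimClass = @{
        Namespace = 'root/CIMV2/TerminalServices'
        ClassName = 'Win32_TSGatewayResourceAuthorizationPolicy'
    }
    try {
        # A group-scoped RAP without a group name cannot be meaningful; fail
        # early with a clear message instead of an opaque WMI return code.
        if ($ResourceGroupType -ne 'ALL' -and [string]::IsNullOrWhiteSpace($ResourceGroupName)) {
            throw ('ResourceGroupName is required when ResourceGroupType is {0}' -f $ResourceGroupType)
        }
        $result = Invoke-CimMethod @cimClass -MethodName Create -Arguments $rapArgs
        if ($result.ReturnValue -ne 0) {
            throw ('Failed creating RAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
        }
        Get-CimInstance @cimClass -Filter ('Name = "{0}"' -f $wqlName)
    } catch {
        Write-Error -ErrorRecord $_
    }
}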
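function Get-RdsGwCap {
    <#
    .SYNOPSIS
        Lists RD Gateway Connection Authorization Policies, or fetches one by name.
    .DESCRIPTION
        Without -Name, every Win32_TSGatewayConnectionAuthorizationPolicy
        instance is returned. With -Name, a WQL filter on Name is applied;
        quotes and backslashes in the name are escaped so they cannot break
        the query.
    .PARAMETER Name
        Exact policy name (WQL string comparison).
    .OUTPUTS
        Microsoft.Management.Infrastructure.CimInstance
        (Win32_TSGatewayConnectionAuthorizationPolicy), zero or more.
    #>
    [CmdletBinding(DefaultParameterSetName = 'list')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'Named')]
        [ValidateNotNullOrEmpty()]
        [string] $Name
    )
    $query = @{
        Namespace = 'root/CIMV2/TerminalServices'
        ClassName = 'Win32_TSGatewayConnectionAuthorizationPolicy'
    }
    if ($PSCmdlet.ParameterSetName -eq 'Named') {
        # WQL uses backslash escapes inside string literals.
        $wqlName = $Name.Replace('\', '\\').Replace('"', '\"')
        $query['Filter'] = 'Name = "{0}"' -f $wqlName
    }
    Get-CimInstance @query
}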
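function Get-RdsGwRap {
    <#
    .SYNOPSIS
        Lists RD Gateway Resource Authorization Policies, or fetches one by name.
    .DESCRIPTION
        Without -Name, every Win32_TSGatewayResourceAuthorizationPolicy
        instance is returned. With -Name, a WQL filter on Name is applied;
        quotes and backslashes in the name are escaped so they cannot break
        the query.
    .PARAMETER Name
        Exact policy name (WQL string comparison).
    .OUTPUTS
        Microsoft.Management.Infrastructure.CimInstance
        (Win32_TSGatewayResourceAuthorizationPolicy), zero or more.
    #>
    [CmdletBinding(DefaultParameterSetName = 'list')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'Named')]
        [ValidateNotNullOrEmpty()]
        [string] $Name
    )
    $query = @{
        Namespace = 'root/CIMV2/TerminalServices'
        ClassName = 'Win32_TSGatewayResourceAuthorizationPolicy'
    }
    if ($PSCmdlet.ParameterSetName -eq 'Named') {
        # WQL uses backslash escapes inside string literals.
        $wqlName = $Name.Replace('\', '\\').Replace('"', '\"')
        $query['Filter'] = 'Name = "{0}"' -f $wqlName
    }
    Get-CimInstance @query
}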
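function Remove-RdsGwRap {
    <#
    .SYNOPSIS
        Deletes an RD Gateway Resource Authorization Policy.
    .DESCRIPTION
        Invokes the Delete method on each RAP instance received (parameter or
        pipeline). ConfirmImpact is High, so a confirmation prompt is shown
        unless -Confirm:$false is given; -WhatIf is honoured.

        Removing a RAP revokes the affected users' access to the resources it
        granted; use Disable-RdsGwRap if you may need to roll back.
    .PARAMETER RdsGwRap
        Win32_TSGatewayResourceAuthorizationPolicy instance, e.g. from Get-RdsGwRap.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [ciminstance] $RdsGwRap
    )
    process {
        # process{} is required for pipeline input: without it only the LAST
        # object piped in would be bound and deleted.
        if ($PSCmdlet.ShouldProcess($RdsGwRap.Name, 'Delete RD Gateway RAP')) {
            $result = $RdsGwRap | Invoke-CimMethod -MethodName Delete
            if ($result.ReturnValue -ne 0) {
                # Message corrected: this function removes a RAP, not a CAP.
                throw ('Failed removing RAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
            }
        }
    }
}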
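function Remove-RdsGwCap {
    <#
    .SYNOPSIS
        Deletes an RD Gateway Connection Authorization Policy.
    .DESCRIPTION
        Invokes the Delete method on each CAP instance received (parameter or
        pipeline). ConfirmImpact is High, so a confirmation prompt is shown
        unless -Confirm:$false is given; -WhatIf is honoured.

        Removing a CAP revokes gateway access for the user groups it covered;
        use Disable-RdsGwCap if you may need to roll back.
    .PARAMETER RdsGwCap
        Win32_TSGatewayConnectionAuthorizationPolicy instance, e.g. from Get-RdsGwCap.
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [ciminstance] $RdsGwCap
    )
    process {
        # process{} is required for pipeline input: without it only the LAST
        # object piped in would be bound and deleted.
        if ($PSCmdlet.ShouldProcess($RdsGwCap.Name, 'Delete RD Gateway CAP')) {
            $result = $RdsGwCap | Invoke-CimMethod -MethodName Delete
            if ($result.ReturnValue -ne 0) {
                throw ('Failed removing CAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
            }
        }
    }
}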
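function Enable-RdsGwCap {
    <#
    .SYNOPSIS
        Enables one or more RD Gateway CAPs.
    .DESCRIPTION
        Thin wrapper over the private SetRdsGwCap helper (SetEnabled = $true).
        Throws when the WMI method reports a non-zero ReturnValue.
    .PARAMETER RdsGwCap
        Win32_TSGatewayConnectionAuthorizationPolicy instance(s), e.g. from Get-RdsGwCap.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $RdsGwCap
    )
    process {
        # process{} so every piped-in policy is handled, not just the last one.
        $result = $RdsGwCap | SetRdsGwCap -Enable $true
        if ($result.ReturnValue -ne 0) {
            throw ('Failed enabling CAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
        }
    }
}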
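function Disable-RdsGwCap {
    <#
    .SYNOPSIS
        Disables one or more RD Gateway CAPs.
    .DESCRIPTION
        Thin wrapper over the private SetRdsGwCap helper (SetEnabled = $false).
        Disabling rather than removing keeps the policy for later re-enable.
        Throws when the WMI method reports a non-zero ReturnValue.
    .PARAMETER RdsGwCap
        Win32_TSGatewayConnectionAuthorizationPolicy instance(s), e.g. from Get-RdsGwCap.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $RdsGwCap
    )
    process {
        # process{} so every piped-in policy is handled, not just the last one.
        $result = $RdsGwCap | SetRdsGwCap -Enable $false
        if ($result.ReturnValue -ne 0) {
            throw ('Failed disabling CAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
        }
    }
}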
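function SetRdsGwCap {
    <#
    .SYNOPSIS
        Private helper: calls SetEnabled on a CAP instance.
    .DESCRIPTION
        Not exported (the name has no Verb-Noun hyphen, so it does not match
        the module's export pattern). Returns the raw Invoke-CimMethod result
        so callers can inspect ReturnValue.
    .PARAMETER RdsGwCap
        Win32_TSGatewayConnectionAuthorizationPolicy instance(s).
    .PARAMETER Enable
        Desired Enabled state; defaults to $false when omitted.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $RdsGwCap,
        [bool] $Enable
    )
    process {
        # process{} so every piped-in policy is updated, not just the last one.
        $RdsGwCap | Invoke-CimMethod -MethodName SetEnabled -Arguments @{ Enabled = $Enable }
    }
}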
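function Enable-RdsGwRap {
    <#
    .SYNOPSIS
        Enables one or more RD Gateway RAPs.
    .DESCRIPTION
        Thin wrapper over the private SetRdsGwRap helper (SetEnabled = $true).
        Throws when the WMI method reports a non-zero ReturnValue.
    .PARAMETER RdsGwRap
        Win32_TSGatewayResourceAuthorizationPolicy instance(s), e.g. from Get-RdsGwRap.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $RdsGwRap
    )
    process {
        # process{} so every piped-in policy is handled, not just the last one.
        $result = $RdsGwRap | SetRdsGwRap -Enable $true
        if ($result.ReturnValue -ne 0) {
            throw ('Failed enabling RAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
        }
    }
}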
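function Disable-RdsGwRap {
    <#
    .SYNOPSIS
        Disables one or more RD Gateway RAPs.
    .DESCRIPTION
        Thin wrapper over the private SetRdsGwRap helper (SetEnabled = $false).
        Disabling rather than removing keeps the policy for later re-enable.
        Throws when the WMI method reports a non-zero ReturnValue.
    .PARAMETER RdsGwRap
        Win32_TSGatewayResourceAuthorizationPolicy instance(s), e.g. from Get-RdsGwRap.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $RdsGwRap
    )
    process {
        # process{} so every piped-in policy is handled, not just the last one.
        $result = $RdsGwRap | SetRdsGwRap -Enable $false
        if ($result.ReturnValue -ne 0) {
            throw ('Failed disabling RAP Policy. Returnvalue: {0}' -f $result.ReturnValue)
        }
    }
}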
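function SetRdsGwRap {
    <#
    .SYNOPSIS
        Private helper: calls SetEnabled on a RAP instance.
    .DESCRIPTION
        Not exported (the name has no Verb-Noun hyphen, so it does not match
        the module's export pattern). Returns the raw Invoke-CimMethod result
        so callers can inspect ReturnValue.
    .PARAMETER RdsGwRap
        Win32_TSGatewayResourceAuthorizationPolicy instance(s).
    .PARAMETER Enable
        Desired Enabled state; defaults to $false when omitted.
    #>
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $RdsGwRap,
        [bool] $Enable
    )
    process {
        # process{} so every piped-in policy is updated, not just the last one.
        $RdsGwRap | Invoke-CimMethod -MethodName SetEnabled -Arguments @{ Enabled = $Enable }
    }
}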
function New-RdsGwSelfSignedCertificate {
    <#
    .SYNOPSIS
        Creates a self-signed certificate on the RD Gateway and binds it.
    .DESCRIPTION
        Calls Win32_TSGatewayServer.CreateSelfSignedCertificate and pipes the
        method output into Set-RdsGwCertificate (presumably bound via the
        output's CertHash property — Set-RdsGwCertificate accepts CertHash
        by property name).

        SECURITY: a self-signed certificate is suitable for labs and testing
        only. RD clients will not trust it unless it is distributed to them;
        production gateways should bind a CA-issued certificate with
        Set-RdsGwCertificate -Thumbprint instead.

        A non-zero ReturnValue is reported as a non-terminating error via
        Write-Error.
    .PARAMETER SubjectName
        Subject name for the new certificate (typically the gateway's public FQDN).
    #>
    param (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $SubjectName
    )
    $createParams = @{
        Namespace  = 'root/CIMV2/TerminalServices'
        ClassName  = 'Win32_TSGatewayServer'
        MethodName = 'CreateSelfSignedCertificate'
        Arguments  = @{ SubjectName = $SubjectName }
    }
    try {
        $created = Invoke-CimMethod @createParams
        if ($created.ReturnValue -ne 0) {
            throw ('Failed Certificate creation. Returnvalue: {0}' -f $created.ReturnValue)
        }
        $created | Set-RdsGwCertificate
    } catch {
        Write-Error -ErrorRecord $_
    }
}
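function Set-RdsGwCertificate {
    <#
    .SYNOPSIS
        Binds a certificate from Cert:\LocalMachine\My to the RD Gateway's
        HTTPS listener.
    .DESCRIPTION
        Steps, in this order:
          1. With -Thumbprint, normalise it, locate the certificate in
             Cert:\LocalMachine\My and take its hash; with -CertHash use the
             bytes as given.
          2. If HTTP.sys already holds an SSL binding for 0.0.0.0:443
             (SslCertHash under HKLM\...\HTTP\Parameters\SslBindingInfo),
             remove that value and restart the TSGateway service so the stale
             binding is dropped. NOTE: this is a short outage, and the binding
             is shared with any other HTTP.sys consumer listening on
             0.0.0.0:443 on this host.
          3. Call Win32_TSGatewayServerSettings.SetCertificate,
             SetCertificateACL and RefreshCertContext with the hash.
        Requires local administrator rights (HKLM write, service restart,
        WMI methods). Any failure throws a terminating error.
    .PARAMETER CertHash
        Raw certificate hash bytes (what X509Certificate2.GetCertHash() returns).
        Accepted from the pipeline by value or by property name.
    .PARAMETER Thumbprint
        SHA-1 thumbprint of a certificate in Cert:\LocalMachine\My. Anything
        that is not a hex digit (spaces, colons, the invisible marks that often
        come along when copying from certmgr.msc) is stripped first; the result
        must be exactly 40 hex characters.
    #>
    [CmdletBinding(DefaultParameterSetName = 'Thumbprint')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'CertHash', ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [byte[]] $CertHash,
        [Parameter(Mandatory, ParameterSetName = 'Thumbprint', ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [ValidateNotNullOrEmpty()]
        [String] $Thumbprint
    )
    process {
        if ($PSCmdlet.ParameterSetName -eq 'Thumbprint') {
            # Normalise, then insist on a full SHA-1 thumbprint so that a
            # garbage value fails here with a clear message instead of being
            # used to build a Cert: provider path.
            $hex = $Thumbprint -replace '[^0-9A-Fa-f]', ''
            if ($hex -notmatch '^[0-9A-Fa-f]{40}$') {
                throw ('Thumbprint {0} is not a 40-character SHA-1 hex thumbprint' -f $Thumbprint)
            }
            $Cert = Get-Item -Path "Cert:\LocalMachine\My\$hex" -ErrorAction SilentlyContinue
            if (-not $Cert) {
                throw ('Certificate matching thumbprint {0} was not found' -f $Thumbprint)
            }
            $CertHash = $Cert.GetCertHash()
        }

        # Remove an existing HTTP.sys SSL binding on 0.0.0.0:443 and restart the
        # gateway so the new certificate can be bound cleanly.
        $sslBindingKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443'
        if (Get-ItemProperty -Path $sslBindingKey -Name SslCertHash -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $sslBindingKey -Name SslCertHash
            Restart-Service -Name TSGateway -Force
        }

        $settings = Get-CimInstance -Namespace root/CIMV2/TerminalServices -ClassName Win32_TSGatewayServerSettings
        $hashArg  = @{ CertHash = $CertHash }

        $setCert = $settings | Invoke-CimMethod -MethodName SetCertificate -Arguments $hashArg
        if ($setCert.ReturnValue -ne 0) {
            throw ('Failed assigning generated Certificate. Returnvalue: {0}' -f $setCert.ReturnValue)
        }
        $setAcl = $settings | Invoke-CimMethod -MethodName SetCertificateACL -Arguments $hashArg
        if ($setAcl.ReturnValue -ne 0) {
            throw ('Failed assigning ACL to generated Certificate. Returnvalue: {0}' -f $setAcl.ReturnValue)
        }
        $refresh = $settings | Invoke-CimMethod -MethodName RefreshCertContext -Arguments $hashArg
        if ($refresh.ReturnValue -ne 0) {
            throw ('Failed refreshing context for generated Certificate. Returnvalue: {0}' -f $refresh.ReturnValue)
        }
    }
}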
function Enable-RdsGwServer {
    <#
    .SYNOPSIS
        Runs Win32_TSGatewayServerSettings.Configure on the local RD Gateway.
    .DESCRIPTION
        Throws a terminating error when the method's ReturnValue is non-zero.
        Unlike the New-* functions, the error is not downgraded to Write-Error.
    #>
    $settings = Get-CimInstance -Namespace root/CIMV2/TerminalServices -ClassName Win32_TSGatewayServerSettings
    $outcome  = $settings | Invoke-CimMethod -MethodName Configure
    if ($outcome.ReturnValue -ne 0) {
        throw ('Failed configuring Rds GW. Returnvalue: {0}' -f $outcome.ReturnValue)
    }
}
function Get-RdsGwServerConfiguration {
    <#
    .SYNOPSIS
        Returns the local RD Gateway's Win32_TSGatewayServerSettings instance.
    .OUTPUTS
        Microsoft.Management.Infrastructure.CimInstance (Win32_TSGatewayServerSettings).
    #>
    $query = @{
        Namespace = 'root/CIMV2/TerminalServices'
        ClassName = 'Win32_TSGatewayServerSettings'
    }
    Get-CimInstance @query
}
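# Explicit export list instead of the wildcard '*-RdsGw*': the public surface
# of the module is visible at a glance, and a function added later is not
# exported by accident. The helpers SetRdsGwCap and SetRdsGwRap stay private.
Export-ModuleMember -Function @(
    'New-RdsGwCap'
    'New-RdsGwRap'
    'Get-RdsGwCap'
    'Get-RdsGwRap'
    'Remove-RdsGwRap'
    'Remove-RdsGwCap'
    'Enable-RdsGwCap'
    'Disable-RdsGwCap'
    'Enable-RdsGwRap'
    'Disable-RdsGwRap'
    'New-RdsGwSelfSignedCertificate'
    'Set-RdsGwCertificate'
    'Enable-RdsGwServer'
    'Get-RdsGwServerConfiguration'
)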