Data not available in Azure Migrate for web app on DMZ server(s)

Simon Windeler 20 Reputation points
2024-10-23T14:03:44.8533333+00:00

Trying to collect web app data from IIS servers in a DMZ. The DMZ network has its own domain that is trusted with the production domain. The Azure Migrate box isn't connected to the domain; we've recently created another appliance in the DMZ network and get the same error. Software inventory is fine.

Error message

Unable to connect to server "" due to an error. The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts.

Azure Migrate

1 answer

  1. SadiqhAhmed-MSFT 49,326 Reputation points Microsoft Employee Moderator
    2024-10-23T18:40:00.79+00:00

    @Simon Windeler Thank you for contacting us!

    The error message you're encountering suggests issues with the Windows Remote Management (WinRM) configuration, especially in a multi-domain environment with a DMZ.

    First, you need to resolve WinRM connection issues:

    • Ensure that WinRM is properly configured on the IIS servers in the DMZ.
    • Run the following command on the IIS server to check the current WinRM configuration:
        winrm get winrm/config

    Secondly, set up TrustedHosts:

    • Since the Azure Migrate appliance is not joined to the domain, you need to add the IIS server(s) to the TrustedHosts list.
    • On the Azure Migrate appliance (or any management server trying to connect), run:
        winrm set winrm/config/client '@{TrustedHosts="IIS_Server_IP"}'
    • You can replace IIS_Server_IP with the actual IP address of your IIS server. If you have multiple servers, separate them with commas (e.g., "Server1_IP,Server2_IP").

    If your authentication scheme requires it, configure WinRM to use HTTPS. This can enhance security and is often required when dealing with machines not in the same domain.

    To configure HTTPS:

    • First, ensure that a valid SSL certificate is installed on the IIS server.
    • Then, run the following command on the IIS server to enable HTTPS for WinRM:
        winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="IIS_Server_FQDN";CertificateThumbprint="YOUR_CERT_THUMBPRINT"}'

    Replace IIS_Server_FQDN with the fully qualified domain name of the IIS server and YOUR_CERT_THUMBPRINT with the thumbprint of the SSL certificate.

    Ensure that the firewall on the IIS server allows traffic on the WinRM ports (default is 5985 for HTTP and 5986 for HTTPS). Also, check any network firewalls between the Azure Migrate appliance and the DMZ IIS servers.

    Hope these steps help resolve your issue. If the problem persists, check the WinRM logs for any additional error messages. The logs are typically located in the Event Viewer under Applications and Services Logs > Microsoft > Windows > WinRM.


    If the response helped, do "Accept Answer" and up-vote it
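
An added example (not part of the answer above and not Microsoft's code): a PowerShell check to run elevated on the Azure Migrate appliance that probes the WinRM ports named in the answer, prefers the HTTPS listener, and appends a server to TrustedHosts only when HTTP is the sole working transport, rather than overwriting the list. The server names are constructed placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the Azure Migrate appliance.
# Server names are constructed placeholders; replace them with your DMZ IIS servers.
$servers = @('iis01.dmz.example', 'iis02.dmz.example')

$trustedHosts = 'WSMan:\localhost\Client\TrustedHosts'
$before = (Get-Item $trustedHosts).Value
Write-Host "TrustedHosts before: '$before'"
if ($before -eq '*') {
    # Hosts matched by TrustedHosts are not mutually authenticated.
    Write-Warning "TrustedHosts is '*'; consider narrowing it to named hosts."
}

$cred = Get-Credential -Message 'Account with admin rights on the IIS servers'

function Test-Port([string]$Server, [int]$Port) {
    (Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

foreach ($server in $servers) {
    $http  = Test-Port $server 5985
    $https = Test-Port $server 5986
    Write-Host "$server  5985/HTTP=$http  5986/HTTPS=$https"

    if ($https) {
        # HTTPS listener: the server is identified by its certificate, so no
        # TrustedHosts entry is needed. Use the FQDN that is on the certificate.
        try {
            Test-WSMan -ComputerName $server -UseSSL -Authentication Negotiate `
                -Credential $cred -ErrorAction Stop | Out-Null
            Write-Host "  WinRM over HTTPS: OK"
            continue
        } catch { Write-Warning "  WinRM over HTTPS failed: $($_.Exception.Message)" }
    }
    if ($http) {
        # -Concatenate appends this host; 'winrm set' would replace the whole list.
        if (($before -split ',') -notcontains $server) {
            Set-Item $trustedHosts -Value $server -Concatenate -Force
        }
        try {
            Test-WSMan -ComputerName $server -Authentication Negotiate `
                -Credential $cred -ErrorAction Stop | Out-Null
            Write-Host "  WinRM over HTTP with TrustedHosts entry: OK"
        } catch { Write-Warning "  WinRM over HTTP failed: $($_.Exception.Message)" }
    } elseif (-not $https) {
        Write-Warning "  Neither WinRM port is reachable; check host and network firewalls."
    }
}
Write-Host "TrustedHosts after: '$((Get-Item $trustedHosts).Value)'"
```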
