views: 197
answers: 2

Scenario: third-party admins want to administer systems via PS remoting/direct login of clients and servers behind NAT gateways.

The systems are SBS 2003 or W2K3. All are behind NAT firewalls with varying RFC1918 subnets and no site-to-site VPNs (although a solution would likely require this). Each site has its own unrelated AD setup.

The third-party admin network (also behind a NAT) has no trusts with the target sites (obviously SBS sites have this problem by default). It seems VPNs have problems if the same RFC1918 subnet address range is used on both sides.

Name resolution across the VPN would be a prerequisite. Advice?

Is there some "reflection" approach (similar to Ultra VNC) that would serialize PS objects and pass them through NATs without requiring router reconfiguration? Or is port forwarding to SSH or similar required, with direct remote logins? Can any of this be accomplished or automated without use of a mouse?

What .NET remoting approaches might help solve this problem?

The nsoftware PowerShell Server solution works for SSH, it seems, but only where machines are publicly addressable, and it was also discounted due to its per-CPU licensing scheme. Are there other similar alternatives to it?

A: 

You're probably best off finding a way to tunnel to a single machine, and then hop from there to the machines you want to administer. You'd need to forward a port to that first machine.

Your network security people should be very concerned about this machine; if they're not, they don't know their jobs.

My first approach would be to use PowerShell V2's remoting for both hops.

Jay Bazuzi
A: 

I concur with @JayBazuzi. PowerShell V2 (currently in CTP3) uses WinRM, which can be configured to work over HTTPS (really any port you choose), thus working through firewalls and NATs.


James Pogran
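An added example of what both answers describe (a single forwarded jump host reached over WinRM HTTPS, then a second PowerShell remoting hop from it to the site's servers). This is not code from either answer; the host names `jump.example.com` and `192.168.10.5`, the port numbers and the certificate subject are assumptions for illustration:

```powershell
# ---- On the jump host (run once, elevated). Assumed: the NAT router forwards
# TCP/5986 to this machine, and a certificate with subject CN=jump.example.com
# (the name the third-party admins will connect to) is installed in LocalMachine\My.
Enable-PSRemoting -Force

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=jump.example.com' } |
    Select-Object -First 1

# Add an HTTPS listener bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force

# Remove the plain-HTTP listener so only TLS is reachable through the forwarded port.
winrm delete winrm/config/Listener?Address=*+Transport=HTTP

# Open the local firewall for the HTTPS listener (netsh works on Server 2003/2008 too).
netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in action=allow protocol=TCP localport=5986

# The inner servers live in an unrelated AD with no trust and may only be reachable
# by IP (the name-resolution prerequisite from the question). WinRM refuses NTLM
# to a non-trusted name/IP unless it is listed in TrustedHosts on the client side,
# i.e. here on the jump host. Keep the list to the specific hosts, never '*'.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.168.10.5' -Force

# ---- On the third-party admin workstation.
$jumpCred  = Get-Credential -Message 'Account on the jump host'
$innerCred = Get-Credential -Message 'Account valid in the target site AD'

# First hop: HTTPS to the forwarded port. Default session options still validate the
# certificate chain and CN; the jump host's cert must be trusted by this workstation.
$jump = New-PSSession -ComputerName jump.example.com -Port 5986 -UseSSL -Credential $jumpCred

# Second hop, executed on the jump host. The first-hop credentials cannot be forwarded
# (the "double hop" restriction), so a separate credential object is passed in
# explicitly for the inner Invoke-Command.
Invoke-Command -Session $jump -ArgumentList $innerCred -ScriptBlock {
    param($cred)
    Invoke-Command -ComputerName 192.168.10.5 -Credential $cred -ScriptBlock {
        # Example administrative query on the SBS/W2K3 box: newest System-log errors.
        Get-EventLog -LogName System -EntryType Error -Newest 5
    }
}

Remove-PSSession $jump
```

Objects returned by the inner command are serialized back across both hops as deserialized PSObjects, so property values are available but methods are not. The jump host is the single machine the first answer warns about: it holds TrustedHosts entries and receives credentials for every site, so restrict who can log on to it and which source addresses the router forwards to it.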