I'm trying to create a set of command and control scripts for devices and sensors located in various geographic areas. Unfortunately, each site has limited connectivity and requires access through a jump server. I've found that PSSession is blocked unless I'm connecting directly from that specific jump server. My question is, can I initiate a PSSession to each of my jump servers and then run additional PSSession or Invoke-Command commands to the remote machines through those jump servers?
4 Answers
There are several approaches, but each comes with its own considerations. For example, you could use SSH for authentication, which supports jump hosts but bypasses the Kerberos double hop issue—just keep in mind that you need PowerShell 7 or later. Alternatively, configuring CredSSP authentication can eliminate the double hop problem since it passes your credentials directly, though that can introduce risks if mishandled. Lastly, you might consider trusting specific hosts to tackle double hop issues, but that requires a solid security setup.
Before you dive in, it might help to test it out. What happened when you tried this setup? Sometimes just experimenting can clarify whether it’s feasible. Just a heads up, though, you might run into double hop issues, which are a common concern in setups like this.
It worked in my lab, but I suspect the network circumstances might be different in production. I’m also considering simplifying the process by running scripts directly from the jump servers instead of trying to manage sessions in a session.
I think there are a couple of straightforward solutions here:
1. Use JEA (Just Enough Administration) to set up a session endpoint on your jump servers with specific credentials. Just invoke it with the -ConfigurationName parameter.
2. If you're set on passing credentials, make sure to use $using: or block parameters—but again, be cautious about needing actual plaintext credentials at some point.
Avoid making major domain changes unless absolutely necessary.
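As an added example (not code posted in this thread), here is what the JEA suggestion above looks like end to end: a restricted endpoint on the jump server whose only visible command performs the second hop itself, which the operator reaches with -ConfigurationName and feeds via $using:. The names JUMP01, CORP\SensorOperators, SensorOps, SensorAgent and the sensor hostnames are assumptions, as is the requirement that the sensor hosts grant WinRM access to JUMP01's computer account (the network identity of a JEA virtual account).

```powershell
# Added example, not code from the thread. Assumptions: jump server 'JUMP01', operator
# group 'CORP\SensorOperators', and sensor hosts that allow WinRM from JUMP01's
# computer account. Run section 1 on JUMP01 as an administrator; section 2 from the
# operator's workstation.

# 1. Module folder that holds the role capability (JEA looks for *.psrc here).
$ModuleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SensorOps'
New-Item -ItemType Directory -Path (Join-Path $ModuleRoot 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot 'SensorOps.psd1')

# The only thing operators can do is call this function. It performs the second hop
# itself under the virtual account, so the operator's credential is never forwarded.
$SecondHop = {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^sensor-[a-z0-9]+\.site\d+\.corp$')]   # constrain reachable targets
        [string[]] $Sensor
    )
    Invoke-Command -ComputerName $Sensor -ScriptBlock {
        Get-Service -Name 'SensorAgent' | Select-Object PSComputerName, Status
    }
}
New-PSRoleCapabilityFile -Path (Join-Path $ModuleRoot 'RoleCapabilities\SensorOperator.psrc') `
    -FunctionDefinitions @{ Name = 'Get-SensorAgentStatus'; ScriptBlock = $SecondHop }

# Restricted endpoint: NoLanguage, virtual account (no stored credentials), transcripts.
$Pssc = Join-Path $env:TEMP 'SensorOps.pssc'
New-PSSessionConfigurationFile -Path $Pssc -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\Transcripts\SensorOps' `
    -RoleDefinitions @{ 'CORP\SensorOperators' = @{ RoleCapabilities = 'SensorOperator' } }
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) { throw "Invalid .pssc: $Pssc" }
Register-PSSessionConfiguration -Name 'SensorOps' -Path $Pssc -Force | Out-Null

# 2. Operator side: the first hop targets the JEA endpoint via -ConfigurationName,
#    $using: carries the operator's variable in, and the endpoint function does hop two.
$Targets = 'sensor-a.site1.corp', 'sensor-b.site1.corp'    # constructed sample hosts
Invoke-Command -ComputerName 'JUMP01' -ConfigurationName 'SensorOps' -ScriptBlock {
    Get-SensorAgentStatus -Sensor $using:Targets
}
```

The transcript directory records every call made through the endpoint, which gives the jump server an audit trail of who queried which sensor.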
To make it work, you might need to rethink how user credentials are handled. Instead of using interactive prompts, try passing credentials directly into your remote session. Just be aware of any company policies that might restrict this kind of operation—if you're unsure, it may not be worth the risk.
You're not wrong about the double hop issue—it can complicate things for sure.