A web-server Internet Information Service in Windows 2016 / 2012 / R2, like previous IIS versions, can be managed remotely. In fact, it is convenient enough to manage multiple IIS servers from a single console, and it is almost the only way to manage a web server running in the Core / Nano mode. However, by default the remote IIS management is disabled, and if you try to add a remote server with the running IIS to the IIS Management Console (Connect to a Server menu) on another server, the following error message appears:
Details: Unable to connect to the remote server
Installing IIS Management Service
The matter is that during the standard IIS installation the service responsible for its remote management (IIS Management Service) is not installed. You can make sure that this service is missing in the system using the following Powershell command:
As you can see, the Web-Mgmt-Service service is not installed. Install it by execute the following Powershell command with local admin permissions:
Or you can use:
You can also install the Management Service component from the Server Manager console.
Then restart the IIS web service:
The next step is to allow remote connections in the IIS web server settings. To do it, open Management Service item in the Management section of IIS Manager.
Check the «Enable remote connections» option in Management Service section.
Here you can restrict connections to the IIS Management Console by IP address. To do it, deny connections for unspecified clients (Access for unspecified clients: Deny) and specify IP address/ IP subnets for which the connections is allowed. The remote connection service uses an SSL certificate, but you can use another one if you imported it into the server’s certificate store (you can create and use a self-signed SSL certificate using PoSh). Save the changes.
Reg Add HKLM\Software\Microsoft\WebManagement\Server /V EnableRemoteManagement /T REG_DWORD /D 1
In this case you have to create the firewall rule manually:
netsh advfirewall firewall add rule name=”Allow IIS Web Management” dir=in action=allow service=”WMSVC”
Now you just have to start Web Management Service:
net start wmsvc
And configure the service to start automatically when the system starts up:
set-service wmsvc -StartupType Automatic
Or as follows:
sc config WMSVC start= auto
After that, a remote IIS web server can be added to the IIS Manager console and you can manage the IIS server, multiple sites on it the same way as the local web server.
Allow Non-Admin accounts to Remotely Manage the IIS Site
By default, only users with administrator privileges have the permission to remotely manage the IIS server. In order to grant the permission to IIS remote management for standard users, it is necessary to grant the corresponding permissions at the level of each IIS website. Select a site and find the IIS Manager Permissions option.
In the Actions panel, click on Allow User. Select the user account to which you want to grant access to IIS and click OK.
User permissions to manage sites on IIS server are configured in the Feature Delegation section at the IIS server level.
You can select one of three user access levels for each IIS server management functional: Read Only, Read/Write or Not Delegated.
How to Manage IIS Servers Remotely from Windows 10
If you need to remotely manage IIS servers from a client desktop with Windows 10 (Windows 7 or 8.1), you need to install the IIS Management Console from: Turn Windows features on or off – Internet Information Services -> Web Management Tools -> IIS Management Console.
You can install this feature using the PowerShell command:
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-ManagementService"
However, when you run the IIS Manager console in Windows 10, the Connect to a server item in the menu is missing.
To be able to connect remotely to IIS from Windows 10, you need to download and install the package IIS Manager for Remote Administration (https://www.microsoft.com/en-us/download/details.aspx?id=41177).
After installation, you need to restart the IIS Manager and connect to the site. If, when connecting to IIS, it turns out that the console version is different on the client and the server, a notification will appear about the need to update the console version (all necessary files will be automatically downloaded from the server).
Now you must successfully connect to your IIS server and remotely manage it from your desk.
IIS Remote Management and TLS 1.1 / TLS 1.2 Support
If you have disabled the unsecure SSLv3 and TLS 1.0 protocols on IIS and left only TLS 1.1/ TLS 1.2, then when remotely connecting to IIS, an error will appear:
The underlying connection was closed: An unexpected error occurred on a send.
To fix the problem it is necessary to make changes in the registry on the client side, for the mandatory use of the TLS 1.2 protocol during connection. Settings depend on the version of Windows.
Windows 10 and Windows Server 2016:
Windows 2012/ R2 and Windows 8/8.1:
NET Framework 4.5.2 or higher must be installed (how to check which versions of the NET Framework are installed).
Windows Server 2008 R2 / Windows 7:
You must first install the update KB3154518 to support TLS 1.2 in the .NET Framework 3.5.1.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]"SystemDefaultTlsVersions"=dword:00000001[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]"SystemDefaultTlsVersions"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]"DisabledByDefault"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]"DisabledByDefault"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]"DisabledByDefault"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]"DisabledByDefault"=dword:00000000