- Create a certificate-signed RDP shortcut via Group Policy - Fri, Aug 9 2019
- Monitor web server uptime with a PowerShell script - Tue, Aug 6 2019
- How to build a PowerShell inventory script for Windows Servers - Fri, Aug 2 2019
Setting up IIS on a Windows Server installs a PowerShell module called WebAdministration and creates the IIS PowerShell drive. Using both of these items lets us create, read, modify, and remove IIS bindings with PowerShell. To demonstrate this, you'll first either need to RDP to the web server directly and open up a PowerShell console or use PowerShell remoting to connect to a remote session. Since I'm not up for RDPing to a server, I'll connect to my web server via PowerShell remoting.
$computerName = 'SRV1' $credential = Get-Credential Enter-PSSession -ComputerName $computerName -Credential $credential
Once connected to my session, I'll then need to import the WebAdministration module gained when installing the Web-Server Windows feature.
Querying web bindings
Once authenticated, I'm ready to get started. First, since a binding is no good without a website, I'll first ensure I can query my default website using the Get-Website cmdlet.
Get-Website -Name 'Default Web Site' Name ID State Physical Path Bindings ---- -- ----- ------------- -------- Default Web Site 1 Stopped %SystemDrive%\inetpub\wwwroot http *:80:
After I confirm I have a website available, I now need to investigate the bindings on that site. By default, you can only see the string output of the Bindings property when using Get-Website. We need to get some further information about this so I'll pipe the output to Select-Object and use the ExpandProperty parameter to see whether there's more information about bindings available if needed.
I can also approach this task of finding web bindings by using the Get-WebBinding command as well. This command will only return information about the bindings attached to a site rather than returning lots of other site information.
PS C:\> Get-WebBinding -Name 'Default Web Site' protocol bindingInformation sslFlags -------- ------------------ -------- http *:80: 0
The information returned from Get-WebBinding is the same information as what's in the Collection property inside the binding property from the output that Get-Website returns.
PS> (Get-Website -Name 'Default Web Site').bindings.Collection protocol bindingInformation sslFlags -------- ------------------ -------- http *:80: 0
Changing web bindings
Once we've confirmed attachment of a binding to a site, we can modify it and use the Set-WebBinding command. This command allows you to specify the website name using the Name parameter, the binding information, and the binding property you'd like to change. In the example below, I'm changing the binding attribute for my Default Web Site from port 80 to port 81.
Set-WebBinding -Name 'Default Web Site' -BindingInformation "*:80:" ‑PropertyName Port -Value 81
I can then verify this change using Get-WebBinding.
Get-WebBinding -Name 'Default Web Site' protocol bindingInformation sslFlags -------- ------------------ -------- http *:81: 0
As you probably already know, you can have multiple bindings attached to a single site. Using Set-WebBinding only modifies existing bindings. To create new bindings, we need to use the New-WebBinding cmdlet that allows you to point to a specific website name, provide the protocol, port, and other information to create a binding that fits your needs.
Below you can see I'm creating a new binding that binds HTTP to port 82. I'm then reading the web binding using Get-WebBinding to ensure the default website returns both bindings.
New-WebBinding -Name 'Default Web Site' -Protocol http -Port 82 Get-WebBinding -Name 'Default Web Site' protocol bindingInformation sslFlags -------- ------------------ -------- http *:81: 0 http *:82: 0
You've been working with HTTP bindings only, but IIS also has SSL bindings you need to manage periodically. Luckily, we can perform all the same actions on SSL bindings as we do on HTTP bindings.
To work with SSL bindings, we'll use the IIS PowerShell drive instead of the cmdlets to show you a different approach.
Let's say I have a certificate installed on my web server, and I want to bind that certificate to my Default Web Site. To do this, I'd first need to read the certificate. I can do this with PowerShell by reading the certificate from the Cert: drive.
PS> $cert = Get-ChildItem cert:\localmachine\my PS> $cert PSParentPath: Microsoft.PowerShell.Security\Certificate::localmachine\my Thumbprint Subject ---------- ------- BD34F8866D09803C7049F296ED3580355B220B78 OU=Testing, CN=SRV1
Once I have assigned the certificate to a variable, I then need to create the binding information string. Notice I'm using SSLBindings in the path. In the example below, I plan to bind the certificate to listen on all IP addresses bound to port 445.
$bindingInfo = "IIS:\SSLBindings\*!445"
Finally, I can pipe the certificate I just gathered to the SSLBindings object I retrieved above to create the SSL binding.
Subscribe to 4sysops newsletter!
$cert | Set-Item -Path $bindingInfo
PowerShell's WebAdministration module and IIS drive are great resources to use when needing to automate or manage IIS web bindings via the command line.
Join the 4sysops PowerShell group!
Your question was not answered? Ask in the PowerShell forum!
this is good stuff! you rock dude!
This is a life saver !! Great write-up for a beginner PS person
What if you have multiple sites and you want each their own cert?
You need to have a unique combination of IP & Port to manage multiple SSL sites on the server. So, you can bind multiple IP's first, or you can use a separate port for the SSL traffic for each site.
So, you would use multiple New-WebBinding commands for each site (ip/port).
I'm trying to use the Set-WebBinding command to just change the IP address of the binding. Very similar to your changing the port from 80 to 81. No matter what I try it fails.
I am running into the same issue. Any solutions for this?
I am RDP'd into my windows 2016 .net core server. None of the iis binding commands are found. I get the error, e.g.: The term 'get-iissitebinding' is not recognized as the name of a cmdlet, function, script file, or operable program.
If I following some other instructions found on i-net, I get following: WARNING: Module webadministration is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell please use 'Import-Module -SkipEditionCheck' syntax.
If I use the -skipeditioncheck I get: Import-Module: Could not load type 'System.Management.Automation.PSSnapIn' from assembly 'System.Management.Automation, Version=220.127.116.11, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
The only way that seems to work is to enter a pssession even while RDP's in and use the commands above. It works and doesn't require credentials so it's OK. But does that sound right that you can only perform iis admin from a remote session?
you need to import the webadministration module first
run this command
You need to import your IISAdministration module. That should create the PSDrive for you.
Turns out I was wrong.. it's the webadministration module that creates the PSDrive, not the newer IISAdministration module.