VSTS Task: Windows Machine File Copy: system error 53


I'm trying to make a release from VSTS to a VM (running on AWS) that is running IIS. For that I use three tasks.

  1. Windows Machine File Copy
  2. Manage IIS App
  3. Deploy IIS App

Before the release I'm running a build pipeline that gives me an artifact containing the web app (webapp.zip). When I manually put it on the server I can run steps 2 and 3 of my release and the application works. The problem I have is that I can't get the Windows Machine File Copy to work. It always throws an exception giving a 'System Error 53: The network path was not found'. Of course the machines are not domain joined, because I'm running my release on VSTS and need the files on an AWS VM. I tried to open port 445 (for file sharing) and made sure the user has rights for the destination path on the target machine. So my question is: how can I actually move the files from VSTS to the AWS VM if the two machines are not joined?

3

There are 3 answers

2
starian chen-MSFT On BEST ANSWER

Use the FTP Upload or cURL Upload step/task instead.

Regarding how to create FTP site, you can refer to this article: Creating a New FTP Site in IIS 7.

2
MrHinsh - Martin Hinshelwood On

Windows File Copy is designed to work on the same network and enabling it on the internet would open your server for hacking. It's designed for internal networks. FTP would also result in a significant security risk unless managed properly.

The easiest way to move forward would be to run an Agent on the VM in AWS that you want to release to. The agent will then download the artifacts to the AWS VM and run whatever tasks you need to install.

This allows you to run tasks on the local machine without opening it up to security risks.

If you had multiple machines that you need to manage in AWS you can easily create a local network that will allow your single agent to use Windows File Copy to push files to multiple VMs without risk.

6
Luca Cappa On

Disclaimer: this answer merely explains how to fulfill the requirements to use the Windows Machine File Copy task and the Manage/Deploy IIS tasks. Please always be concerned about the security of your target hosts; their hardening and security assessment are absolutely necessary.

As noted in the comments, you need to protect the deployment channel from the outside world; here is a high-level example:

Protect your deployment channel


Answer: in order to use the Windows Machine File Copy task you need to:

  • on the target machine (the one running IIS) enable File and Printer Sharing by running the following command from an administrative command prompt:

    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
  • ensure that PowerShell 4 or more recent is installed on the target machine; the following, executed from a PS command prompt, prints the version installed on the local machine:

    PS> $PSVersionTable.PSVersion

    To get PowerShell 5 you could, for example, install WMF 5;

  • on the target machine you must have installed .NET Framework 4.5 or more recent;

For the other two tasks (Manage/Deploy IIS Task), both require you to enable a WinRM HTTPS listener on the target machine. For a development deployment scenario you could follow these steps:

  • download the ConfigureWinRM.ps1 PowerShell script from the official VSTS Tasks GitHub repository;

  • from an administrative PowerShell command prompt, enable the RemoteSigned PowerShell execution policy:

    PS> Set-ExecutionPolicy RemoteSigned
  • run the script with the following arguments:

    PS> .\ConfigureWinRM.ps1 FQDN https

Note that FQDN is the complete domain name of your machine as it is reached by the VSTS task, e.g. myhostname.domain.example. Note also that this script downloads two executables (makecert.exe and winrmconf.cmd) from the Internet, so this machine must have an Internet connection. Otherwise just download those two files, place them next to the script, and comment out the Download-Files invocation in the script.

Now you have enabled a WinRM HTTPS listener with a self-signed certificate. Remember to use the "Test Certificate" option (which ironically means to not test the certificate; a better name would have been "Skip CA Check") for those two tasks.

In a production deployment scenario you may want to use a properly signed certificate instead.
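
The prerequisites listed in the answer above can be checked in one pass on the target machine. The following is an added example, not part of the original answers or of the VSTS tasks; it assumes an elevated prompt on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), and the function name `Test-DeployPrerequisites` is hypothetical. It also reports whether the enabled SMB rule accepts connections from any remote address, which is the exposure the second answer warns about.

```powershell
# Added example: pre-flight check for the File Copy and IIS task prerequisites.
# Run from an elevated PowerShell prompt on the target machine.
function Test-DeployPrerequisites {
    $results = [ordered]@{}

    # PowerShell 4 or more recent
    $results['PowerShell >= 4'] = $PSVersionTable.PSVersion.Major -ge 4

    # .NET Framework 4.5 or more recent (Release value 378389 corresponds to 4.5)
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -Name Release -ErrorAction SilentlyContinue
    $results['.NET Framework >= 4.5'] = ($null -ne $ndp) -and ($ndp.Release -ge 378389)

    # File and Printer Sharing: an enabled inbound rule covering TCP 445 (SMB)
    $smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
    $results['SMB inbound rule enabled'] = [bool]$smbRules

    # Exposure check: an enabled SMB rule whose remote address is 'Any'
    # accepts connections from every source the network path lets through.
    $open = $smbRules |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    $results['SMB rule limited to specific remote addresses'] = [bool]$smbRules -and -not $open

    # WinRM HTTPS listener, needed by the Manage/Deploy IIS tasks
    $https = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    $results['WinRM HTTPS listener present'] = [bool]$https

    $results
}

Test-DeployPrerequisites | Format-Table -AutoSize
```

A `False` on the remote-address line means the Windows firewall is not restricting who can reach SMB, so any restriction has to come from the network in front of the VM.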