Hi Roland,
That depends of how you configure it. I’am using the ca proxy feature, so the script does not need to reach any server at all.
As soon as I deploy the Host configuration with the director, the master or satellite will connect to the agent and the host will appear in ‘icinga2 ca list’ with his csr. After it is signed on the master, I need to restart the agent once (looks like there is a bug) because the signed certificate does not work before the Agent is restarted.
Additional my deploymentscript will check some information on the windows server and auto create the host with with the director api on a special port, where only some requests are allowed. For this to work, this port needs to be reachable for every server. This way the windows admin can add there hosts completly autonomous (sadly, this restart thing is in the way at the moment :)) But this has nothing to do with the framework, as it looks like its not possible to add custom vars with the self service api (as far as i know).
To clarify: Icinga Powershell Module and Powershell framework are completely different things.
More information about the framework can be found here: A modest attempt to Monitor Windows Service in services.msc