Since the 15th of this month Microsoft Assessment Planning (MAP)Toolkit 6.0 is available for download.

Usually MAP is being deployed in an environment behind a TMG which can include domains and workgroups. The setup of MAP is pretty straight forward. Just read the Getting Started Guide and you are on your way.

But what if you have an environment with a perimeter network which also needs to be assessed by MAP? The Getting Started Guide talks about firewalls but these are the local firewalls on your servers and clients. How will you be able to also assess those computer objects in the perimeter network?

But before continuing let’s first introduce MAP.

“MAP is an agentless, automated, multi-product planning and assessment tool for quicker and easier desktop and server migrations. MAP provides detailed readiness assessment reports and executive proposals with extensive hardware and software information, and actionable recommendations to help organizations accelerate their IT infrastructure planning process, and gather more detail on assets that reside within their current environment. MAP also provides private and public cloud planning assessments, and server utilization data for Hyper-V server virtualization planning; identifying server placements, and performing virtualization candidate assessments, including ROI analysis for server consolidation with Hyper-V.”

More details of what you can do with MAP can be found here.

There are basically two scenarios’ that can be applied (nutshell versions):

  1. You install and configure MAP in the perimeter network and one in the trusted network. Run MAP once in each network, combine the results and voila a complete MAP assessment is done.
  2. Or you install one MAP, configure your TMG to allow MAP related traffic between the internal and perimeter network and in the end you will have one complete MAP assessment.

Both scenarios’ may have some pros and cons, but that is not what I want to share with you. What I want to share with you is the rule you need to make in TMG to allow the MAP traffic to communicate between the internal network and the perimeter network.

Assume you have a 3-leg-network like the picture below.

clip_image001

MAP would be located in the internal network, the computer objects you want to scan in the perimeter network.

The basics of the rule are explained in the Getting Started Guide. This guide includes an appendix called “Prepare Your Environment to Run the MAP Toolkit”, page 19. In this appendix a number of requirements are explained that you need to implement before you can run MAP successfully including a number of protocols with port numbers. These protocols are:

  • 135, epmap – DCE endpoint resolution
  • 137, netbios-ns – NETBIOS Name Service
  • 138, netbios-dgm – NETBIOS Datagram Service
  • 139, netbios-ssn – NETBIOS Session Service
  • 445, microsoft-ds – Microsoft-DS

Source IANA and the MAP Getting Started Guide.

Okay, now let’s configure this rule in TMG! What you are going to do is to create an access rule which allows the MAP network traffic to go from the internal network to the perimeter network.

Before you start make the following Toolbox of TMG. First you start with making a computer object which will be representing the MAP server. In my case my server is called MAP! Then you are going to make a user defined protocol with port number 1026. When creating these objects leave all the settings on all tabs on default. No extra’s need to be done on these objects. I needed to do this otherwise MAP wouldn’t successfully assess the server. Take a close look at the monitoring of TMG if this port or any other port is needed besides the ones in the Getting Started Guide.

Okay, when finished you will have the following.

clip_image002 clip_image003

You are now ready to start configuring the Access Rule. So click on Create Access Rule in the Tasks on the right side and start configure this rule! Here are some useful screen dumps!

clip_image004

Expected more?

Okay one more. The screen dump below is when you finished configuring the access rule and call the properties of this rule. The checkbox needs to be unchecked. By default TMG enforces strict RPC security on all firewall rules and on the system policy. We need to loosen this security some in order for MAP traffic to flow between the MAP server and the perimeter network through the firewall. This needs to be done on the MAP access rule.

clip_image005

When all is done you will end up with the access rule as shown in the image below.

clip_image006

You are now set and able to use MAP, which will be in your internal network, to communicate with the computer objects in the perimeter network!

Enjoy assessing and planning!