Solved

CRM 4.0 IFD - From The Beginning Please

Posted on 2011-04-18
Last Modified: 2012-05-11
Hi All,

Please help me.  I have a functioning CRM 4.0 deployment.  I need to get it set up as IFD.  I've read the document that goes with the config tool, but I'm stuck already.

Do I need to set up the CRM server with a public IP?

If so, how do I do that?

The desired outcome is for internal and external users to be able to access CRM and have it access over HTTPS.

Let's start here and we'll go from there.  Thanks!
0
Question by:DustinEWright
32 Comments
 
LVL 33

Expert Comment

by:Paul Sauvé
ID: 35419809
If the desired outcome is for internal and external users to be able to access CRM and have it access over HTTPS, then you MUST find a host with enough bandwidth for access by the estimated number of simultaneous users. Also, you should have an idea of the number of monthly users to estimate the bandwidth you will be required to pay for per month.

Here is a detailed article on how to deploy CRM 4.0 with IFD: Configuring Microsoft Dynamics CRM 4.0 for Internet-facing deployment
0
 

Author Comment

by:DustinEWright
ID: 35420988
Let's try this again.  I have my CRM deployment.  I need it to be available to external users.  I've tried to use the tool and I think I'm mostly there.  I'm still missing something(s).  DNS says it's ok, but if the url is http://orgname.domain.com then, I'm not having any luck.

Org name is "n0xpd"
Domain is "n0xpd.com"
http://n0xpd.n0xpd.com will not come up in the browser.

Please look at the screenshots and advise, thanks.

 #1a
 #2
 #3
 #4
I'd like to get this going, then get it set up on HTTPS.  Disregard the screenshot below, it should not be here.  Thanks.
IFD01.jpg
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35428793
To make your CRM available to external users you need to do the following:

- run the IFD tool (which you seem to have done)
- Add a DNS entry for n0xpd on the DNS server that handles the n0xpd.com domain. This is likely to be an external DNS server hosted by your ISP or other 3rd party provider (unless of course you are hosting your own DNS records).
- To be externally accessible the record for n0xpd.n0xpd.com will have an external IP address which must be mapped via your firewall/router or whatever device to your internal CRM website.


I've used a DNS lookup tool and verified that n0xpd.n0xpd.com has an entry and is mapped to 72.215.217.43.
When I browse to n0xpd.n0xpd.com ( and it has to be that address for the IFD tool) I get page not found which suggests that your firewall is not forwarding requests to your CRM web site.

You need to make sure that incoming requests to that IP are directed to your CRM server.


Once you have all this working, then you can think about getting an SSL certificate for n0xpd.n0xpd.com and changing to https.
0
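The three stages in the answer above (DNS record, firewall forwarding, CRM web site) can be checked one at a time so the first failing stage is obvious. This is an added example, not part of the original thread; `check_ifd_path` and its result keys are hypothetical names, and the resolver is injectable so the check can be exercised without touching a real host.

```python
import http.client
import socket


def check_ifd_path(hostname, port, resolver=socket.gethostbyname, timeout=3.0):
    """Walk DNS -> TCP -> HTTP for an IFD URL and report the first failing stage."""
    result = {"dns": None, "tcp": False, "http_status": None, "failed_at": None}

    # Stage 1: the orgname.domain record must exist on the DNS server
    # that is authoritative for the external domain.
    try:
        result["dns"] = resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        result["failed_at"] = "dns"
        return result

    # Stage 2: the firewall/router must forward this port on the public IP
    # to the internal CRM server; a refused or timed-out connect fails here.
    try:
        sock = socket.create_connection((result["dns"], port), timeout=timeout)
    except OSError:
        result["failed_at"] = "tcp"
        return result
    sock.close()
    result["tcp"] = True

    # Stage 3: the web site must answer for this host name. IFD derives the
    # organization from the Host header, so it is sent explicitly with the port.
    conn = http.client.HTTPConnection(result["dns"], port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": f"{hostname}:{port}"})
        result["http_status"] = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        result["failed_at"] = "http"
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    import sys
    # Usage: python check_ifd.py <orgname.domain> <port>
    if len(sys.argv) == 3:
        print(check_ifd_path(sys.argv[1], int(sys.argv[2])))
```

A result with `failed_at == "tcp"` points at the forwarding rule, while a populated `http_status` means the request reached a web server and the status code says what that server made of it.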

 
LVL 33

Expert Comment

by:Paul Sauvé
ID: 35428815
Sorry I took so long getting back to you.

I think you have to find a hosting site to install your CRM 4.0. Once you have found the host site, you will be required to install using their parameters. The host will be able to let you know exactly what you must do to install correctly.

From what I have seen (and, while I have deployed some Internet sites, I haven't tried it with CRM 4.0) it's rather complex.

I found these articles for Installing CRM 4 on Windows 2008 Server, setting up a test Microsoft dynamics CRM server on a server at home and How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35428871
There is no need to use a hosting site. DustinEWright can keep his CRM 4.0 installation on their own servers.
0
 

Author Comment

by:DustinEWright
ID: 35428925
Feridun,

I'm so glad you are here!  Internally, the CRM server is 192.168.0.19 and the CRM website is on port 5555.  I think I do have external traffic routed to the server, see the screenshot.

 #5
My ISP gives me 5 public IPs with my package, but I can only put one on the router, how can I have a unique public IP for Remote Web Workplace (SBS) and another for CRM?

 #6
Thanks all.  I'm sure I'm doing something wrong, so what are the obvious steps you would do?  That is probably what I've overlooked.  Thanks for helping me learn.
0
 

Author Comment

by:DustinEWright
ID: 35428933
Also, once we are done, would it not need to be:

http://orgname.crmservername.domainname.com ?
http://n0xpd.crm01.n0xpd.com ?

Once we get that worked out, I'll buy an SSL cert so we can secure it.

Thanks!
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35431000
On the face of it, your firewall settings appear to be correct.

The external URL for the CRM web site is organizationname.external domain name  so in your case, seeing how the IFD has been configured it will be:

http://n0xpd.n0xpd.com

0
 

Author Comment

by:DustinEWright
ID: 35432645
What could I be doing wrong?
0
 

Author Comment

by:DustinEWright
ID: 35453605
I figured out the IFD part.  In the IFD and SDK App Root Domains, I needed to add the port :5555.  So now, http://n0xpd.n0xpd.com:5555 does work.

#7
Great, most of the way there!

Now, we need to get the SSL setup.  I bought a wildcard SSL from GoDaddy with the common name of "*.n0xpd.com" just as the instructions say to:

http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/secure_comm.aspx#o31272

"...1.Obtain a certificate from a CA. To use certificates you will have set up a public key infrastructure (PKI), which consists of one or more CAs that are linked in a hierarchy. These CAs and the PKI are required to manage certificate issuance, validation, renewal, and revocation in one or more organizations. You can use a third-party PKI with Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.

Important: The CA must support wildcard certificates and the common name for the certificate requested from the Microsoft Dynamics CRM Web site must use a wildcard. This wildcard certificate requirement only applies to Internet-facing Microsoft Dynamics CRM Web sites. .."


I hope buying from GoDaddy deals with the PKI in the first paragraph, I do not know what that means.  Please let me know if that is something I need to deal with.

Something that confuses me is this:

"...Important: You can apply only a single certificate to the Microsoft Dynamics CRM Web site. Therefore, you if you have configured Microsoft Dynamics CRM Server for both internal and Internet-facing (external) access, you cannot configure SSL for both internal and external connections to the Microsoft Dynamics CRM Web site. .."

Reading this seems to imply I can get HTTPS for IFD, but not for both IFD & Internal.  I'm fine with that, but later on it tells me to....

"...d. If you want clients to use only SSL when connecting to the Microsoft Dynamics CRM application, on the Directory Security tab, in the Secure communications area, click Edit. On the Secure Communications dialog box, select the Require secure channel (SSL) check box...."

Maybe I do not check that to use SSL over IFD?

Again, I only care about SSL over IFD, not internally.

Please advise, Thanks!
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35453910
Glad to hear you are making progress.

For CRM 4.0 you can configure internal to use http and external access to use https. In the IFD configuration tool make sure that you select https for the IFD Domain scheme and leave the AD one as http.

You will need to install your new certificate on your IIS server and then add an https binding on the CRM web site. Leave the existing http binding as is. Then when internal users connect to the web site they will connect with the http binding.

Do post how you get on.
0
 

Author Comment

by:DustinEWright
ID: 35454458
I'm having trouble because of another SSL cert I have on the other server.  I'm running SBS 2008 and I have RWW secured https://remote.wrightitsolutions.com  When I followed the document:

http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/secure_comm.aspx#o31272

Assuming I understood the directions (probably do not) I end up with it trying to connect internally via SSL also.

When I try to go to https://n0xpd.n0xpd.com or the same with :5555 I think it was, I get a cert error and 403.  It thinks it's using the cert for remote.wrightitsolutions.com.

Perhaps putting SSL on CRM is more trouble than it's worth.

It's a pretty safe bet I'm either doing something wrong or not doing something I should.  Fortunately I took a snapshot of the server (Hyper-V) and was able to restore it just now, so I'm still working.

Here's what I've done:

1. Obtain a certificate from a CA. To use certificates you will have set up a public key infrastructure (PKI), which consists of one or more CAs that are linked in a hierarchy. These CAs and the PKI are required to manage certificate issuance, validation, renewal, and revocation in one or more organizations. You can use a third-party PKI with Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.
Important: The CA must support wildcard certificates and the common name for the certificate requested from the Microsoft Dynamics CRM Web site must use a wildcard. This wildcard certificate requirement only applies to Internet-facing Microsoft Dynamics CRM Web sites.
A wildcard certificate for the Contoso organization might appear similar to the following example: *.contoso.com
For more information about wildcard certificates, see the following TechNet article: Obtaining and Installing a Wildcard Server Certificate (IIS 6.0)

I did buy a wildcard cert from GoDaddy common name "*.n0xpd.com"

2. Make sure that there are no users accessing Internet Information Services (IIS) where the Microsoft Dynamics CRM Web application is installed. To do this, stop the Microsoft Dynamics CRM Web site: right-click the Web site, and then click Stop.

Done

3. Configure the Microsoft Dynamics CRM Web site to use SSL. To do this, perform the following steps on the server running IIS where the Microsoft Dynamics CRM Web application is installed:
a. Start Internet Information Services (IIS) Manager
b. Right-click the Microsoft Dynamics CRM Web site, and then click Properties.

c. Click the Directory Security tab, click Server Certificate, and then follow the instructions in the Web Server Certificate Wizard.
This one worries me, GoDaddy walked me through what seems like a different process to install the cert.  They provided two files, one was an "intermediate" and the final for lack of a better word.

#8
#9
#10
d. If you want clients to use only SSL when connecting to the Microsoft Dynamics CRM application, on the Directory Security tab, in the Secure communications area, click Edit. On the Secure Communications dialog box, select the Require secure channel (SSL) check box.

Why would this not try to use SSL for any connection either inside or outside the domain?  This appears to be a contradiction that only one cert can be on the site and you can't use SSL for both internal and external access, but this implies ALL traffic must use SSL.  Please help me understand this one.  See next...

e. Close Internet Information Services (IIS) Manager.
Important: You can apply only a single certificate to the Microsoft Dynamics CRM Web site. Therefore, you if you have configured Microsoft Dynamics CRM Server for both internal and Internet-facing (external) access, you cannot configure SSL for both internal and external connections to the Microsoft Dynamics CRM Web site.
4. You must manually modify the following values in the configuration database.
Warning: Incorrectly modifying the configuration database (MSCRM_CONFIG) can cause unexpected behavior in the Microsoft Dynamics CRM system or cause the system to stop working. We recommend that you back up the Microsoft Dynamics CRM system before you complete these steps. For information about how to back up the Microsoft Dynamics CRM system, see the Operating and Maintaining Guide that is part of the Microsoft Dynamics CRM 4.0 Implementation Guide document set.
. On the computer running Microsoft SQL Server, start SQL Server Management Studio.
a. Expand Databases, expand MSCRM_CONFIG, expand Tables, right-click dbo.DeploymentProperties, and then click Open Table.
b. In the dbo.DeploymentProperties table under the ColumnName column, in the IFDRootDomainScheme row, change the NVarCharColumn column value from http to https. Note that this value must be in lower-case letters.

Is that right?  In the table itself, they are all UPPER case?

c. In the dbo.DeploymentProperties table, under the ColumnName column, in the IFDSdkRootDomain row, change the NVarCharColumn column value by using the name of the certificate configured for the Microsoft Dynamics CRM Web site.

The friendly name for my cert is "Microsoft Dynamics CRM", but again, I'm not on the default website, I'm on a different one on port :5555, so should I change it to:

Microsoft Dynamics CRM
or
Microsoft Dynamics CRM:5555


d. In the dbo.DeploymentProperties table, under the ColumnName column, in the IFDWebApplicationRootDomain row, change the NVarCharColumn column value by using the name of the certificate configured for the Microsoft Dynamics CRM Web site. The name of the certificate can be found in Internet Information Services (IIS) Manager on the Directory Security tab of the Microsoft Dynamics CRM Web site properties page. Click View Certificate, on the Certificate dialog box, click Details. Click the Friendly Name field to locate the certificate name.

Again, same thing "Microsoft Dynamics CRM" or "Microsoft Dynamics CRM:5555"?

e. Make sure your modifications are saved and then close SQL Server Management Studio.

I'm assuming simply under the file menu "Save All"?

5. Modify the LocalSDKPort Windows registry subkey value. To do this, complete the following steps.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system and Microsoft Dynamics CRM. We cannot guarantee that these problems can be solved. Modify the registry at your own risk.
. Start Registry Editor, and locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey.
a. Right-click LocalSdkPort, click Modify, and then click OK.
b. In the Base area, click Decimal, and then type the TCP port.
c. Click OK.
d. Close Registry Editor.

I found this as "5555" should I change it to "443"?


6. Restart IIS. To do this, at the command line, run the iisreset command.
7. Start the Microsoft Dynamics CRM Web site. To do this, right-click the Microsoft Dynamics CRM Web site, and then click Start.
8. Restart the Microsoft Dynamics CRM Asynchronous Processing Service. To do this, click Start, point to Administrative Tools, and then click Services. In the list of services, right-click Microsoft Dynamics CRM Asynchronous Processing Service, and then click Restart.
9. Verify that you can successfully connect to the Microsoft Dynamics CRM Web site over the Internet by using an external URL that begins with https. For example, in Internet Explorer the URL will appear similar to the following address: https://ServerName.DomainName.com/OrganizationName/

I did not see this, the URL is now called out as "https://ServerName.DomainName.com/OrganizationName/" currently I'm using "http://orgname.domaon.com:5555"  If I did this, I'd need to create a new sub-domain and DNS record at my domain registrar and in my DNS server to make it "https://crm01.n0xpd.com/n0xpd"  What about :5555 would it actually be "https://crm01.n0xpd.com/n0xpd:5555"?
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35455260
Dustin, this is getting a little complicated to resolve in this question. However, here are a few comments.
The certificate image you posted from GoDaddy seems fine.
Although you imported the certificate into IIS, did you add a new https to the CRM web site and select the new certificate?
The default port number for https is 443
You don't need to make any of the database changes that you described, running the IFD tool manages all that.
0
 

Author Comment

by:DustinEWright
ID: 35457103
Feridun,

Thanks for all your input!  Can you please clarify this:

did you add a new https to the CRM web site and select the new certificate?


Where is it I change the TCP port from 5555 to 443?  Again, mine is not on the default site/port (80)

Glad I don't have to make the database changes!

Again, thanks for all your help, you are very sharp and I very much appreciate it.
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35457260
Yes, add a new https binding to the CRM web site and select the new certificate.

You should then have two bindings, one on http for port 5555 (this is for internal access and does not change). You do not change the existing 5555.

You do not need to specify 443 for the https binding as this is the default.

0
 

Author Comment

by:DustinEWright
ID: 35457261
Might this be what I need to do?

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/56bdf977-14f8-4867-9c51-34c346d48b04.mspx?mfr=true

Step 6 confuses me
6.   In the Secure Communications box, select the Require secure channel (SSL) check box.

In my earlier attempts, this seems to make the website want SSL both internally as well as externally even though the IFD tool has HTTP for the AD (internal) domains.

Please help me understand,
Thanks!
 
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35457276
I don't think you need to complete any of the steps listed in your reference. In particular, as you point out, if you do complete step 6 then the whole website is configured for SSL so you definitely should not complete that step.

Adding the https binding and then running the IFD configuration tool should be sufficient to configure the CRM web site.
0
 

Author Comment

by:DustinEWright
ID: 35457492
Thanks, how do I add this binding, or check to see if it has been done?
0
 

Author Comment

by:DustinEWright
ID: 35457509
Please look at the screenshot, is it not "bound" already?

 #11
0
 

Author Comment

by:DustinEWright
ID: 35457523
When I try setting the IFD tool to do https on the IFD side, I get an odd error (403) regarding my other SSL cert for Remote Web Workplace.  The other domain.

Any ideas?
Thanks

 #12
0
 

Author Comment

by:DustinEWright
ID: 35457531
Do you think this is because RWW and CRM are on the same public IP?

If I need another public IP for the CRM server, how can I set that up?  I have five from the ISP, but my router only accepts 1.

Thanks
0
 

Author Comment

by:DustinEWright
ID: 35457547
0
 

Author Comment

by:DustinEWright
ID: 35458095
My gut tells me this has something to do with SSL/port 443.  I have 443 mapped to the SBS server for Remote Web Workplace.  I'm thinking any 443 traffic that comes in the router is pushing it to the SBS box.  What do you think?
0
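The situation suspected in the post above can be modelled offline: with one public IP, port 443 can be forwarded to only one internal server, so an HTTPS request for the CRM host name is answered with the Remote Web Workplace certificate. This is an added example, not part of the original thread; the public addresses (203.0.113.x) and the SBS internal address are constructed, and `name_matches` and `browse` are hypothetical helper names. It also covers the wildcard scope raised earlier in the thread, where a `*.n0xpd.com` certificate is compared with a two-level name such as `n0xpd.crm01.n0xpd.com`.

```python
def name_matches(pattern, host):
    """Compare a certificate name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                 # "*" stands for exactly one label
    if p[0] == "*":
        # Wildcard only in the leftmost label, and never directly under a TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def browse(host, port, dns, nat_rules, tls_sites):
    """Follow one HTTPS request: DNS -> forwarding rule -> server -> name check."""
    public_ip = dns[host]
    backend = nat_rules.get((public_ip, port))   # one target per (public IP, port)
    names = tls_sites.get((backend, port), [])
    return {
        "backend": backend,
        "presented": names,
        "name_ok": any(name_matches(n, host) for n in names),
    }


# Constructed lab values. CRM's internal address is the one given in the
# thread; the SBS address and both public addresses are placeholders.
SBS, CRM = "192.168.0.2", "192.168.0.19"
TLS_SITES = {
    (SBS, 443): ["remote.wrightitsolutions.com"],
    (CRM, 443): ["*.n0xpd.com"],
}

# One public IP: 443 already belongs to SBS, CRM is reachable on 5555 only.
ONE_IP_DNS = {"n0xpd.n0xpd.com": "203.0.113.10",
              "remote.wrightitsolutions.com": "203.0.113.10"}
ONE_IP_NAT = {("203.0.113.10", 443): SBS, ("203.0.113.10", 5555): CRM}

# Two public IPs: each server gets its own 443.
TWO_IP_DNS = {"n0xpd.n0xpd.com": "203.0.113.11",
              "remote.wrightitsolutions.com": "203.0.113.10"}
TWO_IP_NAT = {("203.0.113.10", 443): SBS,
              ("203.0.113.11", 443): CRM,
              ("203.0.113.11", 5555): CRM}

if __name__ == "__main__":
    for label, dns, nat in (("one public IP", ONE_IP_DNS, ONE_IP_NAT),
                            ("two public IPs", TWO_IP_DNS, TWO_IP_NAT)):
        for host in dns:
            print(label, host, browse(host, 443, dns, nat, TLS_SITES))
```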
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35458151
There is most likely a confusion with your SBS, Remote Web Workplace. I'll post more on Tuesday.
0
 

Author Comment

by:DustinEWright
ID: 35459634
I tried changing the SSL port on the CRM website to 9443 and creating a rule on the firewall to route traffic on that port to the CRM server, but that seems to break Companyweb and https still will not work.  I'm sure I'm just missing something.
0
 

Author Comment

by:DustinEWright
ID: 35462055
Fortunately, I'm a SonicWALL partner, so I've ordered a TZ100.  I have 5 public IPs, so I'll set up a separate public IP for the CRM server.  I think that will take care of it.  It will be a few days before I get it but I'll post back.
0
 

Author Comment

by:DustinEWright
ID: 35691060
Got the "new" TZ100 and had SonicWALL help me configure it.  I'll show two screenshots of the packet capture.  It seems to be configured correctly, but there seems to be an issue with the certificate.  http works fine, https will not work.

I'll review everything and continue.

One question about the IFD config tool, for http the url is "http://n0xpd.n0xpd.com:5555" would ":5555" still be used on https? Or, would it simply be "https://n0xpd.n0xpd.com"?  I can't seem to find that clarification.  Must be one of those things I'm supposed to just know.

Fullsize, then cropped to be easier to read.
#13#14
0
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 35691193
With regard to the IFD config tool, you would not specify 5555 for https. Use https://n0xpd.n0xpd.com. This assumes that port 443 will be used (which is the default for https).

I just browsed to https://n0xpd.n0xpd.com/ and get to the screen in the attached screen shot.

capture.PNG
0
 

Author Comment

by:DustinEWright
ID: 35698763
That appears to be http, not https.

I have Remote Web Workplace, firewall management, and CRM (http) all working.  I will have to go back and start from the top to try to get https working for CRM.  I've not changed anything on the server side, any ideas why https won't work?

Again, I do not have to do any manual changes that the config document describes, the IFD tool does it all, right?

Thanks.
0
 

Author Comment

by:DustinEWright
ID: 35699196
It appears to work now https://n0xpd.n0xpd.com for CRM https://remote.wrightitsolutions.com for RWW and https://72.215.217.43:9443 for remote management of the SonicWALL.  Please check these and verify for me, thanks.
0
 
LVL 30

Accepted Solution

by:
Feridun Kadir earned 2000 total points
ID: 35699635
Yep, all three work as you describe. The SonicWall address gives a certificate warning.
0
 

Author Closing Comment

by:DustinEWright
ID: 35700061
Thank you so much for helping me get this going.  If anyone finds this thread in the future, please feel free to reach out to me, I will do my best to share my experience to help you.

Thank you very very much!
0


Question has a verified solution.
