DustinEWright

asked on

CRM 4.0 IFD - From The Beginning Please

Hi All,

Please help me.  I have a functioning CRM 4.0 deployment.  I need to get it setup as IFD.  I've read the document that goes with the config tool, but I'm stuck already.

Do I need to setup the CRM server with a public IP?

If so, how do I do that?

The desired outcome is for internal and external users to be able to access CRM and have it access over HTTPS.

Let's start here and we'll go from there.  Thanks!
Paul Sauvé

If the desired outcome is for internal and external users to be able to access CRM and have it access over HTTPS, then you MUST find a host with enough bandwidth for access by the estimated number of simultaneous users. Also, you should have an idea of the number of monthly users to estimate the bandwidth you will be required to pay per month.

Here is a detailed article on how to deploy CRM 4.0 with IFD: Configuring Microsoft Dynamics CRM 4.0 for Internet-facing deployment
DustinEWright

ASKER

Let's try this again.  I have my CRM deployment.  I need it to be available to external users.  I've tried to use the tool and I think I'm mostly there.  I'm still missing something(s).  DNS says it's ok, but if the url is http://orgname.domain.com then, I'm not having any luck.

Org name is "n0xpd"
Domain is "n0xpd.com"
http://n0xpd.n0xpd.com will not come up in the browser.

Please look at the screenshots and advise, thanks.

I'd like to get this going, then get it set up on HTTPS.  Disregard the screenshot below, it should not be here.  Thanks.
IFD01.jpg
To make your CRM available to external users you need to do the following:

- run the IFD tool (which you seem to have done)
- Add a DNS entry for n0xpd on the DNS server that handles the n0xpd.com domain. This is likely to be an external DNS server hosted by your ISP or other 3rd party provider (unless of course you are hosting your own DNS records).
- To be externally accessible the record for n0xpd.n0xpd.com will have an external IP address which must be mapped via your firewall/router or whatever device to your internal CRM website.


I've used a DNS lookup tool and verified that n0xpd.n0xpd.com has an entry and is mapped to 72.215.217.43.
When I browse to n0xpd.n0xpd.com (and it has to be that address for the IFD tool) I get page not found, which suggests that your firewall is not forwarding requests to your CRM web site.

You need to make sure that incoming requests to that IP are directed to your CRM server.


Once you have all this working, then you can think about getting an SSL certificate for n0xpd.n0xpd.com and changing to https.
Sorry I took so long getting back to you.

I think you have to find a hosting site to install your CRM 4.0. Once you have found the host site, you will need to install using their parameters. The host will be able to let you know exactly what you must do to install correctly.

From what I have seen (and, while I have deployed some Internet sites, I haven't tried it with CRM 4.0) it's rather complex.

I found these articles for Installing CRM 4 on Windows 2008 Server, setting up a test Microsoft dynamics CRM server on a server at home and How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0
There is no need to use a hosting site. DustinEWright can keep his CRM 4.0 installation on their own servers.
Feridun,

I'm so glad you are here!  Internally, the CRM server is 192.168.0.19 and the CRM website is on port 5555.  I think I do have external traffic routed to the server, see the screenshot.

My ISP gives me 5 public IPs with my package, but I can only put one on the router. How can I have a unique public IP for Remote Web Workplace (SBS) and another for CRM?

Thanks all.  I'm sure I'm doing something wrong, so what are the obvious steps you would do?  That is probably what I've overlooked.  Thanks for helping me learn.
Also, once we are done, would it not need to be:

http://orgname.crmservername.domainname.com ?
http://n0xpd.crm01.n0xpd.com ?

Once we get that worked out, I'll buy an SSL cert so we can secure it.

Thanks!
On the face of it, your firewall settings appear to be correct.

The external URL for the CRM web site is organizationname.external domain name  so in your case, seeing how the IFD has been configured it will be:

http://n0xpd.n0xpd.com

What could I be doing wrong?
I figured out the IFD part.  In the IFD and SDK App Root Domains, I needed to add the port :5555.  So now, http://n0xpd.n0xpd.com:5555 does work.

Great, most of the way there!

Now, we need to get the SSL setup.  I bought a wildcard SSL from GoDaddy with the common name of "*.n0xpd.com" just as the instructions say to:

http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/secure_comm.aspx#o31272

"...1.Obtain a certificate from a CA. To use certificates you will have set up a public key infrastructure (PKI), which consists of one or more CAs that are linked in a hierarchy. These CAs and the PKI are required to manage certificate issuance, validation, renewal, and revocation in one or more organizations. You can use a third-party PKI with Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.

Important: The CA must support wildcard certificates and the common name for the certificate requested from the Microsoft Dynamics CRM Web site must use a wildcard. This wildcard certificate requirement only applies to Internet-facing Microsoft Dynamics CRM Web sites. .."


I hope buying from GoDaddy deals with the PKI in the first paragraph, I do not know what that means.  Please let me know if that is something I need to deal with.

Something that confuses me is this:

"...Important: You can apply only a single certificate to the Microsoft Dynamics CRM Web site. Therefore, you if you have configured Microsoft Dynamics CRM Server for both internal and Internet-facing (external) access, you cannot configure SSL for both internal and external connections to the Microsoft Dynamics CRM Web site. .."

Reading this seems to imply I can get HTTPS for IFD, but not for both IFD & Internal.  I'm fine with that, but later on it tells me to....

"...d. If you want clients to use only SSL when connecting to the Microsoft Dynamics CRM application, on the Directory Security tab, in the Secure communications area, click Edit. On the Secure Communications dialog box, select the Require secure channel (SSL) check box...."

Maybe I do not check that to use SSL over IFD?

Again, I only care about SSL over IFD, not internally.

Please advise, Thanks!
Glad to hear you are making progress.

For CRM 4.0 you can configure internal to use http and external access to use https. In the IFD configuration tool make sure that you select https for the IFD Domain scheme and leave the AD one as http.

You will need to install your new certificate on your IIS server and then add an https binding on the CRM web site. Leave the existing http binding as is. Then when internal users connect to the web site they will connect with the http binding.

Do post how you get on.
I'm having trouble because of another SSL cert I have on the other server.  I'm running SBS 2008 and I have RWW secured https://remote.wrightitsolutions.com  When I followed the document:

http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/secure_comm.aspx#o31272

Assuming I understood the directions (probably do not) I end up with it trying to connect internally via SSL also.

When I try to go to https://n0xpd.n0xpd.com or the same with :5555 I think it was, I get a cert error and 403.  It thinks it's using the cert for remote.wrightitsolutions.com.

Perhaps putting SSL on CRM is more trouble than it's worth.

It's a pretty safe bet I'm either doing something wrong or not doing something I should.  Fortunately I took a snapshot of the server (Hyper-V) and was able to restore it just now, so I'm still working.

Here's what I've done:

1. Obtain a certificate from a CA. To use certificates you will have set up a public key infrastructure (PKI), which consists of one or more CAs that are linked in a hierarchy. These CAs and the PKI are required to manage certificate issuance, validation, renewal, and revocation in one or more organizations. You can use a third-party PKI with Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.
Important: The CA must support wildcard certificates and the common name for the certificate requested from the Microsoft Dynamics CRM Web site must use a wildcard. This wildcard certificate requirement only applies to Internet-facing Microsoft Dynamics CRM Web sites.
A wildcard certificate for the Contoso organization might appear similar to the following example: *.contoso.com
For more information about wildcard certificates, see the following TechNet article: Obtaining and Installing a Wildcard Server Certificate (IIS 6.0)

I did buy a wildcard cert from GoDaddy common name "*.n0xpd.com"

2. Make sure that there are no users accessing Internet Information Services (IIS) where the Microsoft Dynamics CRM Web application is installed. To do this, stop the Microsoft Dynamics CRM Web site: right-click the Web site, and then click Stop.

Done

3. Configure the Microsoft Dynamics CRM Web site to use SSL. To do this, perform the following steps on the server running IIS where the Microsoft Dynamics CRM Web application is installed:
a. Start Internet Information Services (IIS) Manager
b. Right-click the Microsoft Dynamics CRM Web site, and then click Properties.

c. Click the Directory Security tab, click Server Certificate, and then follow the instructions in the Web Server Certificate Wizard.
This one worries me, GoDaddy walked me through what seems like a different process to install the cert.  They provided two files, one was an "intermediate" and the final for lack of a better word.

d. If you want clients to use only SSL when connecting to the Microsoft Dynamics CRM application, on the Directory Security tab, in the Secure communications area, click Edit. On the Secure Communications dialog box, select the Require secure channel (SSL) check box.

Why would this not try to use SSL for any connection either inside or outside the domain?  This appears to be a contradiction that only one cert can be on the site and you can't use SSL for both internal and external access, but this implies ALL traffic must use SSL.  Please help me understand this one.  See next...

e. Close Internet Information Services (IIS) Manager.
Important: You can apply only a single certificate to the Microsoft Dynamics CRM Web site. Therefore, you if you have configured Microsoft Dynamics CRM Server for both internal and Internet-facing (external) access, you cannot configure SSL for both internal and external connections to the Microsoft Dynamics CRM Web site.
4. You must manually modify the following values in the configuration database.
Warning: Incorrectly modifying the configuration database (MSCRM_CONFIG) can cause unexpected behavior in the Microsoft Dynamics CRM system or cause the system to stop working. We recommend that you back up the Microsoft Dynamics CRM system before you complete these steps. For information about how to back up the Microsoft Dynamics CRM system, see the Operating and Maintaining Guide that is part of the Microsoft Dynamics CRM 4.0 Implementation Guide document set.
. On the computer running Microsoft SQL Server, start SQL Server Management Studio.
a. Expand Databases, expand MSCRM_CONFIG, expand Tables, right-click dbo.DeploymentProperties, and then click Open Table.
b. In the dbo.DeploymentProperties table under the ColumnName column, in the IFDRootDomainScheme row, change the NVarCharColumn column value from http to https. Note that this value must be in lower-case letters.

Is that right?  In the table itself, they are all UPPER case?

c. In the dbo.DeploymentProperties table, under the ColumnName column, in the IFDSdkRootDomain row, change the NVarCharColumn column value by using the name of the certificate configured for the Microsoft Dynamics CRM Web site.

The friendly name for my cert is "Microsoft Dynamics CRM", but again, I'm not on the default website, I'm on a different one on port :5555, so should I change it to:

Microsoft Dynamics CRM
or
Microsoft Dynamics CRM:5555


d. In the dbo.DeploymentProperties table, under the ColumnName column, in the IFDWebApplicationRootDomain row, change the NVarCharColumn column value by using the name of the certificate configured for the Microsoft Dynamics CRM Web site. The name of the certificate can be found in Internet Information Services (IIS) Manager on the Directory Security tab of the Microsoft Dynamics CRM Web site properties page. Click View Certificate, on the Certificate dialog box, click Details. Click the Friendly Name field to locate the certificate name.

Again, same thing "Microsoft Dynamics CRM" or "Microsoft Dynamics CRM:5555"?

e. Make sure your modifications are saved and then close SQL Server Management Studio.

I'm assuming simply under the file menu "Save All"?

5. Modify the LocalSDKPort Windows registry subkey value. To do this, complete the following steps.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system and Microsoft Dynamics CRM. We cannot guarantee that these problems can be solved. Modify the registry at your own risk.
. Start Registry Editor, and locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey.
a. Right-click LocalSdkPort, click Modify, and then click OK.
b. In the Base area, click Decimal, and then type the TCP port.
c. Click OK.
d. Close Registry Editor.

I found this as "5555" should I change it to "443"?


6. Restart IIS. To do this, at the command line, run the iisreset command.
7. Start the Microsoft Dynamics CRM Web site. To do this, right-click the Microsoft Dynamics CRM Web site, and then click Start.
8. Restart the Microsoft Dynamics CRM Asynchronous Processing Service. To do this, click Start, point to Administrative Tools, and then click Services. In the list of services, right-click Microsoft Dynamics CRM Asynchronous Processing Service, and then click Restart.
9. Verify that you can successfully connect to the Microsoft Dynamics CRM Web site over the Internet by using an external URL that begins with https. For example, in Internet Explorer the URL will appear similar to the following address: https://ServerName.DomainName.com/OrganizationName/

I did not see this, the URL is now called out as "https://ServerName.DomainName.com/OrganizationName/" currently I'm using "http://orgname.domain.com:5555"  If I did this, I'd need to create a new sub-domain and DNS record at my domain registrar and in my DNS server to make it "https://crm01.n0xpd.com/n0xpd"  What about :5555 would it actually be "https://crm01.n0xpd.com/n0xpd:5555"?
Dustin, this is getting a little complicated to resolve in this question. However, here a few comments.
The certificate image you posted from GoDaddy seems fine.
Although you imported the certificate into IIS, did you add a new https to the CRM web site and select the new certificate?
The default port number for https is 443
You don't need to make any of the database changes that you described, running the IFD tool manages all that.
Feridun,

Thanks for all your input!  Can you please clarify this:

did you add a new https to the CRM web site and select the new certificate?


Where is it I change the TCP port from 5555 to 443?  Again, mine is not on the default site/port (80)

Glad I don't have to make the database changes!

Again, thanks for all your help, you are very sharp and I very much appreciate it.
Yes, add a new https binding to the CRM web site and select the new certificate.

You should then have two bindings, one on http for port 5555 (this is for internal access and does not change). You do not change the existing 5555.

You do not need to specify 443 for the https binding as this is the default.

Might this be what I need to do?

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/56bdf977-14f8-4867-9c51-34c346d48b04.mspx?mfr=true

Step 6 confuses me
6.   In the Secure Communications box, select the Require secure channel (SSL) check box.

In my earlier attempts, this seems to make the website want SSL both internally as well as externally even though the IFD tool has HTTP for the AD (internal) domains.

Please help me understand,
Thanks!
 
I don't think you need to complete any of the steps listed in your reference. In particular, as you point out, if you do complete step 6 then the whole website is configured for SSL so you definitely should not complete that step.

Adding the https binding and then running the IFD configuration tool should be sufficient to configure the CRM web site.
Thanks, how do I add this binding, or check to see if it has been done?
Please look at the screenshot, is it not "bound" already?

When I try setting the IFD tool to do https on the IFD side, I get an odd error (403) regarding my other SSL cert for Remote Web Workplace.  The other domain.

Any ideas?
Thanks

Do you think this is because RWW and CRM are on the same public IP?

If I need another public IP for the CRM server, how can I set that up?  I have five from the ISP, but my router only accepts 1.

Thanks
My gut tells me this has something to do with SSL/port 443.  I have 443 mapped to the SBS server for Remote Web Workplace.  I'm thinking any 443 traffic that comes in the router is pushing it to the SBS box.  What do you think?
There is most likely a confusion with your SBS, Remote Web Workplace. I'll post more on Tuesday.
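
The hypothesis in the posts above (port 443 on the shared public IP is forwarded to the SBS box, so the Remote Web Workplace certificate answers for the CRM name) can be checked from outside the firewall by looking at which certificate is actually served. The following is an added example, not code from any poster in this thread; the function names and the sample certificate name lists are constructed for illustration, using only host names that appear in the thread.

```python
import socket
import ssl


def name_matches(pattern, host):
    """True if a certificate DNS name covers host. A leading '*.' stands for
    exactly one label: *.n0xpd.com covers n0xpd.n0xpd.com, but not n0xpd.com
    and not a.b.n0xpd.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first_label, _, parent = host.partition(".")
    return bool(first_label) and "." in parent and parent == pattern[2:]


def diagnose(requested_host, cert_names, known_sites):
    """Classify the certificate a server presented for requested_host.

    known_sites maps other host names published on the same public IP to a
    label. Returns (verdict, detail); verdict is 'match', 'wrong-site'
    (the port forward lands on another site) or 'unknown'."""
    if any(name_matches(n, requested_host) for n in cert_names):
        return "match", requested_host
    for site, label in known_sites.items():
        if any(name_matches(n, site) for n in cert_names):
            return "wrong-site", label
    return "unknown", ", ".join(cert_names)


def fetch_cert_names(host, port=443, timeout=5.0):
    """Connect to host:port and return the DNS names in the served certificate.
    The chain is still validated; only the name check is switched off so the
    names can be reported by diagnose() instead of failing the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older certificates carry the name only in the subject CN
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


# Constructed sample data: the name lists the two certificates would carry.
OTHER_SITES = {"remote.wrightitsolutions.com": "SBS Remote Web Workplace"}
CRM_CERT = ["*.n0xpd.com"]
RWW_CERT = ["remote.wrightitsolutions.com"]

if __name__ == "__main__":
    # Offline demonstration; for a live check from an external network use
    # diagnose(host, fetch_cert_names(host), OTHER_SITES).
    print(diagnose("n0xpd.n0xpd.com", RWW_CERT, OTHER_SITES))
    print(diagnose("n0xpd.n0xpd.com", CRM_CERT, OTHER_SITES))
```

A 'wrong-site' verdict means the firewall rule for that port, not the CRM certificate, is what needs fixing.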
I tried changing the SSL port on the CRM website to 9443 and creating a rule on the firewall to route traffic on that port to the CRM server, but that seems to break Companyweb and https still will not work.  I'm sure I'm just missing something.
Fortunately, I'm a SonicWALL partner, so I've ordered a TZ100.  I have 5 public IPs, so I'll set up a separate public IP for the CRM server.  I think that will take care of it.  It will be a few days before I get it but I'll post back.
Got the "new" TZ100 and had SonicWALL help me configure it.  I'll show two screenshots of the packet capture.  It seems to be configured correctly, but there seems to be an issue with the certificate.  http works fine, https will not work.

I'll review everything and continue.

One question about the IFD config tool, for http the url is "http://n0xpd.n0xpd.com:5555" would ":5555" still be used on https? Or, would it simply be "https://n0xpd.n0xpd.com"?  I can't seem to find that clarification.  Must be one of those things I'm supposed to just know.

Fullsize, then cropped to be easier to read.
With regard to the IFD config tool, you would not specify 5555 for https. Use https://n0xpd.n0xpd.com. This assumes that port 443 will be used (which is the default for https).

I just browsed to https://n0xpd.n0xpd.com/ and get to the screen in the attached screen shot.

capture.PNG
That appears to be http, not https.

I have Remote Web Workplace, firewall management, and CRM (http) all working.  I will have to go back and start from the top to try to get https working for CRM.  I've not changed anything on the server side, any ideas why https won't work?

Again, I do not have to do any manual changes that the config document describes, the IFD tool does it all, right?

Thanks.
It appears to work now: https://n0xpd.n0xpd.com for CRM, https://remote.wrightitsolutions.com for RWW, and https://72.215.217.43:9443 for remote management of the SonicWALL.  Please check these and verify for me, thanks.
ASKER CERTIFIED SOLUTION
Feridun Kadir
This solution is only available to members.
Thank you so much for helping me get this going.  If anyone finds this thread in the future, please feel free to reach out to me, I will do my best to share my experience to help you.

Thank you very very much!