Solved

Bloc Access to CRM External Deployment

Posted on 2013-05-30
3
318 Views
Last Modified: 2013-06-04
We just migrated our current CRm 2011 deployment to IFD.  Everything is working fine but our programmers didn't think of something.  Is there anyway to block just our hourly sales people from accessing the external URL remotely.  We obviously have remote users in other countries that access the system but in the US we have all our sales people we do not want in the system from outside of our building.  Is there a way to do this?
0
Comment
Question by:APWIP-Admin
3 Comments
 
LVL 29

Assisted Solution

by:Feridun Kadir
Feridun Kadir earned 250 total points
ID: 39212049
I don't think there is a simple way to do this.

When a user access CRM using the external URL, they are presented with a page from ADFS asking them to login. Of course, the user has a valid windows acccount and password so they can log in. I think you would be better off looking to see if something could be done in ADFS to selectively grant/deny access to groups of users. I would envisage creating a security group in AD for users allowed to access CRM remotely or a group for users denied remote access.

Then, somehow (but I'm afraid I don't know how) configuring ADFS to allow or deny access using the new group(s).
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 250 total points
ID: 39213129
to look at it a different way to feridun

if you forget about it being CRM for a moment and just think of it as a web server that is externally accessible

If I understand you correctly, you want to block some people from being able to access the web server, but the only way of discriminating between valid users and invalid users is wht group they are in within the company.

This is not possible to do directly as the web server doesn't know who they are before they have logged in.

You have two options

1/ Have an authenticating reverse proxy/SSL VPN "in front" of the web server to which user authenticate before accessing the web server and restrict access to the server using this method.

2/ Use Access Control within the web application to restrict access to only allowed users.

If you do not want users be be able to even attempt to login to the application, then 1/ would be your best option, however this would require either another application/server/appliance, so I would tend to go with option 2 as suggested by feridun
0
 

Author Closing Comment

by:APWIP-Admin
ID: 39219452
That is pretty much what I figured.  Thanks for your assistance though.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now