Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 354
  • Last Modified:

Bloc Access to CRM External Deployment

We just migrated our current CRm 2011 deployment to IFD.  Everything is working fine but our programmers didn't think of something.  Is there anyway to block just our hourly sales people from accessing the external URL remotely.  We obviously have remote users in other countries that access the system but in the US we have all our sales people we do not want in the system from outside of our building.  Is there a way to do this?
0
APWIP-Admin
Asked:
APWIP-Admin
2 Solutions
 
Feridun KadirPrincipal ConsultantCommented:
I don't think there is a simple way to do this.

When a user access CRM using the external URL, they are presented with a page from ADFS asking them to login. Of course, the user has a valid windows acccount and password so they can log in. I think you would be better off looking to see if something could be done in ADFS to selectively grant/deny access to groups of users. I would envisage creating a security group in AD for users allowed to access CRM remotely or a group for users denied remote access.

Then, somehow (but I'm afraid I don't know how) configuring ADFS to allow or deny access using the new group(s).
0
 
ArneLoviusCommented:
to look at it a different way to feridun

if you forget about it being CRM for a moment and just think of it as a web server that is externally accessible

If I understand you correctly, you want to block some people from being able to access the web server, but the only way of discriminating between valid users and invalid users is wht group they are in within the company.

This is not possible to do directly as the web server doesn't know who they are before they have logged in.

You have two options

1/ Have an authenticating reverse proxy/SSL VPN "in front" of the web server to which user authenticate before accessing the web server and restrict access to the server using this method.

2/ Use Access Control within the web application to restrict access to only allowed users.

If you do not want users be be able to even attempt to login to the application, then 1/ would be your best option, however this would require either another application/server/appliance, so I would tend to go with option 2 as suggested by feridun
0
 
APWIP-AdminAuthor Commented:
That is pretty much what I figured.  Thanks for your assistance though.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now