Solved

Setting up MSDynamics 2013 IFD setup

Posted on 2014-04-14
Last Modified: 2014-04-15
I'm currently looking at setting up remote access to our recently upgraded MSDynamics CRM platform; we have upgraded from 2011 to 2013.

All of our internal users have access and we have the Dynamics servers sat on the internal network which is protected by the company firewall.

My question is this. I want to implement Internet Facing Deployment using Claims Based Authentication to verify credentials of external users. We also have a Domain Controller in our DMZ with ADFS on it and an unused web server in the DMZ.

I need to know if I can setup IFD on the DC and Web Server in the DMZ, then have them point to the internal Dynamics Application?

It seems that the preference or recommendation is for the IFD to be configured with external users connecting directly to the IIS service on the internal Dynamics servers. I'm not keen on this direct connection and would like to know the best solution.
Question by:CTCRM

Expert Comment

by:feridun
ID: 39999322
Configuring IFD for CRM 2013 (and 2011) means that you have to expose the CRM web-site to the Internet. Users sign-in using ADFS which redirects incoming access to the CRM web-site.

IFD is configured for a CRM deployment which can have more than one CRM server.

You might be able to do this (but this is supposition on my part - I have not tried this). You could have an internal CRM server that has all CRM roles and then a second CRM server with the Front End roles (which include the CRM web site). Then you configure claims-based authentication and IFD which will apply to all users. But you can arrange for the external URL for external users to land users on the second CRM Server (in your DMZ). However, this second server will need to be able to communicate directly with the SQL server that has the CRM databases so I'm not sure if this helps your requirement.

Author Comment

by:CTCRM
ID: 40000961
So, I currently have 3 CRM servers (1xSQL and 2xCRM App/IIS servers) on the internal network.
I also have a Web server in the DMZ that was built and then put on hold until a decision was made.

Would the second Front End server in the DMZ, configured to have CRM Front End Roles, have any impact on the internal users' access to CRM?

Just to clarify then: remote users would authenticate via AD FS on the DC in the DMZ, which would then point to the CRM FE Web Server in the DMZ, which needs to be able to see the CRM SQL DB?

Accepted Solution

by:
feridun earned 500 total points
ID: 40000975
To your last point, external users browse to a URL of the form https://orgname.companyname.com where orgname is the name of the CRM organization. You must create a DNS entry for orgname in the external DNS for your company domain. The name would resolve to an IP address on your network, the CRM FE Web server in the DMZ.  That web server would then redirect users to AD FS, which must also be accessible over the Internet, which in turn will contact a domain controller to verify the username and password. I'm not sure how to constrain the AD FS server to work with a specific DC. After the user is authenticated they are then taken back to the CRM FE web server which renders the CRM application - this server needs to communicate with the SQL server.

Internal users will browse to a URL that lands them on the internal CRM web server.

I don't see that having two CRM FE web servers would impact either audience set.

I must point out that I have not tried the above configuration so please test it if you can before launching into a production scenario.
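
An added example, not part of the original post: when testing this layout in development, the redirect that the DMZ front-end server sends toward AD FS can be captured and checked offline. It assumes the redirect is a WS-Federation passive sign-in request (`wa`, `wtrealm` on the `/adfs/ls/` endpoint); the AD FS host name, the realm list and both sample redirects are constructed values.

```python
from urllib.parse import urlsplit, parse_qs


def check_signin_redirect(external_url, adfs_host, allowed_realms, location):
    """Check the sign-in redirect a CRM front-end server issues.

    external_url   -- URL external users browse to (https://orgname.companyname.com)
    adfs_host      -- host name AD FS is published under (assumed value)
    allowed_realms -- relying-party identifiers registered in AD FS (assumed)
    location       -- Location header captured from the front-end server
    Returns a list of findings; an empty list means the redirect looks sane.
    """
    findings = []
    ext, loc = urlsplit(external_url), urlsplit(location)

    if ext.scheme != "https":
        findings.append("external CRM URL is not HTTPS")
    if loc.scheme != "https":
        findings.append("redirect to AD FS is not HTTPS")
    if (loc.hostname or "").lower() != adfs_host.lower():
        findings.append(f"redirect targets {loc.hostname!r}, expected {adfs_host!r}")

    query = parse_qs(loc.query)
    if query.get("wa") != ["wsignin1.0"]:
        findings.append("not a WS-Federation sign-in request (wa != wsignin1.0)")

    # The realm must be one AD FS knows; an internal server name here means
    # the DMZ front end is advertising the wrong address to external users.
    realm = query.get("wtrealm", [""])[0].rstrip("/").lower()
    if realm not in {r.rstrip("/").lower() for r in allowed_realms}:
        findings.append(f"wtrealm {realm!r} is not a registered relying party")
    return findings


# Constructed sample values; only the orgname.companyname.com form is from the thread.
EXTERNAL_URL = "https://orgname.companyname.com"
ADFS_HOST = "sts.companyname.com"
REALMS = ["https://orgname.companyname.com/"]

GOOD = ("https://sts.companyname.com/adfs/ls/?wa=wsignin1.0"
        "&wtrealm=https%3a%2f%2forgname.companyname.com%2f")
# Front-end server advertising its internal name, with AD FS reached over plain HTTP.
BAD = ("http://sts.companyname.com/adfs/ls/?wa=wsignin1.0"
       "&wtrealm=http%3a%2f%2fcrmfe01.internal.example%2f")

if __name__ == "__main__":
    for name, loc in (("good", GOOD), ("bad", BAD)):
        print(name, check_signin_redirect(EXTERNAL_URL, ADFS_HOST, REALMS, loc))
```
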

Author Closing Comment

by:CTCRM
ID: 40001156
Thanks for the advice provided and I will set this up in development first to test.