Solved

Setting up MSDynamics 2013 IFD setup

Posted on 2014-04-14
Last Modified: 2014-04-15
I'm currently looking at setting up remote access to our recently upgraded MSDynamics CRM platform; we have upgraded from 2011 to 2013.

All of our internal users have access and we have the Dynamics servers sat on the internal network which is protected by the company firewall.

My question is this. I want to implement Internet Facing Deployment using Claims Based Authentication to verify credentials of external users. We also have a Domain Controller in our DMZ with ADFS on it and an unused web server in the DMZ.

I need to know if I can setup IFD on the DC and Web Server in the DMZ, then have them point to the internal Dynamics Application?

It seems that the preference or recommendation is for the IFD to be configured with external users connecting directly to the IIS service on the internal Dynamics servers. I'm not keen on this direct connection and would like to know the best solution.
Question by:CTCRM

Expert Comment

by:Feridun Kadir
ID: 39999322
Configuring IFD for CRM 2013 (and 2011) means that you have to expose the CRM web-site to the Internet. Users sign-in using ADFS which redirects incoming access to the CRM web-site.

IFD is configured for a CRM deployment which can have more than one CRM server.

You might be able to do this (but this is supposition on my part - I have not tried this). You could have an internal CRM server that has all CRM roles and then a second CRM server with the Front End roles (which include the CRM web site). Then you configure claims-based authentication and IFD which will apply to all users. But you can arrange for the external URL for external users to land users on the second CRM Server (in your DMZ). However, this second server will need to be able to communicate directly with the SQL server that has the CRM databases so I'm not sure if this helps your requirement.

Author Comment

by:CTCRM
ID: 40000961
So, I currently have 3 CRM servers (1xSQL and 2xCRM App/IIS servers) on the internal network.
I also have a Web server in the DMZ that was built and then put on hold until a decision was made.

Would the second Front End server in the DMZ, configured to have CRM Front End Roles, have any impact on the internal users' access to CRM?

Just to clarify then: remote users would authenticate via AD FS on the DC in the DMZ, which would then point to the CRM FE Web Server in the DMZ, which needs to be able to see the CRM SQL DB?

Accepted Solution

by:
Feridun Kadir earned 1500 total points
ID: 40000975
To your last point, external users browse to a URL of the form https://orgname.companyname.com where orgname is the name of the CRM organization. You must create a DNS entry for orgname in the external DNS for your company domain. The name would resolve to an IP address on your network, the CRM FE Web server in the DMZ.  That web server would then redirect users to AD FS, which must also be accessible over the Internet, which in turn will contact a domain controller to verify the username and password. I'm not sure how to constrain the AD FS server to work with a specific DC. After the user is authenticated they are then taken back to the CRM FE web server which renders the CRM application - this server needs to communicate with the SQL server.

Internal users will browse to a URL that lands them on the internal CRM web server.

I don't see that having two CRM FE web servers would impact either audience set.

I must point out that I have not tried the above configuration so please test it if you can before launching into a production scenario.
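The flows the accepted answer describes, written as a firewall rule audit that compares the DMZ front-end design with the direct-to-internal-IIS option from the question. This is an added example, not part of the original thread; the host labels, the rule format and the use of SQL Server's default TCP port 1433 are assumptions.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str
    dst: str
    port: int

# Hypothetical host labels for the servers named in the thread, mapped to zones.
ZONES = {
    "internet": "internet",
    "dmz-crm-fe": "dmz",         # CRM Front End web server in the DMZ
    "dmz-adfs": "dmz",           # AD FS on the domain controller in the DMZ
    "int-crm-app1": "internal",  # existing CRM App/IIS servers
    "int-crm-app2": "internal",
    "int-sql": "internal",       # SQL server holding the CRM databases
}

# Flows the accepted answer says the DMZ design needs.
REQUIRED = {
    Rule("internet", "dmz-crm-fe", 443),  # https://orgname.companyname.com
    Rule("internet", "dmz-adfs", 443),    # AD FS must be reachable from the Internet
    Rule("dmz-crm-fe", "int-sql", 1433),  # assumption: default SQL Server port
}

# Constructed rule sets: the DMZ design, and the direct-to-internal-IIS option.
PROPOSED = sorted(REQUIRED)
DIRECT = [Rule("internet", "int-crm-app1", 443), Rule("internet", "dmz-adfs", 443)]

def audit(rules):
    """Return (finding, rule) pairs for exposures the DMZ design is meant to avoid."""
    findings = []
    for r in rules:
        s, d = ZONES[r.src], ZONES[r.dst]
        if s == "internet" and d == "internal":
            findings.append(("internet-to-internal", r))
        elif s == "internet" and r.port != 443:
            findings.append(("non-https-exposure", r))
        elif s == "dmz" and d == "internal" and r not in REQUIRED:
            findings.append(("unexpected-dmz-to-internal", r))
    for r in sorted(REQUIRED - set(rules)):
        findings.append(("missing-required-flow", r))
    return findings

if __name__ == "__main__":
    for name, rules in (("PROPOSED", PROPOSED), ("DIRECT", DIRECT)):
        for finding, rule in audit(rules) or [("ok", None)]:
            print(name, finding, rule)
```

The DMZ design passes only because the front end's connection to SQL is listed as required: that single DMZ-to-internal flow is the trade-off raised in the first expert comment.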

Author Closing Comment

by:CTCRM
ID: 40001156
Thanks for the advice provided and I will set this up in development first to test.

Question has a verified solution.