Setting up MSDynamics 2013 IFD setup

Posted on 2014-04-14
Last Modified: 2014-04-15
I'm currently looking at setting up remote access to our recently upgraded MSDynamics CRM platform; we have upgraded from 2011 to 2013.

All of our internal users have access and we have the Dynamics servers sat on the internal network which is protected by the company firewall.

My question is this. I want to implement Internet Facing Deployment using Claims Based Authentication to verify credentials of external users. We also have a Domain Controller in our DMZ with ADFS on it and an unused web server in the DMZ.

I need to know if I can set up IFD on the DC and Web Server in the DMZ, then have them point to the internal Dynamics Application?

It seems that the preference or recommendation is for the IFD to be configured with external users connecting directly to the IIS service on the internal Dynamics servers. I'm not keen on this direct connection and would like to know the best solution.
0
Question by:CTCRM

Expert Comment

by:Feridun Kadir
ID: 39999322
Configuring IFD for CRM 2013 (and 2011) means that you have to expose the CRM web-site to the Internet. Users sign-in using ADFS which redirects incoming access to the CRM web-site.

IFD is configured for a CRM deployment which can have more than one CRM server.

You might be able to do this (but this is supposition on my part - I have not tried this). You could have an internal CRM server that has all CRM roles and then a second CRM server with the Front End roles (which include the CRM web site). Then you configure claims-based authentication and IFD which will apply to all users. But you can arrange for the external URL for external users to land users on the second CRM Server (in your DMZ). However, this second server will need to be able to communicate directly with the SQL server that has the CRM databases so I'm not sure if this helps your requirement.
0

Author Comment

by:CTCRM
ID: 40000961
So, I currently have 3 CRM servers (1xSQL and 2xCRM App/IIS servers) on the internal network.
I also have a Web server in the DMZ that was built and then put on hold until a decision was made.

Would the second Front End server in the DMZ configured to have CRM Front End Roles have any impact on the internal users' access to CRM?

Just to clarify then: remote users would authenticate via AD FS on the DC in the DMZ, which would then point to the CRM FE Web Server in the DMZ, which needs to be able to see the CRM SQL DB?
0

Accepted Solution

by:Feridun Kadir
ID: 40000975
To your last point, external users browse to a URL of the form https://orgname.companyname.com where orgname is the name of the CRM organization. You must create a DNS entry for orgname in the external DNS for your company domain. The name would resolve to an IP address on your network, the CRM FE Web server in the DMZ.  That web server would then redirect users to AD FS, which must also be accessible over the Internet, which in turn will contact a domain controller to verify the username and password. I'm not sure how to constrain the AD FS server to work with a specific DC. After the user is authenticated they are then taken back to the CRM FE web server which renders the CRM application - this server needs to communicate with the SQL server.

Internal users will browse to a URL that lands them on the internal CRM web server.

I don't see that having two CRM FE web servers would impact either audience set.

I must point out that I have not tried the above configuration so please test it if you can before launching into a production scenario.
0
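
The flows described in the accepted answer, turned into a firewall-rule audit that also flags any path from the Internet or DMZ into the internal network beyond the one the design needs. This is an added example, not part of the original thread; the host names, zone names and rule format are hypothetical, AD FS is assumed to sit in the DMZ as in the question, and port 1433 (SQL Server's default) is an assumption about the deployment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str   # host, zone, or "any"
    dst: str
    port: int  # 0 means any port

# Constructed inventory: host -> zone. All names are hypothetical.
ZONE = {"crm-fe-dmz": "dmz", "adfs-dmz": "dmz",
        "crm-app1": "internal", "crm-app2": "internal", "crm-sql": "internal"}

# Flows the answer says must work. 1433 (SQL Server default) is an assumption.
REQUIRED = [("internet", "crm-fe-dmz", 443),
            ("internet", "adfs-dmz", 443),
            ("crm-fe-dmz", "crm-sql", 1433)]

PROBE_PORTS = (80, 443, 445, 1433, 3389)

def matches(field, host):
    """A rule field matches a host by name, by the host's zone, or as 'any'."""
    return field in ("any", host, ZONE.get(host, host))

def permits(rule, src, dst, port):
    return matches(rule.src, src) and matches(rule.dst, dst) and rule.port in (0, port)

def audit(rules):
    """Return (required flows nothing permits, rules that open extra paths inward)."""
    missing = [f for f in REQUIRED if not any(permits(r, *f) for r in rules)]
    internal = [h for h, z in ZONE.items() if z == "internal"]
    outside = ["internet"] + [h for h, z in ZONE.items() if z == "dmz"]
    excessive = []
    for r in rules:
        hits = [(s, d, p) for s in outside for d in internal for p in PROBE_PORTS
                if (s, d, p) not in REQUIRED and permits(r, s, d, p)]
        if hits:
            excessive.append((r, hits[0]))  # first unintended flow as evidence
    return missing, excessive

# Constructed rule set for illustration.
SAMPLE_RULES = [
    Rule("internet", "crm-fe-dmz", 443),
    Rule("internet", "adfs-dmz", 443),
    Rule("dmz", "crm-sql", 1433),       # too broad: adfs-dmz can reach SQL too
    Rule("internet", "crm-app1", 443),  # direct exposure of an internal CRM server
]

if __name__ == "__main__":
    missing, excessive = audit(SAMPLE_RULES)
    print("missing:", missing)
    for rule, flow in excessive:
        print("excessive:", rule, "permits", flow)
```
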

Author Closing Comment

by:CTCRM
ID: 40001156
Thanks for the advice provided and I will set this up in development first to test.
0
