Solved

Where to install AD FS services

Posted on 2014-04-17
736 Views
Last Modified: 2014-04-22
I have the following setup and objective.

CRM has been upgraded from 2011 to 2013 internally for the internal end users, all working fine. (1 x Dynamics SQL box, 2 x Dynamics App/IIS servers)

I need to incorporate external access for users on our domain so no Cross-Domain services required.

I have the 3 CRM servers internally as described above, also 1 x DC internally with AD FS services running on the DC for another application, and 1 front end web server, non-production at the moment in our DMZ originally built for the CRM upgrade.

I want to know the following when wanting to provide CRM access to our AD end users externally:

Can I use the DC which has AD FS on it for CRM? I'm not happy with this as AD FS with IIS shouldn't really be running on a Domain Controller, unless I'm mistaken.

Or, should I build a dedicated IIS server internally with AD FS running specifically for the CRM platform?

Can I use the Front End Web Server in the DMZ as my CRM front end access server for the external users making sure that it sees the internal CRM SQL server?

So long story short, my external users would type in a URL for example https://crm.mydomain.com into a mobile device. DNS resolves an IP for the CRM Front End web server in the DMZ. Then the Front End server in the DMZ would redirect users to AD FS (wherever that server/service should be), which must also be accessible over the Internet, which in turn will contact a DC to verify the username and password.

Once authenticated the user is then taken back to the Front End Web server in the DMZ which renders the CRM application.

Am I on the right track with this? I just need to know really whether my ADFS server can be the current one on the DC, or should I build a new ADFS server? And should the ADFS server be in the DMZ with the front end server, or internally with everything else?
Question by:CTCRM
10 Comments
 
LVL 2

Author Comment

by:CTCRM
ID: 40006159
Actually, another question. Can I have AD FS running on the Front End server in the DMZ? or is that not good practice?
 
LVL 29

Assisted Solution

by:feridun
feridun earned 200 total points
ID: 40007223
I don't think CRM cares where the AD FS server is located as long as it can communicate with it and the AD FS server is accessible over the Internet by external users.

You can have AD FS and CRM on the same server, but AD FS uses the default web site (at least version 2.0 does), so you can't have AD FS on the same server as CRM if it also uses the default web site. CRM can be installed on a new web site but AD FS 2.0 cannot.
 
LVL 2

Author Comment

by:CTCRM
ID: 40008819
So what would be your recommendation:
ADFS on its own server on the internal network, or ADFS on its own server in the DMZ?
 
LVL 29

Expert Comment

by:feridun
ID: 40008832
I would put the ADFS server on the internal network. You can set up an AD FS proxy in a DMZ but that is something I have not tried.
 
LVL 2

Author Comment

by:CTCRM
ID: 40009100
And can the proxy in the DMZ be on the CRM front end Web Server in the DMZ?
 
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 200 total points
ID: 40009507
An ADFS Proxy server is not mandatory but recommended.

You can publish your ADFS server from the corporate network directly to the internet over NAT if you want to.

However, you can install an ADFS Proxy in the DMZ, which then forwards your ADFS requests to the corporate network ADFS server.
You need to open TCP 443 towards the ADFS proxy server from the internet, and the same port needs to be opened between the ADFS and ADFS Proxy server bi-directionally.
Also, the same certificate on the ADFS server must be imported on the ADFS Proxy server as well, with its private key.

According to my understanding, you should not put both the backend / front end server and the ADFS / ADFS Proxy server on the same host.

Mahesh.
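The prerequisites Mahesh lists (TCP 443 open to the proxy and between proxy and federation server, the same service certificate imported with its private key) can be checked from the DMZ proxy host before the proxy role is configured. The script below is an added example written for this thread, not something any participant posted: the federation service name, the internal AD FS host name and the certificate thumbprint are placeholders, and it relies only on standard cmdlets (Resolve-DnsName and Test-NetConnection ship with Windows Server 2012 and later; the federation metadata path is the standard AD FS endpoint).

```powershell
# Added example: pre-flight checks run on the AD FS proxy host in the DMZ.
# All three values below are assumptions/placeholders, not from the thread.
param(
    [string]$FederationServiceName = 'adfs.mydomain.com',        # assumed public federation name
    [string]$InternalAdfsHost      = 'ADFS01.corp.mydomain.com', # assumed internal AD FS server
    [string]$ExpectedThumbprint    = 'PLACEHOLDER_THUMBPRINT'    # thumbprint of the cert on the internal AD FS server
)

$results = @()

# 1. On the proxy, the federation service name must resolve to the INTERNAL AD FS
#    server (hosts file entry or split DNS), not to the proxy's own public address.
$dns = Resolve-DnsName -Name $FederationServiceName -ErrorAction SilentlyContinue
$addresses = ($dns | Where-Object { $_.Type -in 'A', 'AAAA' } | ForEach-Object { $_.IPAddress }) -join ','
$results += [pscustomobject]@{
    Check  = "DNS: $FederationServiceName resolves"
    Result = [bool]$dns
    Detail = $addresses
}

# 2. TCP 443 from the proxy to the internal AD FS server, the only port the
#    thread says must be open between the two.
$tcp = Test-NetConnection -ComputerName $InternalAdfsHost -Port 443 -WarningAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'TCP 443 proxy -> internal AD FS'
    Result = $tcp.TcpTestSucceeded
    Detail = $tcp.RemoteAddress
}

# 3. The same service-communications certificate must be in the local machine
#    Personal store WITH its private key (a public-only import silently breaks TLS).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if ($cert) {
    $certOk     = $cert.HasPrivateKey
    $certDetail = "$($cert.Subject) expires $($cert.NotAfter)"
} else {
    $certOk     = $false
    $certDetail = 'certificate not found in Cert:\LocalMachine\My'
}
$results += [pscustomobject]@{
    Check  = 'Service cert present with private key'
    Result = $certOk
    Detail = $certDetail
}

# 4. Federation metadata reachable over HTTPS via the name the proxy will front.
#    This exercises DNS, port 443 and the TLS certificate chain in one go.
$metaUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp     = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing -ErrorAction Stop
    $metaOk   = ($resp.StatusCode -eq 200) -and ($resp.Content -like '*EntityDescriptor*')
    $metaInfo = "HTTP $($resp.StatusCode)"
} catch {
    $metaOk   = $false
    $metaInfo = $_.Exception.Message
}
$results += [pscustomobject]@{
    Check  = 'Federation metadata over 443'
    Result = $metaOk
    Detail = $metaInfo
}

$results | Format-Table -AutoSize
# Non-zero exit if any check failed, so it can gate a change window script.
if ($results.Result -contains $false) { exit 1 }
```

Run it in an elevated PowerShell session on the proxy host; a failed check 1 usually means the proxy is resolving the public name to itself, and a failed check 3 with "certificate not found" means the PFX (not just the .cer) still has to be imported.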
 
LVL 2

Author Comment

by:CTCRM
ID: 40014640
OK, this is what I have in place at the moment and need to know what needs adding, if anything, in terms of servers to complete the external users' access to the internal CRM environment.

Internal CRM = 2 x CRM App/IIS Servers, and 1 x CRM SQL box. This is up and running for all internal users following a 2011 to 2013 upgrade.

Internal ADFS dedicated server built for this implementation but not configured yet.

DMZ = There is 1 x CRM Front End Server, not configured yet, nor being used by users.

Can I have the internal ADFS server pointing straight out to the internet (NAT) to allow external authentication against my internal Domain Controllers, without using the front end Web Server in the DMZ? Or should the front end be included in this implementation?
 
LVL 2

Author Comment

by:CTCRM
ID: 40014667
Hi

I'm going to use an ADFS proxy in the DMZ so that my internal ADFS server is being exposed.

So to clarify now, when using the ADFS proxy does the external user enter the CRM URL on their Internet connected device, which then points to the CRM Front End Web Server in the DMZ which then points to the internal ADFS server via the ADFS proxy in the DMZ, which then authenticates the user against the internal DC before connecting to the internal CRM services before those services are pushed back out to the front end server to present to the external user?

Apologies for the questions, I just want to make sure this is set up correctly as I'm introducing external access to the internal network.
 
LVL 35

Expert Comment

by:Mahesh
ID: 40014744
You are right, the network flow is perfect.

Just put the ADFS Proxy in the DMZ, it will be safe.

Also, you may or may not put in the CRM front end server; you can contact the CRM vendor for best practice on publishing CRM to the internet.
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 40014752
Thanks Guys
