Where to install AD FS services

I have the following setup and objective.

CRM has been upgraded from 2011 to 2013 internally for the internal end users, all working fine. (1 x Dynamics SQL box, 2 x Dynamics App/IIS servers)

I need to incorporate external access for users on our domain so no Cross-Domain services required.

I have the 3 CRM servers internally as described above, also 1 x DC internally with AD FS services running on the DC for another application, and 1 front end web server, non-production at the moment in our DMZ originally built for the CRM upgrade.

I want to know the following when wanting to provide CRM access to our AD end users externally:

Can I use the DC which has AD FS on it for CRM? I'm not happy with this as AD FS with IIS shouldn't really be running on a Domain Controller, unless I'm mistaken.

Or, should I build a dedicated IIS server internally with AD FS running specifically for the CRM platform?

Can I use the Front End Web Server in the DMZ as my CRM front end access server for the external users making sure that it sees the internal CRM SQL server?

So long story short, my external users would type in a URL for example https://crm.mydomain.com into a mobile device. DNS resolves an IP for the CRM Front End web server in the DMZ. Then the Front End server in the DMZ would redirect users to AD FS (wherever that server/service should be), which must also be accessible over the Internet, which in turn will contact a DC to verify the username and password.

Once authenticated the user is then taken back to the Front End Web server in the DMZ which renders the CRM application.

Am I on the right track with this? I just need to know really whether my ADFS server can be the current one on the DC, or should I build a new ADFS server? And should the ADFS server be in the DMZ with the front end server, or internally with everything else?
CTCRM (Infrastructure Engineer) asked:
Mahesh (Architect) commented:
ADFS Proxy server is not mandatory but recommended

You can publish your ADFS server from corporate network directly to internet over NAT if wanted to.

However, you can install an ADFS Proxy in the DMZ, which then forwards your ADFS requests to the corporate network ADFS server.
You need to open TCP 443 towards the ADFS Proxy server from the internet, and the same port needs to be opened between the ADFS and ADFS Proxy servers bi-directionally.
Also, the same certificate as on the ADFS server must be imported on the ADFS Proxy server as well, with its private key.

According to my understanding, you should not put both the back end / front end server and the ADFS / ADFS Proxy server on the same host.
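The three prerequisites in the answer above (TCP 443 open from the proxy to the internal ADFS server, the service certificate present on the proxy with its private key, and only 443 exposed to the internet) can be verified from the proxy itself. The PowerShell below is an added example, not code from the thread or from Microsoft; the federation service name `sts.mydomain.com` and the internal host `adfs01.mydomain.local` are assumed placeholders to replace with your own values.

```powershell
# Added example: run on the ADFS Proxy in the DMZ after importing the certificate.
# Hostnames are assumed placeholders, not values from the original thread.
$FederationServiceName = 'sts.mydomain.com'       # assumed: public federation service name
$InternalAdfsServer    = 'adfs01.mydomain.local'  # assumed: internal ADFS server

# 1. TCP 443 from the proxy to the internal ADFS server must be reachable,
#    otherwise the proxy has nothing to forward requests to.
$tcp = Test-NetConnection -ComputerName $InternalAdfsServer -Port 443
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 443 to $InternalAdfsServer is blocked; the proxy cannot forward ADFS requests."
}

# 2. The service communications certificate must be in the machine store WITH its
#    private key, cover the federation service name, and still be valid.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationServiceName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate for $FederationServiceName found in LocalMachine\My."
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) was imported without its private key (export as PFX from the ADFS server)."
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
} else {
    "Certificate $($cert.Thumbprint) is usable for $FederationServiceName (expires $($cert.NotAfter))."
}

# 3. The proxy should expose nothing but 443 on its internet-facing interface.
#    Anything else listening on all addresses is worth a second look before go-live.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ne 443 -and $_.LocalAddress -in @('0.0.0.0', '::') } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 4. End-to-end check through the proxy: the federation metadata document must be
#    served on the public name (the path below is the standard AD FS metadata endpoint).
try {
    $meta = Invoke-WebRequest -Uri "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
    "Federation metadata returned HTTP $($meta.StatusCode) via the proxy."
} catch {
    Write-Warning "Federation metadata not reachable via $FederationServiceName`: $($_.Exception.Message)"
}
```

Run it from an elevated prompt on the proxy; the metadata request in step 4 goes through the public name, so it also confirms that external DNS and the NAT rule to the proxy are in place.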

CTCRM (Infrastructure Engineer, author) commented:
Actually, another question. Can I have AD FS running on the Front End server in the DMZ? or is that not good practice?
Feridun Kadir (Principal Consultant) commented:
I don't think CRM cares where the AD FS server is located as long as it can communicate with it and the AD FS server is accessible over the Internet by external users.

You can have AD FS and CRM on the same server, but AD FS uses the default web site (at least version 2.0 does), so you can't have AD FS on the same server as CRM if it also uses the default web site. CRM can be installed on a new web site but AD FS 2.0 cannot.

CTCRM (Infrastructure Engineer, author) commented:
So what would be your recommendation;
ADFS on its own server on the internal network, or ADFS on its own server in the DMZ?
Feridun Kadir (Principal Consultant) commented:
I would put the ADFS server on the internal network. You can set up an AD FS proxy in a DMZ but that is something I have not tried.
CTCRM (Infrastructure Engineer, author) commented:
And can the proxy in the DMZ be on the CRM front end Web Server in the DMZ?
CTCRM (Infrastructure Engineer, author) commented:
OK, this is what I have in place at the moment, and I need to know what needs adding, if anything, in terms of servers to complete the external users' access to the internal CRM environment.

Internal CRM = 2 x CRM App/IIS Servers, and 1 x CRM SQL box. This is up and running for all internal users following a 2011 to 2013 upgrade.

Internal ADFS dedicated server built for this implementation but not configured yet.

DMZ = There is 1 x CRM Front End Server, not configured yet, nor being used by users.

Can I have the internal ADFS server pointing straight out to the internet (NAT) to allow external authentication against my internal Domain Controllers, without using the front end Web Server in the DMZ? Or should the front end be included in this implementation?
CTCRM (Infrastructure Engineer, author) commented:

I'm going to use an ADFS proxy in the DMZ so that my internal ADFS server is being exposed.

So to clarify now, when using the ADFS proxy does the external user enter the CRM URL on their Internet connected device, which then points to the CRM Front End Web Server in the DMZ which then points to the internal ADFS server via the ADFS proxy in the DMZ, which then authenticates the user against the internal DC before connecting to the internal CRM services before those services are pushed back out to the front end server to present to the external user?

Apologies for the questions; I just want to make sure this is set up correctly, as I'm introducing external access to the internal network.
You are right, the network flow is perfect.

Just put the ADFS Proxy in the DMZ; it will be safe.

Also, you may or may not put in the CRM front end server; you can contact the CRM vendor for best practice on publishing CRM to the internet.
CTCRM (Infrastructure Engineer, author) commented:
Thanks Guys