I have the following setup and objective.
CRM has been upgraded from 2011 to 2013 internally for the internal end users, all working fine. (1 x Dynamics SQL box, 2 x Dynamics App/IIS servers)
I need to incorporate external access for users on our domain so no Cross-Domain services required.
I have the 3 CRM servers internally as described above, also 1 x DC internally with AD FS services running on the DC for another application, and 1 front end web server, non-production at the moment in our DMZ originally built for the CRM upgrade.
I want to know the following when wanting to provide CRM access to our AD end users externally:
Can I use the DC which has AD FS on it for CRM? I'm not happy with this, as AD FS with IIS shouldn't really be running on a Domain Controller, unless I'm mistaken.
Or, should I build a dedicated IIS server internally with AD FS running specifically for the CRM platform?
Can I use the Front End Web Server in the DMZ as my CRM front end access server for the external users making sure that it sees the internal CRM SQL server?
So long story short, my external users would type in a URL for example https://crm.mydomain.com into a mobile device. DNS resolves an IP for the CRM Front End web server in the DMZ. Then the Front End server in the DMZ would redirect users to AD FS (wherever that server/service should be), which must also be accessible over the Internet, which in turn will contact a DC to verify the username and password.
Once authenticated the user is then taken back to the Front End Web server in the DMZ which renders the CRM application.
Am I on the right track with this? I just need to know really whether my AD FS server can be the current one on the DC, or should I build a new AD FS server? And should the AD FS server be in the DMZ with the front end server, or internally with everything else?