Solved
Where to install AD FS services

Posted on 2014-04-17
801 Views
Last Modified: 2014-04-22
I have the following setup and objective.

CRM has been upgraded from 2011 to 2013 internally for the internal end users, all working fine. (1 x Dynamics SQL box, 2 x Dynamics App/IIS servers)

I need to incorporate external access for users on our domain so no Cross-Domain services required.

I have the 3 CRM servers internally as described above, also 1 x DC internally with AD FS services running on the DC for another application, and 1 front end web server, non-production at the moment in our DMZ originally built for the CRM upgrade.

I want to know the following when wanting to provide CRM access to our AD end users externally:

Can I use the DC which has AD FS on it for CRM? I'm not happy with this as AD FS with IIS shouldn't really be running on a Domain Controller, unless I'm mistaken.

Or, should I build a dedicated IIS server internally with AD FS running specifically for the CRM platform?

Can I use the Front End Web Server in the DMZ as my CRM front end access server for the external users making sure that it sees the internal CRM SQL server?

So long story short, my external users would type in a URL for example https://crm.mydomain.com into a mobile device. DNS resolves an IP for the CRM Front End web server in the DMZ. Then the Front End server in the DMZ would redirect users to AD FS (wherever that server/service should be), which must also be accessible over the Internet, which in turn will contact a DC to verify the username and password.

Once authenticated the user is then taken back to the Front End Web server in the DMZ which renders the CRM application.

Am I on the right track with this? I just need to know really whether my ADFS server can be the current one on the DC, or should I build a new ADFS server? And should the ADFS server be in the DMZ with the front end server, or internally with everything else?
Question by:CTCRM
10 Comments
LVL 2

Author Comment

by:CTCRM
ID: 40006159
Actually, another question. Can I have AD FS running on the Front End server in the DMZ? Or is that not good practice?
 
LVL 30

Assisted Solution

by:Feridun Kadir
Feridun Kadir earned 600 total points
ID: 40007223
I don't think CRM cares where the AD FS server is located as long as it can communicate with it and the AD FS server is accessible over the Internet by external users.

You can have AD FS and CRM on the same server but AD FS uses the default web site (at least version 2.0 does), so you can't have AD FS on the same server as CRM if it also uses the default web site. CRM can be installed on a new web site but AD FS 2.0 cannot.
 
LVL 2

Author Comment

by:CTCRM
ID: 40008819
So what would be your recommendation:
ADFS on its own server on the internal network, or ADFS on its own server in the DMZ?
 
LVL 30

Expert Comment

by:Feridun Kadir
ID: 40008832
I would put the ADFS server on the internal network. You can set up an AD FS proxy in a DMZ, but that is something I have not tried.
 
LVL 2

Author Comment

by:CTCRM
ID: 40009100
And can the proxy in the DMZ be on the CRM front end Web Server in the DMZ?
 
LVL 38

Accepted Solution

by:Mahesh
Mahesh earned 600 total points
ID: 40009507
An ADFS Proxy server is not mandatory, but it is recommended.

You can publish your ADFS server from the corporate network directly to the internet over NAT if you want to.

However, you can install an ADFS Proxy in the DMZ, which then forwards your ADFS requests to the corporate network ADFS server.
You need to open TCP 443 towards the ADFS proxy server from the internet, and the same port needs to be opened between the ADFS and ADFS Proxy servers bi-directionally.
Also, the same certificate on the ADFS server must be imported on the ADFS Proxy server as well, with its private key.

According to my understanding, you should not put both the backend \ front end server and the ADFS \ ADFS Proxy server on the same host.

Mahesh.
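The accepted answer lists three concrete requirements for a proxy in the DMZ: TCP 443 open between the proxy and the internal ADFS server, the ADFS service certificate imported on the proxy with its private key, and the proxy not sharing a host with the CRM front end. The PowerShell below is an added pre-flight check written for this page, not code from the thread or from Microsoft; it is meant to be run on the prospective proxy host before the proxy role is installed. The hostname and thumbprint are placeholders you substitute with your own values (the thumbprint comes from the ADFS server itself).

```powershell
# Added example (not from the thread): pre-flight checks on the prospective ADFS Proxy
# host in the DMZ, covering the requirements named in the accepted answer.
# $InternalAdfs and $ExpectedThumb are placeholders; replace them with your own values.

$InternalAdfs  = 'adfs.corp.example.local'      # placeholder: internal AD FS server FQDN
$ExpectedThumb = 'THUMBPRINT_FROM_ADFS_SERVER'  # placeholder: read it on the ADFS server with
                                                # Get-ADFSCertificate -CertificateType Service-Communications

function Test-AdfsProxyPrereqs {
    param(
        [Parameter(Mandatory)] [string] $AdfsServer,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $result = [ordered]@{}

    # 1. TCP 443 from this host to the internal ADFS server (the port the answer says must be open).
    #    The reverse direction (ADFS -> proxy on 443) has to be checked from the ADFS server.
    $tcp = Test-NetConnection -ComputerName $AdfsServer -Port 443 -WarningAction SilentlyContinue
    $result.Tcp443ToAdfs = [bool]$tcp.TcpTestSucceeded

    # 2. The same certificate as on the ADFS server must be present here, including its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $result.CertPresent       = [bool]$cert
    $result.CertHasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
    $result.CertNotExpired    = [bool]($cert -and $cert.NotAfter -gt (Get-Date))

    # 3. The answer advises against sharing a host with the CRM front end; list any IIS sites
    #    already defined here so that an unexpected CRM site is visible.
    $result.IisSitesOnHost = @()
    if (Get-Command Get-Website -ErrorAction SilentlyContinue) {
        $result.IisSitesOnHost = @(Get-Website | Select-Object -ExpandProperty Name)
    }

    [pscustomobject]$result
}

$check = Test-AdfsProxyPrereqs -AdfsServer $InternalAdfs -Thumbprint $ExpectedThumb
$check | Format-List

if (-not ($check.Tcp443ToAdfs -and $check.CertPresent -and
          $check.CertHasPrivateKey -and $check.CertNotExpired)) {
    Write-Warning 'ADFS Proxy prerequisites not met: fix the 443 firewall rule or the certificate import first.'
}
```

A thumbprint mismatch or `CertHasPrivateKey = False` is the usual reason a freshly installed proxy cannot establish trust with the internal ADFS server, so it is worth catching before the role install rather than after; the third check is only informational, since the thread leaves the placement of the CRM front end to the CRM vendor's guidance.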
 
LVL 2

Author Comment

by:CTCRM
ID: 40014640
OK, this is what I have in place at the moment and need to know what needs adding, if anything, in terms of servers to complete the external users' access to the internal CRM environment.

Internal CRM = 2 x CRM App/IIS Servers, and 1 x CRM SQL box. This is up and running for all internal users following a 2011 to 2013 upgrade.

Internal ADFS dedicated server built for this implementation but not configured yet.

DMZ = There is 1 x CRM Front End Server, not configured yet, nor being used by users.

Can I have the internal ADFS server pointing straight out to the internet (NAT) to allow external authentication against my internal Domain Controllers, without using the front end Web Server in the DMZ? Or should the front end be included in this implementation?
 
LVL 2

Author Comment

by:CTCRM
ID: 40014667
Hi

I'm going to use an ADFS proxy in the DMZ so that my internal ADFS server is being exposed.

So to clarify now, when using the ADFS proxy does the external user enter the CRM URL on their Internet connected device, which then points to the CRM Front End Web Server in the DMZ which then points to the internal ADFS server via the ADFS proxy in the DMZ, which then authenticates the user against the internal DC before connecting to the internal CRM services before those services are pushed back out to the front end server to present to the external user?

Apologies for the questions, I just want to make sure this is set up correctly as I'm introducing external access to the internal network.
 
LVL 38

Expert Comment

by:Mahesh
ID: 40014744
You are right, the network flow is perfect.

Just put the ADFS Proxy in the DMZ, it will be safe.

Also, you may or may not put the CRM front end server there; you can contact the CRM vendor for best practice on publishing CRM to the internet.
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 40014752
Thanks Guys