ADFS Proxy in the DMZ for CRM Dynamics 2013

Asked by CTCRM (United Kingdom):

Guys, I have been at this for weeks trying to resolve this issue with different configurations.

I have managed to configure my internal ADFS 2.0 server to allow internal users access to the CRM 2013 platform (SSO).

I now want to allow the same access to external users out on the public domain (staff members with Internet access).

I have placed an ADFS 2.0 Proxy server in our DMZ which connects to the internal ADFS server. However, I am stuck here because I can't see how the external user will gain access to the internal CRM platform once authenticated over ADFS.

Does ADFS issue the token to the user once authenticated and then the user accesses CRM via/through the ADFS Proxy server? If that is the case then that's fine as I'm only using the single Externally facing (Public) IP address.
Brad Groux (United States):

All ADFS authentication traffic takes place over SSL (Port 443). So, your ADFS Proxy Server needs port 443 access to at least one of your domain controllers.
SOLUTION from Kyle Abrahams, PMP (United States): members-only content, not shown on this page.
CTCRM (Asker):

So, with this implementation I do not need any other server such as a Front End CRM Web server along side the ADFS Proxy server in the DMZ to present CRM web pages to the external users once ADFS has granted access with a token?
CTCRM (Asker):

Kyle,
Looking at the diagrams on the link provided it shows 2 servers in the DMZ. This is the configuration I originally configured, but then after talking to Microsoft they have told me that I don't need the Front End Web Server (CRM) because it pretty much does the same job as the ADFS Proxy server, plus it increases the DMZ footprint.

I'm just struggling to understand how (logically) the external user views CRM on their publicly attached device; are the requests and CRM pages presented through/via the Proxy server if this is the only server in the DMZ?
ASKER CERTIFIED SOLUTION: members-only content, not shown on this page.
I'm thinking that they meant you only needed the Front End Web Server and NOT the adfs proxy server.  I don't see how anyone could get to the CRM app without it being accessible to the outside world.  I would double check that with Microsoft to get a confirmation if they're saying you can hit the CRM through the adfs proxy server.

Brad . . . from my understanding the question isn't about how ADFS works . . . the question is about how they access the CRM app once they authenticate against ADFS.
CTCRM (Asker):

Hi Kyle/Brad

Thanks for the information. You're right Kyle, I understand the ADFS side of the implementation in terms of authenticating users to access applications; I have this working for my internal users over ADFS (SSO) and there are no issues there. I'm just struggling to see how CRM as an application is presented to the external users on the Public domain. Does the ADFS Proxy server also work as a proxy for CRM? With the Proxy server being the only DMZ server for this project, I have no other way of seeing this working.

I'm going to take a look at the links you have provided Brad because I'm clearly missing something here and will chase Microsoft for a reply to the same question.
CTCRM (Asker):

OK Guys, I've found the following which specifies just the ADFS Proxy in the DMZ, and the CRM session is therefore presented through that server.

http://crmbook.powerobjects.com/system-administration/server-installation/multiple-server-deployment-2/
http://crmbook.powerobjects.com/system-administration/server-installation/authentication-models/
CTCRM (Asker):

Hi Guys

I have just spoken to Microsoft and they have provided the following.

When configuring Claims-Based Authentication/IFD on the CRM server/s the Metadata page created in ADFS is updated and acts as the association between CRM and ADFS along with the configuration of Relying Party Trusts. When the external user receives the ADFS Token they will connect to the CRM environment via the ADFS Proxy server, this means data transfer between the end user and CRM goes through the ADFS Proxy connection.
CTCRM (Asker):

Aaaaaaaaaaarrrrrrrrrrrrrrrrrrrrrrrrrrrrrrgggghhhhhh, Microsoft Support are rubbish.

So I think I have got to the bottom of this, however, not yet configured and tested. It seems that they were right in saying to remove the CRM Front End web server but not right in saying that we only need one external IP address. You do need 2 x external IP addresses so you end up having to punch 2 holes through the firewall with one hole providing a direct connection to CRM.

I'll update this request once I have the testing done.
That makes a lot more sense.  I was surprised when they said they were actually establishing a proxy connection (ala, a function of a real proxy) to bridge the network.  Made me think there was still more to learn about ADFS.

From my understanding the workflow is:

1) Connect to client app
2) Check authenticated
3) If authenticated, pass through; if not, redirect to ADFS
4) If applicable, authenticate to ADFS and redirect back to client site

If the app isn't visible from the outside world there's no way they can hit it.
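The sign-in sequence Kyle lists above, modelled as an added example (not code from the thread, from Microsoft or from the CRM product): the browser is redirected from CRM to the STS on the ADFS proxy and then posted back to CRM with a signed token, so it must be able to reach both hosts directly, which is why the asker ended up with two external addresses. The host names, the `FedAuth` cookie name and the HMAC used as a stand-in for ADFS's certificate signature are assumptions made for the example.

```python
"""Model of the WS-Federation passive sign-in flow Dynamics CRM IFD uses with ADFS."""
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

STS_HOST = "sts.example.com"   # assumption: public name of the ADFS proxy
CRM_HOST = "crm.example.com"   # assumption: public name of the CRM IFD endpoint
_SIGNING_KEY = b"stand-in for the ADFS token-signing certificate"  # constructed


def crm_request(path, cookies):
    """CRM as relying party: pass through if authenticated, else redirect to ADFS."""
    if "FedAuth" in cookies:
        return {"status": 200, "host": CRM_HOST, "body": f"{path} for {cookies['FedAuth']}"}
    q = urlencode({"wa": "wsignin1.0", "wtrealm": f"https://{CRM_HOST}/", "wctx": path})
    return {"status": 302, "host": CRM_HOST, "location": f"https://{STS_HOST}/adfs/ls/?{q}"}


def adfs_signin(location, user):
    """ADFS (reached via the proxy): authenticate the user, sign a token for wtrealm."""
    params = parse_qs(urlparse(location).query)
    realm, ctx = params["wtrealm"][0], params["wctx"][0]
    claims = json.dumps({"upn": user, "aud": realm}, sort_keys=True)
    sig = hmac.new(_SIGNING_KEY, claims.encode(), hashlib.sha256).hexdigest()
    # The browser auto-posts this form back to the relying party, not to the proxy.
    return {"host": STS_HOST, "post_to": realm, "wresult": f"{claims}|{sig}", "wctx": ctx}


def crm_signin(post):
    """CRM checks the signature and audience, then issues its own session cookie."""
    claims_json, sig = post["wresult"].rsplit("|", 1)
    expected = hmac.new(_SIGNING_KEY, claims_json.encode(), hashlib.sha256).hexdigest()
    claims = json.loads(claims_json)
    if not hmac.compare_digest(sig, expected) or claims["aud"] != post["post_to"]:
        return {"status": 401, "host": CRM_HOST, "cookies": {}}
    return {"status": 302, "host": CRM_HOST, "cookies": {"FedAuth": claims["upn"]},
            "location": post["wctx"]}


def external_signin(user, path="/main.aspx"):
    """Run the whole flow and record every host the browser had to reach directly."""
    hosts, cookies = [], {}
    r1 = crm_request(path, cookies); hosts.append(r1["host"])
    r2 = adfs_signin(r1["location"], user); hosts.append(r2["host"])
    r3 = crm_signin(r2); hosts.append(r3["host"])
    cookies.update(r3["cookies"])
    r4 = crm_request(r3["location"], cookies); hosts.append(r4["host"])
    return r4, sorted(set(hosts))
```

Nothing in the flow makes the STS relay CRM pages: after the token post the browser talks to CRM on its own name, so CRM needs its own external route through the firewall.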
CTCRM (Asker):

Hi Guys

Finally got there.

Removed the front end CRM web server in the DMZ leaving just the ADFS Proxy server in the DMZ
Assigned one external IP address to the ADFS server/service
Assigned a second external IP address to the CRM internal environment (not totally happy with this but hey!)
Configured the external Addresses on the firewall to point to those services over NAT

I can now access CRM via ADFS externally. The only issue I have is that the external users are being presented with 2 login screens: the first, a 'Windows Security' login box pointing to the sts service on the Proxy server, and then the Forms Based 'Sign-In' window for authenticating against AD. Not sure how to get rid of the first window as we shouldn't be seeing this.
CTCRM (Asker):

Got there eventually, thanks guys