ADFS Proxy in the DMZ for CRM Dynamics 2013

Guys, I have been at this for weeks trying to resolve this issue with different configurations.

I have managed to configure my internal ADFS 2.0 server to allow internal users access to the CRM 2013 platform (SSO).

I now want to allow the same access to external users out on the public domain (staff members with Internet access).

I have placed an ADFS 2.0 Proxy server in our DMZ which connects to the internal ADFS server. However, I am stuck here because I can't see how the external user will gain access to the internal CRM platform once authenticated over ADFS.

Does ADFS issue the token to the user once authenticated and then the user accesses CRM via/through the ADFS Proxy server? If that is the case then that's fine as I'm only using the single Externally facing (Public) IP address.
CTCRM (Infrastructure Engineer) asked:

Brad Groux (Senior Manager, Wintel Engineering) commented:
All ADFS authentication traffic takes place over SSL (Port 443). So, your ADFS Proxy Server needs port 443 access to at least one of your domain controllers.
Kyle Abrahams (Senior .Net Developer) commented:
Your understanding is correct:

ADFS proxy will issue the challenge, you pass credentials over https . . . that then talks to the real ADFS server. If authentication is successful, it will issue a secure cookie to the browser which the site will then accept as you being authenticated.

Note that the CRM website would still need to be publicly accessible, but using the ADFS authentication binaries.
CTCRM (Infrastructure Engineer, Author) commented:
So, with this implementation I do not need any other server such as a Front End CRM Web server along side the ADFS Proxy server in the DMZ to present CRM web pages to the external users once ADFS has granted access with a token?
CTCRM (Infrastructure Engineer, Author) commented:
Looking at the diagrams on the link provided it shows 2 servers in the DMZ, this is the configuration I originally configured but then after talking to Microsoft they have told me that I don't need the Front End Web Server (CRM) because it pretty much does the same job as the ADFS Proxy server, plus it increases the DMZ footprint.

I'm just struggling to understand how (logically) the external user views CRM on their publicly attached device; are the requests and CRM pages presented through/via the Proxy server if this is the only server in the DMZ?
Brad Groux (Senior Manager, Wintel Engineering) commented:
The easiest way I can explain it is, ADFS utilizes the SAML protocol to pass authentication. It is a token-based process and the web proxies authenticate the users to your domain controllers over port 443 across the firewall.

You can read up on just how ADFS and SAML works, or you can trust that it is a technology used by hundreds of millions of clients across countless networks. An example is if you have HBO Go, Showtime Anytime or ESPN3 you authenticate with SAML to get access to those premium content sites via your television provider's network.

EDIT: And yes, the proxy is the only server that needs to be in the DMZ.

If you'd like a full understanding check out the "Demystified Series: ADFS" on Microsoft's Channel 9 -

Kyle Abrahams (Senior .Net Developer) commented:
I'm thinking that they meant you only needed the Front End Web Server and NOT the adfs proxy server.  I don't see how anyone could get to the CRM app without it being accessible to the outside world.  I would double check that with Microsoft to get a confirmation if they're saying you can hit the CRM through the adfs proxy server.

Brad . . . from my understanding the question isn't about how ADFS works . . . the question is about how they access the CRM app once they authenticate against ADFS.
CTCRM (Infrastructure Engineer, Author) commented:
Hi Kyle/Brad

Thanks for the information, you're right Kyle, I understand the ADFS side of the implementation in terms of authenticating users to access applications, I have this working for my internal users over ADFS (SSO) and there are no issues there. I'm just struggling to see how CRM as an application is presented to the external users on the Public domain. Does the ADFS Proxy server also work as a proxy for CRM? With the Proxy server being the only DMZ server for this project, I have no other way of seeing this working.

I'm going to take a look at the links you have provided Brad because I'm clearly missing something here and will chase Microsoft for a reply to the same question.
CTCRM (Infrastructure Engineer, Author) commented:
OK Guys I've found the following which specifies just the ADFS Proxy in the DMZ, with the CRM session therefore being presented through that server.
CTCRM (Infrastructure Engineer, Author) commented:
Hi Guys

I have just spoken to Microsoft and they have provided the following.

When configuring Claims-Based Authentication/IFD on the CRM server/s the Metadata page created in ADFS is updated and acts as the association between CRM and ADFS along with the configuration of Relying Party Trusts. When the external user receives the ADFS Token they will connect to the CRM environment via the ADFS Proxy server, this means data transfer between the end user and CRM goes through the ADFS Proxy connection.
CTCRM (Infrastructure Engineer, Author) commented:
Aaaaaaaaaaarrrrrrrrrrrrrrrrrrrrrrrrrrrrrrgggghhhhhh, Microsoft Support are rubbish.

So I think I have got to the bottom of this, however, not yet configured and tested. It seems that they were right in saying to remove the CRM Front End web server but not right in saying that we only need one external IP address. You do need 2 x external IP addresses so you end up having to punch 2 holes through the firewall with one hole providing a direct connection to CRM.

I'll update this request once I have the testing done.
Kyle Abrahams (Senior .Net Developer) commented:
That makes a lot more sense.  I was surprised when they said they were actually establishing a proxy connection (ala, a function of a real proxy) to bridge the network.  Made me think there was still more to learn about ADFS.

From my understanding the workflow is:

1) Connect to client app
2) Check authenticated
3) If authenticated, pass through; if not, redirect to ADFS
4) If applicable, authenticate to ADFS and redirect back to client site

If the app isn't visible from the outside world there's no way they can hit it.
CTCRM (Infrastructure Engineer, Author) commented:
Hi Guys

Finally got there.

Removed the front end CRM web server in the DMZ leaving just the ADFS Proxy server in the DMZ
Assigned one external IP address to the ADFS server/service
Assigned a second external IP address to the CRM internal environment (not totally happy with this but hey!)
Configured the external Addresses on the firewall to point to those services over NAT

I can now access CRM via ADFS externally. The only issue I have is that the external users are being presented with 2 login screens: the first 'Windows Security' login box pointing to the sts service on the Proxy server, and then the Form Based 'Sign-In' window for authenticating against AD. So I'm not sure how to get rid of the first window, as we shouldn't be seeing this.
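The following is an added example (not code from this thread, from Microsoft or from the ADFS/CRM products) that simulates the passive sign-in workflow Kyle lists above and the final two-public-address layout CTCRM ended up with: the browser first hits CRM, is redirected to the STS (reached through the ADFS proxy), posts the token back to CRM, and then talks to CRM directly with a session cookie. All hostnames, addresses and the signing key are constructed; the "relying party trust" is reduced to a shared key plus issuer/audience checks, standing in for the signing certificate and metadata the thread mentions.

```python
"""Simulated WS-Federation passive sign-in: browser, ADFS proxy in the DMZ,
internal STS and a CRM relying party. Added example with constructed names,
addresses and keys; it is not code from the thread or from Microsoft."""
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed public DNS: the STS name resolves to the ADFS proxy in the DMZ,
# the CRM name to a second NAT'd public address in front of the internal CRM.
PUBLIC_DNS = {
    "sts.example.com": "203.0.113.10",
    "crm.example.com": "203.0.113.11",
}
STS_ISSUER = "http://sts.example.com/adfs/services/trust"
CRM_REALM = "https://crm.example.com/"        # wtrealm / audience in the RP trust
SIGNING_KEY = b"constructed-signing-key"       # stands in for the token-signing cert


def sign_token(claims):
    """Toy token: JSON claims plus an HMAC (real ADFS issues an XML-signed SAML token)."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token, expected_issuer, expected_audience):
    """Relying-party check: signature, issuer and audience must all match the
    trust; return the claims, or None when the token has to be rejected."""
    body, _, mac = token.rpartition(".")
    want = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, want):
        return None
    claims = json.loads(body)
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    return claims


class InternalSts:
    def issue(self, user, realm):
        return sign_token({"iss": STS_ISSUER, "aud": realm, "upn": user})


class AdfsProxy:
    """DMZ proxy: relays the sign-in to the internal STS and hands the token
    back to the browser. It never carries CRM page traffic."""
    def __init__(self, internal_sts):
        self.internal_sts = internal_sts

    def signin(self, location, user):
        realm = parse_qs(urlparse(location).query)["wtrealm"][0]
        return self.internal_sts.issue(user, realm)


class CrmRelyingParty:
    """CRM with claims-based auth (IFD): redirects anonymous users to the STS,
    accepts a posted token, then serves pages against its own session cookie."""
    def __init__(self):
        self.sessions = set()

    def get(self, cookie):
        if cookie in self.sessions:
            return {"status": 200}
        query = urlencode({"wa": "wsignin1.0", "wtrealm": CRM_REALM})
        return {"status": 302, "location": "https://sts.example.com/adfs/ls/?" + query}

    def post_wresult(self, token):
        if verify_token(token, STS_ISSUER, CRM_REALM) is None:
            return {"status": 401}
        cookie = "FedAuth-" + hashlib.sha256(token.encode()).hexdigest()[:16]
        self.sessions.add(cookie)
        return {"status": 302, "location": CRM_REALM, "set_cookie": cookie}


def browser_signin(user, dns=PUBLIC_DNS):
    """Walk the flow and return (final status, public IPs the browser contacted).
    A hostname missing from dns aborts the flow, as a missing NAT rule would."""
    crm, proxy, contacted = CrmRelyingParty(), AdfsProxy(InternalSts()), []

    def connect(url):
        host = urlparse(url).hostname
        if host not in dns:
            raise ConnectionError(host + " has no public address")
        contacted.append(dns[host])

    try:
        connect(CRM_REALM)                       # 1) browser opens the CRM app
        r = crm.get(cookie=None)                 # 2) no session yet ...
        connect(r["location"])                   # 3) ... redirected to the STS (proxy)
        token = proxy.signin(r["location"], user)
        connect(CRM_REALM)                       # 4) token posted back to CRM
        r = crm.post_wresult(token)
        if r["status"] != 302:
            return r["status"], contacted
        connect(r["location"])                   # 5) authenticated request to CRM
        return crm.get(r["set_cookie"])["status"], contacted
    except ConnectionError as exc:
        return str(exc), contacted


if __name__ == "__main__":
    print(browser_signin("alice@example.com"))
```

Running it with the full DNS table returns status 200 and shows the browser touching both public addresses, the proxy's and CRM's; dropping the CRM entry aborts at the very first request, which is Kyle's point that the app has to be reachable from outside regardless of the proxy. The `verify_token` step is where the relying party trust bites: a token for another realm, or one that has been altered, is refused even though it came from the right STS.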
CTCRM (Infrastructure Engineer, Author) commented:
Got there eventually, thanks guys