Mattia Minervini
asked on
Setting up ADFS and ADFS proxy for MS Dynamics 2013 on premise with split domain condition and wildcard certificate
Hi
I have Dynamics on a Windows 2012 Std server in a domain environment.
I want to deploy with ADFS so users can access it without establishing a VPN; we can move to HTTPS and use the mobile app for Dynamics CRM.
So I made a Windows 2012 Std. server in the domain called SRVADFS, and a second Windows 2012 Std. server called SRVADFSPROXY in the DMZ with HTTPS traffic enabled to SRVADFS.
I have a 3-year wildcard certificate ready to use, but I have a split domain (so the external domain is mattia.it and the internal is met.local).
The environment is not so big (10 users for Dynamics).
I really need a useful guide to deploy ADFS in my situation, not general links to general posts.
I have found a lot of info about Windows 2012 R2, but I have Windows 2012, and nothing on how to manage the split domain condition (a mix of wildcard and SAN certificate?).
Please help, sorry for my English, ask me for details.
Thanks
Mattia
You definitely should not put CRM in the DMZ.
I'm afraid I can't help you with ADFS using a proxy server. Did you review the Microsoft document at the link I provided above? There is something on page 16.
So, you wanted to use Web Application Proxy to publish CRM on the internet; you need 2012 R2 for that.
ASKER
My question was about it...
Is there a way with this release of Windows with only the ADFS proxy in the DMZ??
"I have Dynamics on a Windows 2012 Std server in a domain environment
I want to deploy with ADFS so users can access it without establishing a VPN; we can move to HTTPS and use the mobile app for Dynamics CRM.
So I made a Windows 2012 Std. server in the domain called SRVADFS, and a second Windows 2012 Std. server called SRVADFSPROXY in the DMZ with HTTPS traffic enabled to SRVADFS"
ASKER
Only by testing did I realize that with ADFS 2.0 (Windows 2012) I have to put CRM in the DMZ with the ADFS proxy.
There's a lot of incorrect info (diagrams, posts) about this scenario.
To avoid putting CRM in the DMZ I need ADFS 3.0 (Windows 2012 R2) and WAP (Web Application Proxy) enabled on the DMZ machine, so it provides the auth proxy (ADFS proxy) and the web app proxy.
My goal was no VPN, no CRM in the DMZ, no domain machine in the DMZ.
Next week I'll try with 2012 R2, but this is the right way. Thanks contributors for the info.
"adfs.domain.com" is unique and you cannot have multiple namespaces for ADFS.
You have to have the domain.com zone within the internal network and the external network, so that internal queries to ADFS will be resolved to its private IP while external queries will hit the public DNS.
ADFS does work on wildcard certificates; I don't see any issue with that.
The certificate used on ADFS must be exported and used on the ADFS proxy as well, otherwise the setup won't work.
There are guides available on the internet to set up basic ADFS and ADFS proxy; you need a guide on how to integrate CRM with ADFS.
I think guides are available on the internet, because I am not a CRM expert.
Since you have only 10 users, you can have a single ADFS and ADFS proxy; if you need HA then you need 2x ADFS and 2x ADFS proxy servers.
Mahesh
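A concrete way to carry out the split-brain DNS and certificate steps Mahesh describes, as an added example that is not from the thread. It assumes the federation service name adfs.mattia.it (the asker's external domain), a constructed private IP for SRVADFS, and the DnsServer, DnsClient and PKI PowerShell modules shipped with Windows Server 2012.

```powershell
# Added example, not from the thread. Assumptions: federation service name
# adfs.mattia.it, SRVADFS at the constructed private IP 192.168.10.20, and the
# wildcard certificate already installed in LocalMachine\My on SRVADFS.
$FederationName = 'adfs.mattia.it'
$ExternalZone   = 'mattia.it'
$InternalAdfsIP = '192.168.10.20'   # constructed sample address

# --- 1. Split-brain DNS (run on an internal DNS server / DC) ---
# Create an internal copy of the external zone and point the ADFS host at the
# private IP. Public DNS keeps resolving adfs.mattia.it to the proxy in the DMZ;
# only the host records you add here exist inside.
Import-Module DnsServer
if (-not (Get-DnsServerZone -Name $ExternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalZone -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName $ExternalZone -Name 'adfs' -IPv4Address $InternalAdfsIP

# --- 2. Verify that inside and outside resolve to different addresses ---
$inside  = (Resolve-DnsName -Name $FederationName -Type A).IPAddress
$outside = (Resolve-DnsName -Name $FederationName -Type A -Server 8.8.8.8).IPAddress
if ($inside -eq $outside) {
    Write-Warning "Split-brain DNS not in effect: $FederationName is $inside on both sides."
}

# --- 3. Export the wildcard certificate with its private key (run on SRVADFS) ---
# The proxy must present the same certificate as the federation server, so the
# private key has to travel with it; protect the PFX with a password.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=*.$ExternalZone*" -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No wildcard certificate for *.$ExternalZone with a private key found." }
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath C:\Temp\wildcard-mattia.pfx -Password $pfxPassword

# --- 4. Import on SRVADFSPROXY after copying the .pfx over a secure channel ---
# Import-PfxCertificate -FilePath C:\Temp\wildcard-mattia.pfx `
#     -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# --- 5. Smoke test from both networks: the metadata endpoint must answer over HTTPS ---
$metadata = "https://$FederationName/FederationMetadata/2007-06/FederationMetadata.xml"
(Invoke-WebRequest -Uri $metadata -UseBasicParsing).StatusCode   # expect 200 inside and outside
```

Step 5 run from the DMZ side exercises the proxy and the exported certificate together; a name-mismatch or chain error there usually means the proxy is presenting a different certificate than SRVADFS.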