Configure a Microsoft Dynamics CRM Internet-facing deployment
You can deploy Microsoft Dynamics CRM so that remote users can connect to the application through the Internet. The following Internet-facing deployment (IFD) configurations are supported:
Microsoft Dynamics CRM for internal users only
Microsoft Dynamics CRM for internal users and IFD access
Microsoft Dynamics CRM for IFD-only access
Configuring an IFD enables access to Microsoft Dynamics CRM from the Internet, outside the company firewall, without using a virtual private network (VPN) solution. Microsoft Dynamics CRM configured for Internet access uses claims-based authentication to verify credentials of external users. When you configure Microsoft Dynamics CRM for Internet access, integrated Windows Authentication must remain in place for internal users.
To let users access the application over the Internet, the server that is running Internet Information Services (IIS) where the Microsoft Dynamics CRM application is installed must be available over the Internet.
For more information, see “Claims-based authentication and IFD requirements” in Microsoft Dynamics CRM Server 2011 software requirements in this guide.
The claims-based security model extends traditional authentication models to include other directory sources that contain information about users. This identity federation lets users from various sources, such as Active Directory Domain Services (AD DS), customers via the Internet, or business partners, authenticate with native single sign-on.
The claims-based model has three components: the relying party, which needs the claim to decide what it is going to do; the identity provider, which provides the claim; and the user, who decides what, if any, information they want to provide. Microsoft provides a claims-based access solution called Active Directory Federation Services (AD FS). AD FS enables Active Directory Domain Services (AD DS) to be an identity provider in the claims-based access platform.
AD FS consists of the following components:
AD FS Framework provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications.
Active Directory Federation Services (AD FS) is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. AD FS can also issue and manage information cards for AD DS users.
Windows CardSpace helps users navigate access decisions and is designed for developers to build customer authentication experiences for users.
For more information about AD FS, see:
Implement a strong password policy
To reduce the risk of "brute-force attacks," we strongly recommend that you implement a strong password policy for remote users who are accessing the domain where Microsoft Dynamics CRM is installed. For more information about how to implement a strong password policy in Windows Server, see Creating a Strong Password Policy on Microsoft TechNet and the "Understanding User Accounts" topic in Active Directory Users and Computers Help.
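As an added example (not part of the original guide), the following PowerShell function checks a domain password policy object against a baseline before the deployment is opened to the Internet. The function name Test-PasswordPolicy, the baseline thresholds, and the sample policy are assumptions; the property names are those returned by Get-ADDefaultDomainPasswordPolicy, and the lockout check goes beyond the password settings the text mentions.

```powershell
# Added example: audit a domain password policy against a baseline.
# Baseline values are illustrative assumptions, not values from this guide.
$Baseline = @{
    MinPasswordLength    = 12   # assumed minimum password length
    PasswordHistoryCount = 12   # assumed number of remembered passwords
    MaxLockoutThreshold  = 10   # assumed upper bound on failed attempts before lockout
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory = $true)] $Policy,
        [Parameter(Mandatory = $true)] [hashtable] $Baseline
    )
    $findings = @()
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled'
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Passwords are stored with reversible encryption'
    }
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "Minimum length $($Policy.MinPasswordLength) is below $($Baseline.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "Password history $($Policy.PasswordHistoryCount) is below $($Baseline.PasswordHistoryCount)"
    }
    # A threshold of 0 means accounts never lock out, so guessing is unbounded.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Account lockout is disabled (threshold 0)'
    } elseif ($Policy.LockoutThreshold -gt $Baseline.MaxLockoutThreshold) {
        $findings += "Lockout threshold $($Policy.LockoutThreshold) exceeds $($Baseline.MaxLockoutThreshold)"
    }
    return $findings
}

# Constructed sample policy (not real data) using the same property names.
$sample = New-Object PSObject -Property @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    LockoutThreshold            = 0
}
Test-PasswordPolicy -Policy $sample -Baseline $Baseline

# On a domain-joined host with the ActiveDirectory module available:
# Import-Module ActiveDirectory
# Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $Baseline
```

For the constructed sample, the function reports the short minimum length and the disabled lockout; an empty result means the policy meets the assumed baseline.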
Internet connection firewall
The Windows Server 2008 family provides firewall software to prevent unauthorized connections to the server from remote computers. For more information about how to configure the Internet connection firewall for Internet Information Services (IIS) Manager, see the "Before Configuring IIS" topic in IIS Help.
For information about how to make a Web site available on the Internet, see the "Domain Name Resolution" topic in the IIS Help.
If you do not have a secure proxy and firewall solution on your network, we recommend that you use a dedicated proxy and firewall server, such as Microsoft Internet Security and Acceleration Server (ISA). ISA Server can act as a gateway between the Internet and the Microsoft Dynamics CRM application. ISA Server protects your IT infrastructure while providing users with fast and secure remote access to applications and data. For more information, see Internet Security and Acceleration Server.
Use the following steps as configuration guidelines.
Step 1: Configure Microsoft Dynamics CRM Server 2011 for Internet access
You can configure Microsoft Dynamics CRM Server 2011 for Internet access. To do this, run the Configure Claims-Based Authentication Wizard, and then run the Internet-Facing Deployment Configuration Wizard where Microsoft Dynamics CRM Server 2011 is installed. For more information, see the Deployment Manager Help.
Step 2: Configure Microsoft Dynamics CRM for Outlook to connect to the Microsoft Dynamics CRM Server 2011 by using the Internet
For Microsoft Dynamics CRM for Microsoft Office Outlook to be able to access the Microsoft Dynamics CRM Server 2011 over the Internet, you must specify the external Web address that will be used to access the Internet-facing Microsoft Dynamics CRM Server 2011. To do this, you must install Microsoft Dynamics CRM for Outlook, and then run the Configuration Wizard. Then, during configuration, type the external Web address in the External Web address box. If you install server roles, this Web address must specify where the Discovery Web Service role is installed. For more information about how to configure Microsoft Dynamics CRM for Outlook, see “Task 2: Configure Microsoft Dynamics CRM for Outlook” in Installing on a computer that does not have Microsoft Dynamics CRM for Outlook installed in the Installing Guide.
© 2013 Microsoft Corporation. All rights reserved.