Configure Forefront TMG

This topic covers configuring Forefront Threat Management Gateway (TMG) 2010 as the web gateway for Microsoft Dynamics CRM Server 2011. The following network topology and sample IP addresses are test lab settings used in the steps below. DNS records are the same as used throughout this document.

TMG server as firewall

Network node      IP address       Description
----------------  ---------------  --------------------------------------------------------------
CRM Server        192.168.0.3      This is the IP address of the Microsoft Dynamics CRM server.
ADFS Server       192.168.0.2      This is the IP address of the AD FS server.
TMG Server        (three NICs)
                  1. 192.168.0.1   This is the IP address of the internal network node.
                  2. 10.10.0.2     This is the public-facing IP address used by the Forefront TMG Web listener for the AD FS server.
                  3. 10.10.0.3     This is the public-facing IP address used by the Forefront TMG Web listener for the Microsoft Dynamics CRM server.
External Client   10.10.0.100      This is the IP address of the external client computer accessing Microsoft Dynamics CRM data over the Internet. In a production deployment, this IP address would be obtained from the ISP.
Client            192.168.0.100    This is the IP address of an internal client computer and is not used in the steps below.

Create Web Listeners

A Web listener listens for Web requests on the specified network. You must create a Web listener for both public-facing network interfaces.

Create a Web listener for the Microsoft Dynamics CRM server

  1. Open Forefront TMG Management. Click Start, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.

  2. In the Forefront TMG console tree, expand Forefront TMG (<server name>), and then click Firewall Policy.

  3. Click the Toolbox tab, click New, and then click Web Listener.

  4. On the Welcome to the New Web Listener Wizard page, in the Web listener name box, type CRMIFDWebListener (or something descriptive), and then click Next.

  5. On the Client Connection Security page, verify Require SSL secured connections with clients is selected, and then click Next.

  6. On the Web Listener IP Addresses page, under Listen for incoming Web request on these networks, click External, and then click Select IP Addresses.

  7. On the External Network Listener IP Selection page, click Specified IP addresses on the Forefront TMG computer in the selected network, under Available IP Addresses, click the Microsoft Dynamics CRM public-facing IP address, click Add, and then click OK. For example, 10.10.0.3.

  8. On the Web Listener IP Addresses page, click Next.

  9. On the Listener SSL Certificates page, click Select Certificate.

  10. In the Select Certificate window, click Select.

    Note

    You must have a certificate installed on the Forefront TMG server (Local Computer, Personal store). For example, the *.contoso.com wildcard certificate.

    If you are running Forefront TMG with multiple nodes in the array, you need to have this certificate installed on all Forefront TMG servers for it to be considered valid; or, you must select Assign a certificate for each IP address on the Listener SSL Certificates page. For more information about SSL certificates on ISA Server, see: Troubleshooting SSL Certificates.

  11. On the Listener SSL Certificates page, click Next.

  12. On the Authentication Settings page, in the Select how clients will provide credentials to Forefront TMG drop-down list, click No Authentication, and then click Next.

  13. On the Single Sign On Settings page, click Next.

  14. On the Completing the New Web Listener Wizard page, confirm that the correct settings are specified, and then click Finish.

  15. In the Forefront TMG console, click Apply to save changes and update the configuration.

  16. In the Configuration Change Description window, for the Change description, type Create Web Listener for CRM server, and then click Apply.

  17. In the Save Configuration Changes window, verify that the configuration updates were saved, and then click OK.

Create a Web listener for the AD FS server

  1. Open Forefront TMG Management. Click Start, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.

  2. In the Forefront TMG console tree, expand Forefront TMG (<server name>), and then click Firewall Policy.

  3. Click the Toolbox tab, click New, and then click Web Listener.

  4. On the Welcome to the New Web Listener Wizard page, in the Web listener name box, type ADFSWebListener (or something descriptive), and then click Next.

  5. On the Client Connection Security page, verify Require SSL secured connections with clients is selected, and then click Next.

  6. On the Web Listener IP Addresses page, under Listen for incoming Web request on these networks, click External, and then click Select IP Addresses.

  7. On the External Network Listener IP Selection page, click Specified IP addresses on the Forefront TMG computer in the selected network, under Available IP Addresses, click the AD FS public-facing IP address, click Add, and then click OK. For example, 10.10.0.2.

  8. On the Web Listener IP Addresses page, click Next.

  9. On the Listener SSL Certificates page, click Select Certificate.

  10. In the Select Certificate window, click Select.

    Note

    You must have a certificate installed on the Forefront TMG server (Local Computer, Personal store). For example, the *.contoso.com wildcard certificate.

    If you are running Forefront TMG with multiple nodes in the array, you need to have this certificate installed on all Forefront TMG servers for it to be considered valid; or, you must select Assign a certificate for each IP address on the Listener SSL Certificates page. For more information about SSL certificates on ISA Server, see: Troubleshooting SSL Certificates.

  11. On the Listener SSL Certificates page, click Next.

  12. On the Authentication Settings page, in the Select how clients will provide credentials to Forefront TMG drop-down list, click No Authentication, and then click Next.

  13. On the Single Sign On Settings page, click Next.

  14. On the Completing the New Web Listener Wizard page, confirm that the correct settings are specified, and then click Finish.

  15. In the Forefront TMG console, click Apply to save changes and update the configuration.

  16. In the Configuration Change Description window, for the Change description, type Create Web Listener for ADFS server, and then click Apply.

  17. In the Save Configuration Changes window, verify that the configuration updates were saved, and then click OK.

Create Web publishing rules

Next, you create Web publishing rules to allow external access to the Microsoft Dynamics CRM and AD FS web applications.

Create a Web publishing rule for Microsoft Dynamics CRM

  1. In the Forefront TMG console tree, expand Forefront TMG (<server name>), and then click Firewall Policy.

  2. Click the Tasks tab, and then under Firewall Policy Tasks, click Publish Web Sites.

  3. On the Welcome to the New Web Publishing Rule Wizard page, in the Web publishing rule name box, type CRMIFDOrgPubRule, and then click Next.

  4. On the Select Rule Action page, click Allow, and then click Next.

  5. On the Publishing Type page, click Publish a single Web site or load balancer, and then click Next.

  6. On the Server Connection Security page, click Use SSL to connect to the published Web server or server farm, and then click Next.

  7. On the Internal Publishing Details page, for the Internal site name, type your Microsoft Dynamics CRM organization, and then click Next. For example: orgname.contoso.com

  8. Leave Path (optional) blank, and then click Next.

  9. On the Public Name Details page, for the Public name, type your Microsoft Dynamics CRM organization, and then click Next. For example: orgname.contoso.com

  10. On the Select Web Listener page, in the Web listener drop-down list, click the Microsoft Dynamics CRM Web listener, and then click Next. For example, CRMIFDWebListener

  11. On the Authentication Delegation page, in the Select the method used by Forefront TMG to authenticate to the published Web server drop-down list, select No delegation, but client may authenticate directly, and then click Next.

  12. On the User Sets page, verify that All Users is present, and then click Next.

  13. On the Completing the New Web Publishing Rule Wizard page, verify the configuration, and then click Finish.

  14. In the Configuration Change Description window, for the Change description, type Create web publishing rule for CRM organization, and then click Apply.

  15. In the Save Configuration Changes window, verify that the configuration updates were saved, and then click OK.

Create a Web publishing rule for the Microsoft Dynamics CRM federation endpoint

To create a Web publishing rule for the federation endpoint, repeat the steps above with the following changes.

Step  Change
----  -------------------------------------------------------------------------------
3.    Web publishing rule name: AuthPubRule (or something descriptive)
7.    Internal site name: <your federation endpoint> (for example, auth.contoso.com)
9.    Public name: <your federation endpoint> (for example, auth.contoso.com)

Create a Web publishing rule for the Microsoft Dynamics CRM Discovery Web Service domain

To create a Web publishing rule for the Discovery Web Service, repeat the steps above with the following changes.

Step  Change
----  -------------------------------------------------------------------------------
3.    Web publishing rule name: DevPubRule (or something descriptive)
7.    Internal site name: <your Discovery Web Service domain> (for example, dev.contoso.com)
9.    Public name: <your Discovery Web Service domain> (for example, dev.contoso.com)

Create a Web publishing rule for AD FS

To create a Web publishing rule for AD FS, repeat the steps above with the following changes.

Step  Change
----  -------------------------------------------------------------------------------
3.    Web publishing rule name: ADFSPubRule (or something descriptive)
7.    Internal site name: <your AD FS server> (for example, sts1.contoso.com)
9.    Public name: <your AD FS server> (for example, sts1.contoso.com)
10.   Web listener: your AD FS Web listener (for example, ADFSWebListener)

Additional configuration

Complete the Forefront TMG configuration with the following steps.

For each of the four Web publishing rules you created:

  1. Right-click the Web publishing rule, and then click Configure HTTP.

  2. Under URL Protection, uncheck Verify normalization and Block high bit characters, and then click OK.

Configure HTTP compression for the Microsoft Dynamics CRM server.

  1. In the Forefront TMG console tree, expand Forefront TMG (<server name>), and then click Web Access Policy.

  2. Click the Tasks tab, click Configure HTTP Compression, and then click the Request Compressed Data tab.

  3. Add your Microsoft Dynamics CRM server to the first list, and then click OK.
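The following PowerShell script is an added verification check, not part of the original article or of Forefront TMG itself: run from the external client, it confirms that each public name resolves to the listener IP address the wizard bound, that the listener completes a TLS handshake on port 443, and that the certificate presented covers that name (the *.contoso.com wildcard in the lab). The host names and IP addresses are the article's lab values and are assumed; replace them with your own.

```powershell
# Added verification script (not from the original article). Run on the external
# client (10.10.0.100 in the lab) after the TMG configuration has been applied.

function Test-CertNameMatch {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard such as *.contoso.com covers exactly one additional label.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)   # ".contoso.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $HostName.Split('.').Length -eq $name.Split('.').Length) { return $true }
        }
    }
    return $false
}

function Test-TmgListener {
    param([string]$PublicName, [string]$ExpectedIP)
    $r = @{ PublicName = $PublicName; ResolvesTo = ''; DnsOk = $false; TlsOk = $false
            CertOk = $false; CertNames = @(); TlsError = $null }
    $ips = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    $r.ResolvesTo = ($ips -join ',')
    $r.DnsOk = ($ips -contains $ExpectedIP)          # public DNS must point at the Web listener IP
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($PublicName, 443)
        # Accept any chain here: this script inspects the names on the certificate;
        # chain trust on the client is verified by the client's own CA configuration.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($PublicName)
        $r.TlsOk = $true
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) { $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[-1] } }
        $r.CertNames = @($names | Select-Object -Unique)
        $r.CertOk = Test-CertNameMatch -CertNames $r.CertNames -HostName $PublicName
        $ssl.Dispose(); $tcp.Close()
    } catch { $r.TlsError = $_.Exception.Message }
    New-Object PSObject -Property $r
}

# Lab mapping from the article: CRM public names use the 10.10.0.3 listener, AD FS uses 10.10.0.2.
$checks = @{ 'orgname.contoso.com' = '10.10.0.3'; 'auth.contoso.com' = '10.10.0.3'
             'dev.contoso.com'     = '10.10.0.3'; 'sts1.contoso.com' = '10.10.0.2' }
$checks.GetEnumerator() | ForEach-Object { Test-TmgListener -PublicName $_.Key -ExpectedIP $_.Value } |
    Format-Table PublicName, ResolvesTo, DnsOk, TlsOk, CertOk, TlsError -AutoSize
```

A row with DnsOk false means the public DNS record does not match the IP address chosen in step 7 of the listener wizard; CertOk false means the certificate selected in step 10 does not cover that public name.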

See Also

Other Resources

Forefront Threat Management Gateway (TMG) 2010


© 2012 Microsoft Corporation. All rights reserved.