Configure a Microsoft Dynamics CRM Internet-facing deployment
Applies To: CRM 2016 on-prem
You can deploy Microsoft Dynamics CRM so that remote users can connect to the application through the Internet. The following Internet-facing deployment (IFD) configurations are supported:
Microsoft Dynamics CRM for internal users only
Microsoft Dynamics CRM for internal users and IFD access
Microsoft Dynamics CRM for IFD-only access
Configuring an IFD enables access to Microsoft Dynamics CRM from the Internet, outside the company firewall, without using a virtual private network (VPN) solution. Microsoft Dynamics CRM configured for Internet access uses claims-based authentication to verify credentials of external users. When you configure Microsoft Dynamics CRM for Internet access, integrated Windows Authentication must remain in place for internal users.
To let users access the application over the Internet, the server that is running Internet Information Services (IIS) where the Microsoft Dynamics CRM application is installed must be available over the Internet.
For more information, see Accessing Microsoft Dynamics CRM from the Internet - Claims-based authentication and IFD requirements.
The claims-based security model extends traditional authentication models to include other directory sources that contain information about users. This identity federation lets users from various sources, such as Active Directory Domain Services (AD DS), customers via the Internet, or business partners, authenticate with native single sign-on.
The claims-based model has three components: the relying party, which needs the claim to decide what it is going to do; the identity provider, which provides the claim; and the user, who decides what if any information they want to provide. Microsoft provides a claims-based access solution called Active Directory Federation Services (AD FS). AD FS enables Active Directory Domain Services (AD DS) to be an identity provider in the claims-based access platform.
AD FS consists of the following components:
AD FS Framework provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications.
Active Directory Federation Services (AD FS) is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access. Active Directory Federation Services (AD FS) supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. Active Directory Federation Services (AD FS) can also issue manage information cards for AD DS users.
For more information about AD FS, see:
To reduce the risk of "brute-force attacks" we strongly recommend that you implement a strong password policy for remote users who are accessing the domain where Microsoft Dynamics CRM is installed. For more information about how to implement a strong password policy in Windows Server, see Creating a Strong Password Policy on Microsoft TechNet and the "Understanding User Accounts" topic in Active Directory Users and Computers Help.
The current Windows Server operating systems provide firewall software to prevent unauthorized connections to the server from remote computers. For more information about how to configure the Internet connection firewall for Internet Information Services (IIS) Manager, see the IIS Help.
For information about how to make a Web site available on the Internet, see the "Domain Name Resolution" topic in the IIS Help.
If you do not have a secure proxy and firewall solution on your network, we recommend that you use a dedicated remote access, proxy, or firewall server, such as the Windows Server Remote Access Server role or Windows Firewall with Advanced Security. For more information, see Remote Access Overview and Windows Firewall with Advanced Security Overview.
Use the following steps as configuration guidelines.
You can configure Microsoft Dynamics CRM Server for Internet access. To do this, run the Configure Claims-Based Authentication Wizard, and then run the Internet-Facing Deployment Configuration Wizard where the Deployment Administration Server role is installed. For more information, see Configure claims-based authentication and Configure an Internet-facing deployment.
For Microsoft Dynamics CRM for Outlook to be able to access the Microsoft Dynamics CRM Server over the Internet, you must specify the external Web address that will be used to access the Internet-facing Microsoft Dynamics CRM Server. To do this, you must install Dynamics CRM for Outlook, and then run the Configuration Wizard. Then, during configuration, type the external Web address in the External Web address box. If you install server roles, this Web address must specify where the Discovery Web Service role is installed. For more information about how to configure Dynamics CRM for Outlook, see 7e846aff-e472-4a3a-810d-de2aea0817f0#BKMK_Task2_ConfigureCRMforOutlook.
For detailed steps to configure IFD, see Configure IFD for Microsoft Dynamics CRM.
© 2016 Microsoft. All rights reserved. Copyright