Publishing Dynamics CRM 2011

Applies To: Unified Access Gateway

This topic provides instructions on how to publish Microsoft Dynamics CRM 2011 via Forefront Unified Access Gateway (UAG), and how to manage user operations from non-compliant endpoints, as follows:

  • Publishing Dynamics CRM 2011 via Forefront UAG

  • Managing user operations from non-compliant endpoints

To publish Dynamics CRM 2011 using claims-based authentication, see Publishing Dynamics CRM 2011 with AD FS 2.0.


In its default configuration, publishing Dynamics CRM 2011 via Forefront UAG is supported when using forms-based authentication to the Forefront UAG server and NTLM or KCD authentication to the Dynamics CRM 2011 server.


Publishing Dynamics CRM 2011 via Forefront UAG does not support the Dynamics CRM client for Outlook.

Microsoft Dynamics CRM 2011 is compatible with Internet Explorer 10 only in Compatibility Mode. See Support with Microsoft Dynamics CRM 2011 and Internet Explorer 10.

Publishing Dynamics CRM 2011 as the initial portal application with the Display home page within portal frame option enabled is not supported.

Publishing Dynamics CRM 2011 via Forefront UAG

To publish Dynamics CRM 2011

  1. In the Forefront UAG Management console, select the portal in which you want to publish Dynamics.

  2. In the main portal properties page, in Applications, click Add.

  3. On the Select Application page of the Add Application Wizard, select Web, and then select Microsoft Dynamics CRM 2011. Then click Next.

  4. On the Configure Application page, specify a name for the application. This name will appear in the portal. Then click Next.

  5. On the Select Endpoint Policies page, select an access policy for accessing the CRM application, download and upload policies, and a policy for accessing the restricted zones of an application if relevant. For more information about editing endpoint policies, see Implementing access policies for endpoint health validation.

  6. On the Deploying an Application page, click Configure an application server. If you want to publish a farm of Dynamics CRM servers that all share the same configuration, click Configure a farm of application servers. Then click Next.

  7. On the Web Servers page, in the Addresses box, enter the address of the server, and then, in the Public host name box, type the desired public host name. This name should be in DNS and should point to the Forefront UAG external address. It can be used to access the CRM2011 application directly. Then click Next.

  8. On the Authentication page, select Use single sign-on to send credentials to published applications if users are required to authenticate to the backend Dynamics CRM application. Select 401 request, or Both. Then click Next. After completing the wizard, you can also configure the application to use Kerberos or ADĀ FS. For more information, see Implementing backend authentication mechanisms.

  9. On the Portal Link page, click Add a portal and toolbar link to allow users to access the application from the portal toolbar. Then specify the link settings, and click Next.

    If you are publishing Dynamics CRM 2011 and it is not the initial portal application, make sure that the Open in a new window check box is selected.

  10. On the Authorization page, leave the default setting to allow all portal users to access the application. To allow access to the Dynamics CRM server for specified users and groups only, clear Authorize all users. Then click Add to add users and groups, and click Next. For more information about setting up portal application authorization, see Implementing users and groups for application authorization.

  11. On the completion page of the wizard, click Finish. If GZip compression for URL extensions is not enabled for your trunk, you will be notified that this setting will be enabled after adding the Dynamics CRM 2011 application. This ensures that the application works correctly.

Managing user operations from non-compliant endpoints

After you finish adding the application to the trunk, you may need to modify the dedicated Microsoft Dynamics CRM policies to comply with the security policy requirements of your organization.

The following table lists the operations that can be controlled using endpoint policies. By default, the value of these policies is True, and they do not prevent users from performing these operations.

Operation Policy

Prevent end users from printing information from the CRM application.

Microsoft CRM Enhanced Security

Prevent end users from uploading, importing data into the application, and saving files from Microsoft Office applications to the CRM server.

Microsoft CRM Upload

Prevent end users from downloading files or exporting to a spreadsheet.

Microsoft CRM Download

The following procedure describes how you can prevent users from performing the operations described in the table above, unless their computer meets the defined security policy requirements. Users that are blocked are notified accordingly.

To manage user operations on Microsoft Dynamics CRM 2011 from non-compliant endpoints

  1. In an area where you assign policies, click Edit Endpoint Policies.

  2. On the Manage Policies and Expressions dialog box, select the application-specific policy (from the policies described in the table above), and then click Edit Policies.

  3. Use the Policy Editor to edit the policy according to your requirements.

    Users accessing the Microsoft Dynamics CRM 2011 application from a non-compliant endpoint computer will not be able to perform the described operations.