Configure a Microsoft Dynamics CRM Internet-facing deployment
Applies To: Dynamics CRM 2013
You can deploy Microsoft Dynamics CRM so that remote users can connect to the application through the Internet. The following Internet-facing deployment (IFD) configurations are supported:
Microsoft Dynamics CRM for internal users only
Microsoft Dynamics CRM for internal users and IFD access
Microsoft Dynamics CRM for IFD-only access
Configuring an IFD enables access to Microsoft Dynamics CRM from the Internet, outside the company firewall, without using a virtual private network (VPN) solution. Microsoft Dynamics CRM configured for Internet access uses claims-based authentication to verify credentials of external users. When you configure Microsoft Dynamics CRM for Internet access, integrated Windows Authentication must remain in place for internal users.
To let users access the application over the Internet, the server that is running Internet Information Services (IIS) where the Microsoft Dynamics CRM application is installed must be available over the Internet.
For more information, see Accessing Microsoft Dynamics CRM from the Internet - Claims-based authentication and IFD requirements.
In This Topic
About claims-based authentication
Internet-facing server best practices
Configure IFD
About claims-based authentication
The claims-based security model extends traditional authentication models to include other directory sources that contain information about users. This identity federation lets users from various sources, such as Active Directory Domain Services (AD DS), customers via the Internet, or business partners, authenticate with native single sign-on.
The claims-based model has three components: the relying party, which needs the claim to decide what it is going to do; the identity provider, which provides the claim; and the user, who decides what if any information they want to provide. Microsoft provides a claims-based access solution called Active Directory Federation Services (AD FS). AD FS enables Active Directory Domain Services (AD DS) to be an identity provider in the claims-based access platform.
AD FS consists of the following components:
AD FS Framework provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications.
Active Directory Federation Services (AD FS) is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access. Active Directory Federation Services (AD FS) supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. Active Directory Federation Services (AD FS) can also issue manage information cards for AD DS users.
For more information about AD FS, see:
Active Directory Federation Services Overview (Windows Server 2012 AD FS 2.1)
Download AD FS 2.0 for Windows Server 2008: AD FS 2.0 RTW
Internet-facing server best practices
Implement a strong password policy
To reduce the risk of "brute-force attacks" we strongly recommend that you implement a strong password policy for remote users who are accessing the domain where Microsoft Dynamics CRM is installed. For more information about how to implement a strong password policy in Windows Server, see Creating a Strong Password Policy on Microsoft TechNet and the "Understanding User Accounts" topic in Active Directory Users and Computers Help.
Internet connection firewall
The Windows Server 2012 and Windows Server 2008 operating systems provide firewall software to prevent unauthorized connections to the server from remote computers. For more information about how to configure the Internet connection firewall for Internet Information Services (IIS) Manager, see the IIS Help.
For information about how to make a Web site available on the Internet, see the "Domain Name Resolution" topic in the IIS Help.
Proxy/firewall server
If you do not have a secure proxy and firewall solution on your network, we recommend that you use a dedicated proxy and firewall server, such as Forefront Unified Access Gateway (UAG). Forefront UAG can act as a gateway between the Internet and Microsoft Dynamics CRM Server. Forefront UAG protects your IT infrastructure while providing users with fast and secure remote access to applications and data. For more information, see Forefront Unified Access Gateway 2010.
Configure IFD
Use the following steps as configuration guidelines.
Step 1: Configure Microsoft Dynamics CRM Server 2013 for Internet access
You can configure Microsoft Dynamics CRM Server 2013 for Internet access. To do this, run the Configure Claims-Based Authentication Wizard, and then run the Internet-Facing Deployment Configuration Wizard where Microsoft Dynamics CRM Server 2013 the Deployment Administration Server role is installed. For more information, see the Deployment Manager Help.
Step 2: Configure Microsoft Dynamics CRM for Outlook to connect to the Microsoft Dynamics CRM Server 2013 by using the Internet
For Microsoft Dynamics CRM for Microsoft Office Outlook to be able to access the Microsoft Dynamics CRM Server 2013 over the Internet, you must specify the external Web address that will be used to access the Internet-facing Microsoft Dynamics CRM Server 2013. To do this, you must install CRM for Outlook, and then run the Configuration Wizard. Then, during configuration, type the external Web address in the External Web address box. If you install server roles, this Web address must specify where the Discovery Web Service role is installed. For more information about how to configure CRM for Outlook, see Task 2: Configure Microsoft Dynamics CRM for Outlook.
See Also
Advanced deployment options for Microsoft Dynamics CRM Server 2013
Key management in Microsoft Dynamics CRM
Multi-organization deployment
© 2016 Microsoft Corporation. All rights reserved. Copyright