Publishing Microsoft CRM 4.0 through ISA Server 2006

1. Introduction

Last February I collaborated with Henning Petersen from the CRM Team on publishing CRM 3 through ISA Server 2006. After that post, we received a lot of requests for an article on publishing CRM 4 using the Internet Facing Deployment option (IFD). This post answers those requests. For this post we chose to let ISA handle the SSL certificates, as this is the common scenario for ISA deployments, although other methods can be used.

We chose to focus this blog on letting CRM handle the authentication while letting ISA handle the SSL session. The main reason for using IFD despite ISA’s ability to provide forms based authentication was that the Microsoft Dynamics CRM Clients for Outlook would run into authentication problems if prompted with an ISA login. In order to get CRM running with IFD, a good starting point is to study the IFD guide called How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0; it can be downloaded from the Microsoft Download Center. The deployment guide will allow you to better understand the CRM 4 IFD concepts before you create any publishing rules on ISA Server.

2. Adjusting the CRM Server for External Publishing

To deploy this scenario the following topology was used:

Figure 1 – Topology using CRM IFD with ISA Server 2006.

We broke the IFD configuration down into two parts. Let’s see them:

Part 1 – General Considerations

We created an Organization in CRM 4.0 named “CRM”. To avoid the complication of split DNS, we decided to define the internal domain as .local and the external domain as contoso.com; therefore our first action item was to ensure that the External URL could resolve to the CRM server on the inside of the network. The external URL was defined as crm.contoso.com. CRM 4.0 IFD does a redirect to the External URL, thus making it crucial to have name resolution to the external URL from the inside of the network. The DNS infrastructure for this lab allows the external name (crm.contoso.com) to resolve to the internal CRM Server.

Important Notes:

  • If you are using Multi-tenancy in CRM and you are planning on exposing multiple CRM Organizations to the outside world, you will need to ensure that you can resolve all names, such as crmorg2.contoso.com and crmorg3.contoso.com. (If you are exposing multiple CRM Organizations, we recommend that you purchase a wildcard certificate (*.contoso.com) or an individual certificate for each organization.)
  • The DNS setup and best practices are not covered in this blog.
  • After we established name resolution for crm.contoso.com on the inside, we needed to activate IFD.

Part 2 – IFD Configuration

CRM 4.0 IFD can be activated during the install of CRM 4.0 if you are using a configuration file. Clint Warriner (Escalation Engineer, Microsoft CRM Team) has developed a tool that will allow you to configure CRM 4.0 with IFD after a normal GUI install of CRM 4.0. For this blog we utilized Clint’s tool in order to enable IFD. The tool can be downloaded from the document named “How to use the Microsoft Dynamics CRM Internet Facing Deployment Configuration tool”. In order to run the tool, you should read this document first and also review “Microsoft Dynamics CRM 4.0 Internet Facing Deployment Scenarios”. Once you have the tool downloaded, place the executable in the Tools folder under the Microsoft CRM folders (i.e. c:\Program Files\Microsoft Dynamics CRM\Tools). Here is a screenshot of the currently released tool:

Figure 2 – IFD Tool.

When setting CRM up with IFD Auth we used HTTP on both the IFD Domain Scheme (IFD Auth-External) and the AD Domain Scheme (AD Auth-Internal). One important feature built into the tool is a DNS check: the check will ensure that the Orgname, IFD App Root Domain and IFD SDK Root Domain resolve to the external name (in our example crm.contoso.com).

Note: In this scenario SSL is offloaded to the ISA server. Select HTTPS in the CRM IFD tool. If HTTPS is not selected, CRM will generate an HTTP URL which could be blocked by ISA.

3. Configuring the ISA Server 2006 Web publishing rule

After preparing CRM 4 IFD, follow the steps below to configure ISA Server 2006:

1. Right-click on the Firewall Policy, select the option New, and then click Web Site Publishing Rule.

2. Type the name of the rule, and then click Next.

3. On the Select Rule Action window, select the option Allow, and then click Next.

4. On the Publishing Type window, select the option to Publish a single Web Site or load balancer, and then click Next.

5. On the Server Connection Security window, select the option Use SSL to connect to the published web server or server farm, and then click Next.

6. On the Internal Publishing Details page, in the Internal site name box, type the name of the internal site. Select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type the server name. If you do not know the name of the server, click Browse to navigate to its location.

7. On the Internal Publishing Details window, in the Path (optional) box, type /* , and then click Next.

8. On the Public Name Details window, from the Accept requests for dropdown list, select This domain name (type below), and then, in the Public name box, type the public name that matches the certificate that was issued for this URL. Click Next.

9. On the Select Web Listener window, click New, type the name for this Web listener, and then click Next.

10. On the Client Connection Security window, select the option Require SSL secured connection with clients, and then click Next.

11. Click to highlight the External interface, and then click Select IP Address.

12. In the External Network Listener IP Selection dialog box, select the option Specified IP addresses on the ISA Server computer in the selected network. In the Available IP address field, select the IP address, click Add, and then click OK. In the Web Listener IP Addresses window, click Next.

13. On the Listener SSL Certificates window, select Use a single certificate for this Web Listener, and then click Select Certificate. Select the certificate that was installed on this ISA Server 2006 computer, and then click Select.

Note: If you are running ISA Server 2006 Enterprise with multiple nodes in the array, you need to have this certificate installed on all ISA Servers for it to be considered valid; or you must select “Certificate per IP address”. For more information about SSL Certificate on ISA Server, see “Troubleshooting SSL Certificates” in ISA Server Publishing at Microsoft Technet.

14. In the Authentication Settings window, select No Authentication and click Next.

15. On the Single Sign On Settings window disable the checkbox, click Next, and then click Finish.

16. In the Web Publishing Rule wizard, click Next.

17. In the Authentication Delegation window, select the option No delegation, but client may authenticate directly and then click Next.

18. On the User Set window, make sure that All Users is selected, click Next, and then click Finish.

Since the purpose of this post is to use CRM 4 IFD as an Internet-facing mechanism, we will not authenticate on the ISA Server. This is the reason why authentication was disabled on the listener and on the delegation tab.

Now that we have everything set up, we can access the site from outside. The logon page that will be presented to the end user comes from the CRM 4 IFD itself and will look like the one below:

Figure 3 – CRM 4 Logon Page.

4. Troubleshooting Tips

Most issues you are going to run into are either DNS or authentication related. Most commonly you will be able to troubleshoot authentication from the inside of your network using the external URL. Once the FQDNs resolve, the ISA setup should be straightforward. Most of the authentication issues we have seen can be solved with the bullets listed below.

  • We recommend that you set up an SPN HTTP/ entry under the CRMAppPool account for each orgname you need to access, i.e. HTTP/crm.contoso.com. (See “How to use SPNs when you configure Web applications that are hosted on IIS 6.0”, “Scenario 2: Access a Web application by using a host header”, for additional details. If you are unsure of this action, please consult your networking/AD administrators.)
  • Also look into adding host headers for each Org that you will be accessing.
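As an added pre-flight check (not part of the original post or the CRM IFD tool), the following PowerShell script, run from inside the network, verifies the two prerequisites this post relies on: that each external org name resolves to the internal CRM server (Part 1) and that the HTTP/<name> SPN is registered on the CRMAppPool account (first troubleshooting bullet). The org names, the internal CRM IP address and the CRMAppPool account name are assumed placeholders.

```powershell
# Added example, not from the original post. Run from INSIDE the network, before creating
# the ISA rule. Checks (1) internal resolution of each external org name and (2) the
# HTTP/<fqdn> SPN on the CRMAppPool account. Values below are assumed placeholders.

$ExternalDomain = 'contoso.com'                   # external root domain used in the post
$OrgNames       = @('crm', 'crmorg2', 'crmorg3')  # assumed: one host name per CRM organization
$InternalCrmIp  = '10.0.0.10'                     # assumed: internal address of the CRM server
$CrmAppPoolAcct = 'CONTOSO\CRMAppPool'            # assumed: domain account running CRMAppPool

# setspn -L lists the SPNs currently registered on an account; trim the indented output lines.
$registeredSpns = & setspn -L $CrmAppPoolAcct 2>&1 | ForEach-Object { "$_".Trim() }

$problems = 0
foreach ($org in $OrgNames) {
    $fqdn = "$org.$ExternalDomain"

    # 1. Name resolution: IFD redirects to the external URL, so it must resolve internally too.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    } catch {
        $addrs = @()
    }
    if ($addrs -contains $InternalCrmIp) {
        Write-Host "OK   DNS  $fqdn -> $InternalCrmIp"
    } else {
        Write-Host "FAIL DNS  $fqdn resolves to [$($addrs -join ', ')], expected $InternalCrmIp"
        $problems++
    }

    # 2. Kerberos SPN: host-header access needs HTTP/<fqdn> registered on the app pool account.
    $spn = "HTTP/$fqdn"
    if ($registeredSpns -contains $spn) {
        Write-Host "OK   SPN  $spn is registered on $CrmAppPoolAcct"
    } else {
        Write-Host "FAIL SPN  $spn missing; register it with: setspn -A $spn $CrmAppPoolAcct"
        $problems++
    }
}

if ($problems -eq 0) { Write-Host 'All checks passed.' } else { Write-Host "$problems problem(s) found." }
```

Run it under an account that can query Active Directory; a DNS failure here means the IFD redirect will break for internal users before ISA is even involved.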

Authors

Henning Petersen

Support Escalation Engineer - Microsoft CRM Team

Microsoft – ND

Yuri Diogenes

Security Support Engineer – ISA/IAG Team

Microsoft – TX

Technical Reviewers

Corey Hanson

Technical Readiness Engineer – Microsoft CRM Team

Jim Harrison

Microsoft Forefront (ISA/TMG) Sustained Engineering Team