Accessing Dynamics CRM 2011 from the Internet

Add a comment October 19th, 2011

To access Dynamics CRM 4 (on premise) from the Internet, you’d to configure IFD and you could use i.e. ISA in a DMZ if you didn’t want the CRM server to be facing the Internet.

If you decided to use ISA you couldn’t use the built-in security provided by ISA/UAG, but you had to just tunnel all traffic through and let the CRM server authenticate the user. This was not so cool, but it was fairly easy to set up and configure.

With the release of Dynamics CRM 2011 things started to get a little more complicated. If you wanted to access CRM from the Internet you’d to configure claims-based authentication, ADFS 2.0 and IFD. UAG was not supported.

I was taken by surprise when I read about this, since Microsoft uses UAG to make i.e. Exchange and SharePoint more secure. Did they forget about CRM?

Products like Citrix Access Gateway began to take a sole lead.

Things changed with the release of UAG Service Pack 1. CRM is now supported to be published via UAG. You don’t need to set up ADFS and claims. Let the UAG do the job to secure and authenticate the users. With or without two-factor authentication like RSA.

Easy to configure, easy to understand 🙂






  1. April 27th, 2012 at 14:44 | #1


    Sorry to do this as a comment but could not see a published email – apologies if this confuses anyone.

    Thanks for such an informative blog – there’s lots of information here re Dynamics CRM that I haven’t found anywhere else, and that’s refreshing as most stuff gets replicated.

    I have a question, which I hope you might be able to take a few minutes out to answer, or perhaps do a post on:

    As CRM is so dependent on Active Directory, how would you recommend developer environments which have to mirror the live environment (Which is DC, 2x Front End load balanced CRM, SharePoint, Exchange, clustered SQL, Reporting Services Server) are configured?

    We have looked at lots of options but the biggest requirement is to roll whole virtual environments back to a previous state (CRM 2011 with associated Exchange and SharePoint integration means only way to get to a known point in time is to snapshot and rollback all of the server’s in the environment and roll them all back together.

    Our domain admin wants to put everything (All environments DEV, TEST, UAT and LIVE in same domain). As far as I can see, if you use your ‘live’ DC for this it will effectively be a moving target and over time would get out of step with the state of the snapshots. I restore a snapshot and lo and behold the domain admin has got rid of two or three critical accounts in the interim, which as you know distresses CRM, Exchange and Sharepoint intensely.
    The only solution I can find is to use closed VLANS, isolated from the live domain, with a replica of AD from a point in time that the VLAN was created. This isn’t ideal as user accounts in the VLAN either get very out of date over time, or have to be maintained, which is a major headache for our domain admins.
    What doesn’t help our case is that we have a legacy AS400 environment sat out in its own world with applications that have to synch with the CRM systems (Otherwise we could just create some test users in the VLAN).
    It’s basically a bit of a nightmare – there is almost certainly some very obvious solution, or alternative approach we are missing and wondered whether you had any thoughts.
    I can provide more technical information if it would help – I have yet to find anyone provide a definitive way of handling larger complex organisations and their requirement for developer environments.
    PS: I work for a large UK cancer charity and any advice, pointers would be very welcome,

    Much appreciated,


  2. May 5th, 2012 at 11:06 | #2

    Hi Andrew, from what you say it sounds like a really bad idea to put i.e. the developer environment in the same domain as the production environment. I would for sure keep them seperated. I guess you have multiple DCs in the production, and they don’t like to get rolled back (read USN rollback). If you have a single DC developer environment, a roll back is just a “time travel”, so I would keep it as simple as possible. Like, drop the redundency from the test (SQL cluster, single host to run SP, single Exchange)

  1. No trackbacks yet.
Comments feed

5 − = four