Publishing Microsoft CRM 4.0 through ISA Server 2006

1. Introduction

Last February I collaborated with Henning Petersen from the CRM Team on CRM 3 through ISA Server 2006. After this post, we received a lot of requests for an article on publishing CRM 4 using the Internet Facing Deployment option (IFD). This post is going to answer those requests. For this post we chose to let ISA handle the SSL Certificates as this is the common scenario for ISA deployments although other methods can be used.

We chose to focus this blog on letting CRM handle the authentication while letting ISA handle the SSL session. The main reason for using IFD despite ISA’s ability to provide forms based authentication was that the Microsoft Dynamics CRM Clients for Outlook would run into authentication problems if prompted with an ISA login. In order to get CRM running with IFD a good starting point is to study the IFD guide called How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0 it can be downloaded from the Microsoft Download Center. The deployment guide will allow you to better understand the CRM 4 IFD concepts before you create any publishing rules on ISA Server.

2. Adjusting the CRM Server for External Publishing

To deploy this scenario the following topology was used:

Figure 1 – Topology using CRM IFD with ISA Server 2006.

We broke it down the IFD configuration in two parts. Let’s see them:

Part 1 – General Considerations

We created an Organization in CRM 4.0 named “CRM”. to avoid the complication of split DNS, we decided to define the internal domain as .local and the external domain as contoso.com, therefore our first action item was to ensure that the External URL could resolve to the CRM server on the inside of the network. The external URL was defined as crm.contoso.com. CRM 4.0 IFD does a redirect to the External URL thus making it crucial to have name resolution to the external URL from the Inside of the network. The DNS infrastructure for this lab allows the external name (crm.contoso.com) resolves to the internal CRM Server.

Important Notes:

• If you are using Multi-tenancy in CRM and you are planning on exposing multiple CRM Organizations to the outside world you will need to ensure that you can resolve all names such as crmorg2.contoso.com and crmorg3.contoso.com. (If you are exposing multiple CRM Organizations we recommend that you purchase a wildcard certificate (*.contoso.com) or an individual certificate for each organization.
• The DNS setup and best practices are not covered in this blog.
• After we established name resolution for crm.contoso.com on the inside we needed to activate IFD

Part 2 – IFD Configuration

CRM 4.0 IFD can be activated during the install of CRM 4.0 if you are using a configuration file. Clint Warriner (Escalation Engineer, Microsoft CRM Team) has developed a tool that will allow you to configure CRM 4.0 with IFD after a normal GUI Install of CRM 4.0. For this blog we utilized Clint’s tool in order to enable IFD. The tool can be downloaded from the document named “How to use the Microsoft Dynamics CRM Internet Facing Deployment Configuration tool” In order to run the tool, you should read this document first and also review “Microsoft Dynamics CRM 4.0 Internet Facing Deployment Scenarios”. Once you have the tool downloaded, place the executable in the tools folder under the Microsoft CRM folders. (i.e. c:\Program Files\Microsoft Dynamics CRM\Tools). Here it is the screenshot of the currently released tool:

Figure 2 – IFD Tool.

When setting CRM up with IFD Auth we used HTTP on both IFD Domain Scheme (IFD Auth-External) and AD Domain Scheme (AD Auth-Internal). One important feature build into the tool is a DNS check – the check will ensure that the Orgname IFD App Root Domain and IFD SDK Root Domain resolve to the external name (in our example crm.contoso.com).

Note: In this scenario SSL is offloaded to the ISA server. Select HTTPS in the CRM IFD tool. If HTTPS is not selected, CRM will generate a HTTP URL which could be blocked by ISA.

3. Configuring the ISA Server 2006 Web publishing rule

After preparing CRM 4, IFD follow the steps below to configure ISA Server 2006:

1. Right-click on the Firewall Policy, select the option New, and then click Web Site Publishing Rule.

2. Type the name of the rule, and then click Next.

3. On the Select Rule Action window, select the option Allow, and then click Next.

4. On the Publishing Type window,select the option to Publish a single Web Site or load balancer,and then click Next.

5. On the Server Connection Security window, select the option Use SSL to connect to the published web server or server farm, and then click Next.

6. On the Internal Publishing Details page, in the Internal site name box, type the name of the internal site. Select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type the server name. If you do not know the name of the server, click Browse to navigate to its location.

7. On the Internal Publishing Details window, in the Path (optional) box, type /* , and then click Next.

8. On the Public Name Details window, from the Accept requests for dropdown list, select This domain name (type below), and then, in the Public name box, type the public name that matches the certificate that was issued for this URL. Click Next.

9. On the Select Web Listener window, click New, type the name for this Web listener, and then click Next.

10. On the Client Connection Security window, select the option Require SSL secured connection with clients, and then click Next.

11. Click to highlight the External interface, and then click in Select IP Address.

12. In the External Network Listener IP Selection dialog box, select the option Specified IP addresses on the ISA Server computer in the selected network. In the Available IP address field, select the IP address, click Add, and then click OK. In the Web Listener IP Addresses window, click Next.

13. On the Listener SSL Certificates window, select Use a single certificate for this Web Listener, and then click Select Certificate. Select the certificate that was installed on this ISA Server 2006 computer, and then click Select.

Note: If you are running ISA Server 2006 Enterprise with multiple nodes in the array, you need to have this certificate installed on all ISA Servers for it to be considered valid; or you must select “Certificate per IP address”. For more information about SSL Certificate on ISA Server, see “Troubleshooting SSL Certificates” in ISA Server Publishing at Microsoft Technet.

14. In the Authentication Settings window, select No Authentication and click Next.

15. On the Single Sign On Settings window disable the checkbox, click Next, and then click Finish.

16. In the Web Publishing Rule wizard, click Next.

17. In the Authentication Delegation window, select the option No delegation, but client may authenticate directly and then click Next.

18. On the User Set window, make sure that All Users is selected, click Next, and then click Finish.

Since the purpose of this post is to use CRM 4 IFD is an Internet facing mechanism we will not authenticate on the ISA Server. This is the reason why authentication was disabled on the listener and on the delegation tab.

Now that we have everything set up, we can access the site from outside. The logon page that will be presented to the end user comes from the CRM 4 IFD itself and will look like the one below:

Figure 3 – CRM 4 Logon Page.

4. Troubleshooting Tips

Most issues you are going to run into is either DNS or authentication related. Most commonly you will be able to trouble shoot authentication from the inside of your network using the external URL. Once the FQDNs resolve, the ISA setup should be straight forward. Most of the authentication issues we have seen can be solved with the bullets listed below.

• We recommend that you setup an SPN HTTP/ entry under the CRMAppPool account for each orgname you need to access. Ie. HTTP/crm.contoso.com (See “How to use SPNs when you configure Web applications that are hosted on IIS 6.0” “Scenario 2: Access a Web application by using a host header” for additional details. If you are unsure of this action please consult your networking/AD administrators.)
• Also look into adding host headers for each Org that you will be accessing.

• • I.e. If you have an org name crm and an org named crm2 you’re your domain name is contoso.com. The following URL’s need’s to resolve properly; crm.contoso.com and crm2.contoso.com. In this case you should add both these hostheaders to your CRM website through IIS manager and add the proper DNS records. (See “Using Host Header Names to Host Multiple Web Sites (IIS 6.0)” for more details.)

• With 2003 SP1 additional security was introduced. Given that the CRM website may be accessed using aliases or cnames you will most likely need to apply a regkey called disableloopbackcheck (See “Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path")

Authors

Henning Petersen

Support Escalation Engineer - Microsoft CRM Team

Microsoft – ND

Yuri Diogenes

Security Support Engineer – ISA/IAG Team

Microsoft – TX

Technical Reviewers

Corey Hanson

Technical Readiness Engineer – Microsoft CRM Team

Jim Harrison

Microsoft Forefront (ISA/TMG) Sustained Engineering Team

Comments

• Anonymous
  January 01, 2003
  Henning Petersen, CRM team support engineer points to a very popular post collaboration with the ISA

• Anonymous
  January 01, 2003
  Thanks for your comment. Since your environment has some custom requirements I recommend you to open an Advisory case with CRM Team so they can evaluate your request and advice thet best solution for your case.

• Anonymous
  January 01, 2003
  Henning Petersen, CRM team support engineer points to a very popular post collaboration with the ISA

• Anonymous
  January 01, 2003
  Hi, Can you shed some more light on my 2 questions please?

1. I have setup the CRM IFD, published via ISA server 2006 by following your article.  However, when user logs on externally to CRM, they don't have the form based authentication page, instead they got the Windows login prompt.  I suspect CRM is treating external users as internal users, hence not showing the signin.aspx page. When I tried to access the https://crm.domainname.com/signin.aspx, I don't get anything.  IE simply told me the destination cannot be reached. What would be the likely issue here?  Is it mainly to do with how CRM determine if you can coming from outside?
2.  When you say about the external URL needs to be resolvable from inside the network.  Do you mean internal computers should be able to query the external URL and expect the internal IP address of CRM server will be returned?  e.g. if my external URL is crm.domain.com, and my CRM server is 10.0.0.1  Should crm.domain.com be resolved into 10.0.0.1 on the inside of network? Thanks!

• Anonymous
  January 01, 2003
  Johnmen, I have the same problem with the CRM form. I changed the ISA configuration to use FBA on the ISA listener and NTLM authentication on the ISA rule and that is working.

• Anonymous
  January 01, 2003
  Hi, I have followed the instruction above to publish CRM using ISA. However, the users can browse to the login page but when they login with thier credential, the login page just reloads again!!! Interestingly, when the user sign in with a wronge username or password, the credential warning appears,,, Please help, thanks,

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Hi, I have followed the instruction above to publish CRM using ISA. Like Shuk the users can browse to the login page but when they login with thier credential, the login page just reloads again!!! Interestingly, when the user sign in with a wronge username or password, the credential warning appears,,, Please help, thanks, Vince

• Anonymous
  January 01, 2003
  Hi, just wanted to report that we implemented an IFD scenario according to this guide. However, I did notice one thing when it comes to using the CRM outlook client with this solution. In our case, we had to configure the IFDTool to use HTTPS (from the drop down list visible in the picture above) for the IFD Domain Scheme. If this was set to HTTP, the web client still works and uses SSL, but the CRM outlook client uses the CRM discovery service to find the address of the server, and if the option is set to HTTP the service returns a non SSL address to the client. If subsequently the ISA server is set to allow SSL only, this means that the configuration wizard for the outlook client will throw a "Server not found" error. Setting this option to HTTPS (or allowing non-ssl traffic through ISA) solves the problem.

• Anonymous
  January 01, 2003
  Hi Markus, If to make it work you have to delete the current WebListener seems that you have a conflict. Also, it is not clear why kind of error you receive when you try to access the CRM publishing rule. Follow the procedure below to run the ISA BPA on your ISA Server. The ISA BPA can help you to identify where the conflict is: http://blogs.isaserver.org/shinder/2008/06/26/remember-to-use-the-isa-firewall-best-practices-analyzer-and-data-packager-when-troubleshooting/ If you get stuck on that, please open a incident support with Microsoft CSS. Here it is the contact information for that: http://support.microsoft.com/oas/default.aspx?&c1=10750&gprid=11928& Thank you.

• Anonymous
  January 01, 2003
  Hey, i have tried to add the publishing-rule to my ISA environment as shown above. At the moment there are 2 other rules for publishing Sharepoint and OWA through FBA existing. But when i do the settings above i must delete my existing Weblistener for OWA, etc. I'm using a wildcard SSL- certifiacte. In the past i have published CRM 4.0 also through FBA. In Version 3 of CRM i get no error and troubles. But since the upgrade to Version 4.0 i get some error's in CRM 4.0 like "error receiving the date", etc. when i open a item where a calendar/date-field is existing. That's my point why i try to publish CRM over the way you describe. Any other suggestions how to get running ?

• Anonymous
  June 18, 2010
  Don't forget to set the correct default gateway.. "After you configure Microsoft Dynamics CRM for IFD and you are using an Internet Security and Acceleration (ISA) server, any user attempts to login from the Internet are challenged for a Windows login instead of the Microsoft Dynamics CRM sign on page. This causes the user authentication to fail. You can resolve this issue by changing the configuration setting on the ISA server to Request Appear to come from Original Client. This setting causes the ISA server to interpret the request as coming from the original client IP. For this configuration setting to work, the web server must point to ISA Server's internal IP address as the Default Gateway."

• Anonymous
  November 14, 2010
  We dont have CRM 4 published via ISA yet, but want to move that direction quickly.  Will this also assist in letting the outlook plug in work with outlook anywhere?  If so, how should this be setup? Secondly,  I notice without ISA, there are a lot of issues on some laptops accessing the site via the browser outside the firewall.  Will this minimize these issues?

• Anonymous
  January 11, 2011
  is there any consultants who are looking for contact position in USA? please send your resumes to sam@shellsoftinc.com, i have a SAP CRM ISA requirement in Bay Area CA for 1 year duration. let me know your interest .  

• Anonymous
  June 30, 2011
  Hi , Is crm 4.0 can be published via TMG 2010 ? if yes pl show me the link. regards Rezzu

• Anonymous
  December 18, 2013
  need help,i publish dynamics GP using ISA 2006, why hang on initializing applicationbut from local network is working