09 August 2012 23:19
I hope this isn't a question that's already been asked, but I've searched the forums (and elsewhere, for that matter), but can't find an answer anywhere.
My client has a Windows 2008 R2 server that hosts only CRM 2011. The server is behind a firewall and is a member of a domain. Their users need to access the CRM deployment over the Internet, so it's necessary to set up AD FS and IFD. I'll be installing ADFS on the CRM server; they have a wildcard SSL certificate for this server.
There are 2 problems:
1) The client either can't or doesn't want to put the server in a DMZ. Does this mean that a Federation Proxy server is mandatory? Or can we simply port-forward traffic through the firewall to the server? If a federation proxy server is absolutely necessary, does it require its own SSL certificate?
2) The standard HTTPS port 443 is already being used on their Internet gateway, and thus can't be used for ADFS. I've tried binding the Default Web Site to port 446, and configured ADFS to use port 446, but when I navigate to https://sts.domain.com:446/federationmetadata/2007-06/federationmetadata.xml, I get an error saying the page cannot be displayed, where I should be seeing the certificate data. Can ADFS be configured to use a non-standard HTTPS port? Or, again, is a federation proxy server mandatory to get around the issue?
Any help would be greatly appreciated! I've spent hours looking, but have yet to find anything conclusive.
10 August 2012 2:42
You will need AD FS with HTTPS and an SSL certificate to configure the IFD deployment. You can use the same wildcard certificate for the AD FS server as well as the CRM server if you want.
I think you should be able to configure AD FS on another port as long as it uses HTTPS; be sure your local Windows firewall has that port open.
Hope it helps.
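As an added example (not from either poster, and not part of the AD FS product), the script below walks through the checks implied by this answer when the federation service sits on a non-standard HTTPS port: it builds the metadata URL with the port, tests plain TCP reachability first (a timeout or refusal there points at the firewall or port-forward rather than at AD FS), confirms that a wildcard name such as *.domain.com actually covers the federation service name, and then fetches and parses the federation metadata to report the entityID and the signing certificate. The host name sts.domain.com, port 446 and the embedded sample metadata document are assumptions constructed for illustration.

```python
"""Check an AD FS federation metadata endpoint on a non-standard HTTPS port.

Added example, not code from the forum thread or from AD FS itself. The host
name, port and SAMPLE_METADATA below are constructed assumptions.
"""
import re
import socket
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

METADATA_PATH = "/federationmetadata/2007-06/federationmetadata.xml"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def metadata_url(host, port=443):
    """Build the metadata URL; the explicit port is needed whenever it is not 443."""
    hostport = host if port == 443 else "%s:%d" % (host, port)
    return "https://%s%s" % (hostport, METADATA_PATH)


def tcp_reachable(host, port, timeout=5):
    """First check: can the port be reached at all? A timeout or refusal here
    means the firewall / port-forward, not the AD FS binding, is the problem."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wildcard_matches(pattern, hostname):
    """True if a certificate name (possibly '*.domain.com') covers hostname.
    A wildcard matches exactly one DNS label: '*.domain.com' covers
    'sts.domain.com' but not 'a.sts.domain.com' and not 'domain.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]
    return bool(left) and "." not in left


def parse_metadata(xml_text):
    """Return (entityID, [base64 signing certificate, ...]) from federation metadata."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % NS_MD):
        if kd.get("use", "signing") != "signing":
            continue                          # skip encryption keys
        for c in kd.iter("{%s}X509Certificate" % NS_DS):
            certs.append(re.sub(r"\s+", "", c.text or ""))
    return root.get("entityID"), certs


def fetch_metadata(host, port, timeout=10):
    """Download the metadata over TLS; urllib verifies the chain and host name,
    so a wildcard certificate that does not cover `host` fails here."""
    with urllib.request.urlopen(metadata_url(host, port), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of the metadata shape AD FS publishes (not a real document).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.domain.com/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBsample
        base64data==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "sts.domain.com"   # assumed name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 446           # assumed port
    if not tcp_reachable(host, port):
        sys.exit("TCP %s:%d unreachable: check firewall / port-forward first" % (host, port))
    try:
        entity_id, certs = parse_metadata(fetch_metadata(host, port))
    except (OSError, ssl.SSLError, ET.ParseError) as exc:
        sys.exit("metadata fetch failed (binding or certificate problem?): %s" % exc)
    print("entityID:", entity_id)
    for c in certs:
        print("signing certificate (base64, first 40 chars):", c[:40])
```

Run it as `python adfs_check.py sts.domain.com 446` from outside the firewall. The order of the checks mirrors the diagnosis: an unreachable port is a firewall or NAT issue, a TLS failure is a certificate or name issue, and a connection that succeeds but returns no parsable metadata points at the IIS binding or the AD FS configuration on that port.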
10 August 2012 14:39
Hi Damian,
Thanks for replying! It seemed that it should be possible to configure ADFS on a non-standard HTTPS port - as mentioned, I used port 446. But when I navigate to the federationmetadata.xml URL I get a "Page not found" error. Also, I did turn the local Windows firewall off on the server.
What I did was first bind the Default Web Site to HTTPS port 446. I then installed AD FS 2.0. During the setup wizard the wildcard SSL certificate and port 446 were already selected (and greyed out so that I couldn't select any other values in those 2 fields) and I named the federation service (sts.domain.com).
The setup wizard finished successfully (all green check marks). But when I go to:
the certificate data is not shown, only the "Page not found" error. Previously, when I tried the exact same procedure (on another network) using port 443 for HTTPS I was able to view the certificate data in the browser.
So at this stage, I'm thinking that ADFS cannot use a port other than port 443 for HTTPS. Also, I'm still unsure as to whether the ADFS server can be behind a firewall and NOT use an ADFS proxy server.